oss-sec mailing list archives
Nginx ngx_http_close_connection function integer overflow - can anyone confirm this?
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 25 Apr 2013 23:36:17 -0600
From Bugtraq: http://www.securityfocus.com/archive/1/526439/30/0/threaded

Website: http://safe3.com.cn

I. BACKGROUND
---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by an int overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx all latest version

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the safe3q (at) gmail (dot) com

In src\http\ngx_http_request_body.c ngx_http_discard_request_body function, we can make r->count++.

V. VUPEN Threat Protection Program
-----------------------------------

VI. SOLUTION
----------------

Validate the r->count input.

VII. CREDIT
--------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.

IX. REFERENCES
----------------------

http://nginx.org/en/

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- Nginx ngx_http_close_connection function integer overflow - can anyone confirm this? Kurt Seifried (Apr 25)
- Re: Nginx ngx_http_close_connection function integer overflow - can anyone confirm this? Alistair Crooks (Apr 25)
- Re: Nginx ngx_http_close_connection function integer overflow - can anyone confirm this? Andrew Alexeev (Apr 26)
- Re: Nginx ngx_http_close_connection function integer overflow - can anyone confirm this? Alistair Crooks (Apr 25)