Nytro

nginx Integer Overflow

Authored by Safe3 | Site safe3.com.cn

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by an integer overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious HTTP requests.

Website: http://safe3.com.cn

I. BACKGROUND
---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft, nginx served or proxied 12.96% of the busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by an int overflow error within the Nginx
ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious HTTP requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx, all latest versions

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through safe3q@gmail.com.
In the ngx_http_discard_request_body function in src\http\ngx_http_request_body.c, we can make r->count++.

V. VUPEN Threat Protection Program
-----------------------------------

VI. SOLUTION
----------------

Validate the r->count input.

VII. CREDIT
--------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.


IX. REFERENCES
----------------------
http://nginx.org/en/

Source: nginx Integer Overflow ≈ Packet Storm
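
The advisory's solution ("Validate the r->count input") amounts to a bounds-checked reference counter. The following C model is an added example, not code from the advisory or from nginx: `request_model` and its functions are hypothetical, and the 8-bit counter width is an assumption taken from the advisory's 0..255 range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a request object; not nginx's ngx_http_request_t.
 * The 8-bit width is an assumption taken from the advisory's 0..255 range. */
typedef struct {
    uint8_t count;   /* reference count */
    bool    freed;   /* set when the last reference is dropped */
} request_model;

/* Unchecked increment: the store truncates to 8 bits, so 255 + 1 becomes 0. */
void ref_unchecked(request_model *r) { r->count++; }

/* Checked increment: refuse at the maximum instead of wrapping. */
bool ref_checked(request_model *r)
{
    if (r->freed || r->count == UINT8_MAX) return false;  /* fail the request */
    r->count++;
    return true;
}

/* Checked decrement: refuse to go below zero; free on the last reference. */
bool unref_checked(request_model *r)
{
    if (r->freed || r->count == 0) return false;  /* would underflow */
    if (--r->count == 0) r->freed = true;
    return true;
}

/* Counter value after n unchecked increments, starting from 1. */
unsigned wrap_after(unsigned n)
{
    request_model r = { 1, false };
    while (n--) ref_unchecked(&r);
    return r.count;
}

int main(void)
{
    request_model r = { 1, false };
    unsigned accepted = 0;
    while (ref_checked(&r)) accepted++;
    printf("unchecked: 1 + 255 increments -> %u\n", wrap_after(255));
    printf("checked: %u accepted, count stays %u\n", accepted, (unsigned)r.count);
    return 0;
}
```

In the unchecked path the counter reads 0 while references are still held, which is the state the checked variants refuse to enter.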
