Nginx ngx_http_close_connection function integer overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Nginx ngx_http_close_connection function integer overflow
- From: safe3q@xxxxxxxxx
- Date: Thu, 25 Apr 2013 06:52:19 GMT
Website: http://safe3.com.cn
I. BACKGROUND
---------------------
Nginx is an HTTP and reverse proxy server, as well as a mail proxy server,
written by Igor Sysoev. For a long time, it has been running on many heavily
loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler.
According to Netcraft, nginx served or proxied 12.96% of the busiest sites in
April 2013. Here are some of the success stories: Netflix, Wordpress.com,
FastMail.FM.
II. DESCRIPTION
---------------------
Qihoo 360 Web Security Research Team discovered a critical vulnerability in
nginx.
The vulnerability is caused by an integer overflow error within the Nginx
ngx_http_close_connection function when r->count is less than 0 or more than
255, which could be exploited by remote attackers to compromise a vulnerable
system via malicious HTTP requests.
III. AFFECTED PRODUCTS
---------------------------
Nginx, all latest versions
IV. Exploits/PoCs
---------------------------------------
In-depth technical analysis of the vulnerability and a fully functional remote
code execution exploit are available from safe3q@xxxxxxxxx
In the ngx_http_discard_request_body function in
src\http\ngx_http_request_body.c, we can make r->count++.
V. VUPEN Threat Protection Program
-----------------------------------
VI. SOLUTION
----------------
Validate the r->count input.
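The wraparound named in the description and the bounds check asked for in the solution, shown on a model counter. This is an added example, not nginx source and not the reporter's code: the demo_* names and the struct are hypothetical, and the 8-bit counter width is an assumption taken from the advisory's 0..255 range.

```c
#include <stdio.h>

/* Hypothetical stand-in for a request object; NOT nginx's request struct.
 * Assumption: the counter is 8 bits wide (the advisory's 0..255 range). */
typedef struct {
    unsigned count:8;              /* reference counter, valid values 0..255 */
} demo_request_t;

#define DEMO_COUNT_MAX 255u

/* Unchecked increment: 255 + 1 is truncated to 0 when stored back. */
static void demo_ref_unchecked(demo_request_t *r) { r->count++; }

/* Checked increment: refuse a reference that would wrap the counter. */
static int demo_ref(demo_request_t *r) {
    if (r->count == DEMO_COUNT_MAX) return -1;
    r->count++;
    return 0;
}

/* Checked release: 1 = last reference gone, 0 = still held, -1 = underflow. */
static int demo_unref(demo_request_t *r) {
    if (r->count == 0) return -1;
    r->count--;
    return r->count == 0;
}

/* Take n references without validation and return the stored counter. */
static unsigned demo_take_unchecked(unsigned n) {
    demo_request_t r = { 0 };
    while (n--) demo_ref_unchecked(&r);
    return r.count;
}

/* Take n references with validation; returns how many were refused. */
static unsigned demo_take_checked(unsigned n, unsigned *final_count) {
    demo_request_t r = { 0 };
    unsigned refused = 0;
    while (n--) if (demo_ref(&r) != 0) refused++;
    *final_count = r.count;
    return refused;
}

int main(void) {
    unsigned final_count;
    unsigned refused = demo_take_checked(300, &final_count);
    printf("unchecked, 256 refs: count=%u\n", demo_take_unchecked(256));
    printf("checked, 300 refs: count=%u refused=%u\n", final_count, refused);
    return 0;
}
```

With the unchecked path, an object that still has 256 holders reports a count of 0, which is the state a close or free routine treats as "no references left".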
VII. CREDIT
--------------
This vulnerability was discovered by Safe3 of Qihoo 360.
VIII. ABOUT Qihoo 360
---------------------------
Qihoo 360 is the leading provider of defensive and offensive web cloud security
in China.
IX. REFERENCES
----------------------
http://nginx.org/en/