Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Nginx ngx_http_close_connection function integer overflow
From: Maxim Konovalov <maxim.konovalov () gmail com>
Date: Thu, 25 Apr 2013 21:51:45 +0400 (MSK)

Hello,

On Thu, 25 Apr 2013, 06:52-0000, safe3q () gmail com wrote:
[...]
II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by a int overflow error within the Nginx
ngx_http_close_connection function when r->count is less then 0 or
more then 255, which could be exploited by remote attackers to
compromise a vulnerable system via malicious http requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx all latest version

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully
functional remote code execution exploit are available through the
safe3q () gmail com In src\http\ngx_http_request_body.c
ngx_http_discard_request_body function,we can make r->count++.

We've done an initial investigation and don't see any problems with
the code you mention.  Could you please provide more details to
security-alert () nginx org or to the list?

Thanks in advance,

Maxim Konovalov

-- 
Maxim Konovalov


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]