CVE-2013-4547 Nginx parsing vulnerability: in-depth exploitation and analysis - Vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201447336
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-05-21T00:00:00


0x00 Background

Nginx has had several parsing vulnerabilities in the past, for example the parsing vulnerability disclosed by 80sec, and the one where appending %00 directly after the file extension truncated the path and led to code execution.

Then, at the end of 2013, nginx had another one: CVE-2013-4547. This vulnerability can be used to bypass access restrictions (directory crossing) and, with a suitable backend, to get code execution. The affected range is wide: nginx 0.8.41 through 1.5.6.

To understand in more depth why the vulnerability arises, the author analyses it further below on the basis of the official patch.

0x01 Tracing the vulnerability to its source

  1. The official patch shows that the code change in nginx is in the ngx_http_parse_request_line function. Download the nginx source, open the patched file src/http/ngx_http_parse.c, find ngx_http_parse_request_line, and locate the code segments the patch touches.

This locates the point that needs analysis. Enable gdb debugging and set a breakpoint on ngx_http_parse_request_line,

and watch the variables state and p: the function is a state machine, state holds the current state and p is the pointer into the request text, and these two are the key to how the vulnerability is triggered.

Because the request is handled by an nginx worker child process, debugging has to follow the child: use `set follow-fork-mode child` in gdb and then set breakpoints at the appropriate places.

Figure 1: following the worker child process in gdb

  2. Send a normal request and an attack request for testing:

Normal request:

Attack request: an unencoded (raw) space followed by \0.php, i.e. the URI contains ` \0.php`

Stepping through the normal request with s or n, you will see that during URI parsing, when the path contains a '.' or the URL contains a '\0', the following handling takes place:

```c
case sw_check_uri:
    ......
    case '.':
        r->complex_uri = 1;   /* flag: the URI will later be normalised by ngx_http_parse_complex_uri */
        state = sw_uri;       /* (in the nginx source this case is in sw_after_slash_in_uri, i.e. a '.'
                                 right after a '/'; in sw_check_uri a '.' only records r->uri_ext) */
        break;

case sw_check_uri:
    ......
    case '\0':                /* a NUL byte is treated as an illegal character */
        return NGX_HTTP_PARSE_INVALID_REQUEST;
```

But a space inside the URI is handled by the sw_check_uri_http_09 logic (the state that expects the HTTP version after the URI), so when we send the attack request the execution flow is as follows:

Figure 2: the \0 does not trigger the illegal-character check

Then the parser returns to the sw_check_uri state; the remaining string at this point is .php, and the '.' is taken as the separator that marks the start of the URI's extension.
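The behaviour traced above can be reproduced without gdb in a reduced model of the URI states of ngx_http_parse_request_line. The block below is an added example written for this article; it is not nginx code, and all toy_-prefixed names are hypothetical. It models only the states involved (sw_check_uri, sw_check_uri_http_09 and a stub for the version), and takes one detail from the official nginx patch rather than from this page: the fix adds a `p--;` to the default branch of the space-after-URI state, so that the byte following the space is re-examined in sw_check_uri instead of being consumed unchecked. The example parses a constructed attack line in both modes, then shows what a backend that builds a C string from root + URI (as the SCRIPT_FILENAME passed to FastCGI is) actually sees.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not nginx code): reduced model of the URI states of
 * ngx_http_parse_request_line(). All toy_ names are hypothetical. */

#define TOY_OK       0
#define TOY_INVALID (-1)    /* stands in for NGX_HTTP_PARSE_INVALID_REQUEST */

typedef struct {
    const char *uri_start;
    const char *uri_end;    /* the space (or CR/LF) that ends the URI, as nginx records it */
    const char *uri_ext;    /* byte after the last '.' in the path, or NULL */
    int         space_in_uri;
} toy_req_t;

/* fixed == 0 models nginx 0.8.41..1.5.6: the byte after an unescaped space in the
 * URI is consumed without being checked.  fixed == 1 models the CVE-2013-4547
 * patch: that byte is re-examined (p--) and a NUL hits the '\0' case below. */
int toy_parse_request_line(const char *line, size_t len, int fixed, toy_req_t *r)
{
    enum { sw_check_uri, sw_check_uri_http_09, sw_http_version, sw_done } state;
    const char *p, *end = line + len;

    memset(r, 0, sizeof *r);
    p = memchr(line, ' ', len);             /* nginx has consumed the method before the URI states */
    if (p == NULL) return TOY_INVALID;
    r->uri_start = ++p;
    state = sw_check_uri;

    for (; p < end && state != sw_done; p++) {
        unsigned char ch = (unsigned char) *p;
        switch (state) {
        case sw_check_uri:
            switch (ch) {
            case '/':  r->uri_ext = NULL;  break;
            case '.':  r->uri_ext = p + 1; break;   /* remember where the extension starts */
            case ' ':  r->uri_end = p; state = sw_check_uri_http_09; break;
            case '\r':
            case '\n': r->uri_end = p; state = sw_done; break;
            case '\0': return TOY_INVALID;          /* NUL is an illegal character */
            default:   break;
            }
            break;
        case sw_check_uri_http_09:                  /* space(s) after the URI */
            switch (ch) {
            case ' ':  break;
            case '\r':
            case '\n': state = sw_done; break;
            case 'H':  state = sw_http_version; break;
            default:                                /* not a version: the space was part of the URI */
                r->space_in_uri = 1;
                state = sw_check_uri;
                if (fixed) p--;                     /* the fix: re-examine this byte in sw_check_uri */
                break;
            }
            break;
        case sw_http_version:                       /* "HTTP/x.y" up to LF, not modelled further */
            if (ch == '\n') state = sw_done;
            break;
        case sw_done:
            break;
        }
    }
    return r->uri_end ? TOY_OK : TOY_INVALID;
}

/* URI length as nginx will use it for location matching (may contain an embedded NUL). */
size_t toy_uri_len(const toy_req_t *r) { return (size_t) (r->uri_end - r->uri_start); }

/* Models a `location ~ \.php$` test on the parsed URI: the regex sees the full length. */
int toy_uri_ends_with_php(const toy_req_t *r)
{
    size_t n = toy_uri_len(r);
    return n >= 4 && memcmp(r->uri_end - 4, ".php", 4) == 0;
}

/* Models a backend that builds root + URI into a C string (e.g. SCRIPT_FILENAME
 * reaching PHP-FPM): everything after the embedded NUL is silently dropped.
 * Returns the length the backend actually sees, 0 if the buffer is too small. */
size_t toy_backend_path(const char *root, const toy_req_t *r, char *buf, size_t bufsize)
{
    size_t rl = strlen(root), ul = toy_uri_len(r);
    if (rl + ul + 1 > bufsize) return 0;
    memcpy(buf, root, rl);
    memcpy(buf + rl, r->uri_start, ul);
    buf[rl + ul] = '\0';
    return strlen(buf);                     /* stops at the NUL inside the URI */
}

int main(void)
{
    /* constructed attack request line: raw space, NUL byte, then ".php" */
    static const char attack[] = "GET /test.jpg \0.php HTTP/1.1\r\n";
    toy_req_t r;
    char path[64];

    if (toy_parse_request_line(attack, sizeof attack - 1, 0, &r) == TOY_OK) {
        printf("vulnerable: URI length %zu, matches \\.php$: %d\n",
               toy_uri_len(&r), toy_uri_ends_with_php(&r));
        toy_backend_path("/var/www", &r, path, sizeof path);
        printf("vulnerable: backend opens \"%s\"\n", path);
    }
    printf("fixed: parse result %d\n", toy_parse_request_line(attack, sizeof attack - 1, 1, &r));
    return 0;
}
```

In the vulnerable mode the URI that reaches location matching is the full `/test.jpg \0.php` (15 bytes, space_in_uri set, extension php), so a `\.php$` location accepts it, while the path a C-string backend opens is cut at the NUL to `/var/www/test.jpg ` (note the trailing space, which is part of the URI and so of the file name the backend looks for). In the fixed mode the re-examined NUL reaches the '\0' case of sw_check_uri and the request is rejected.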
