Re: Nginx ngx_http_close_connection function integer overflow


Hello,

On Thu, 25 Apr 2013, 06:52-0000, safe3q@gmail.com wrote:

[...]
> II. DESCRIPTION
> ---------------------
>
> Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.
>
> The vulnerability is caused by an int overflow error within the Nginx
> ngx_http_close_connection function when r->count is less than 0 or
> more than 255, which could be exploited by remote attackers to
> compromise a vulnerable system via malicious http requests.
>
> III. AFFECTED PRODUCTS
> ---------------------------
>
> Nginx all latest version
>
> IV. Exploits/PoCs
> ---------------------------------------
>
> In-depth technical analysis of the vulnerability and a fully
> functional remote code execution exploit are available through the
> safe3q@gmail.com In src\http\ngx_http_request_body.c
> ngx_http_discard_request_body function, we can make r->count++.
>

We've done an initial investigation and don't see any problems with
the code you mention. Could you please provide more details to
security-alert@nginx.org or to the list?

Thanks in advance,

Maxim Konovalov

--
Maxim Konovalov