Re: Nginx ngx_http_close_connection function integer overflow

2013-05-04T00:00:00

Description

Hello, On Thu, 25 Apr 2013, 06:52-0000, safe3q@gmail.com wrote: [...] > II. DESCRIPTION > --------------------- > > Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. > > The vulnerability is caused by a int overflow error within the Nginx > ngx_http_close_connection function when r->count is less then 0 or > more then 255, which could be exploited by remote attackers to > compromise a vulnerable system via malicious http requests. > > III. AFFECTED PRODUCTS > --------------------------- > > Nginx all latest version > > IV. Exploits/PoCs > --------------------------------------- > > In-depth technical analysis of the vulnerability and a fully > functional remote code execution exploit are available through the > safe3q@gmail.com In src\http\ngx_http_request_body.c > ngx_http_discard_request_body function,we can make r->count++. > We've done an initial investigation and don't see any problems with the code you mention. Could you please provide more details to security-alert@nginx.org or to the list? Thanks in advance, Maxim Konovalov -- Maxim Konovalov

{"id": "SECURITYVULNS:DOC:29303", "bulletinFamily": "software", "title": "Re: Nginx ngx_http_close_connection function integer overflow", "description": "\r\n\r\nHello,\r\n\r\nOn Thu, 25 Apr 2013, 06:52-0000, safe3q@gmail.com wrote:\r\n[...]\r\n> II. DESCRIPTION\r\n> ---------------------\r\n>\r\n> Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.\r\n>\r\n> The vulnerability is caused by a int overflow error within the Nginx\r\n> ngx_http_close_connection function when r->count is less then 0 or\r\n> more then 255, which could be exploited by remote attackers to\r\n> compromise a vulnerable system via malicious http requests.\r\n>\r\n> III. AFFECTED PRODUCTS\r\n> ---------------------------\r\n>\r\n> Nginx all latest version\r\n>\r\n> IV. Exploits/PoCs\r\n> ---------------------------------------\r\n>\r\n> In-depth technical analysis of the vulnerability and a fully\r\n> functional remote code execution exploit are available through the\r\n> safe3q@gmail.com In src\http\ngx_http_request_body.c\r\n> ngx_http_discard_request_body function,we can make r->count++.\r\n>\r\nWe've done an initial investigation and don't see any problems with\r\nthe code you mention. Could you please provide more details to\r\nsecurity-alert@nginx.org or to the list?\r\n\r\nThanks in advance,\r\n\r\nMaxim Konovalov\r\n\r\n-- Maxim Konovalov\r\n", "published": "2013-05-04T00:00:00", "modified": "2013-05-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29303", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:47", "edition": 1, "viewCount": 16, "enchantments": {"score": {"value": 2.7, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "canvas", "idList": ["NGINX"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13034"]}]}, "exploitation": null, "vulnersScore": 2.7}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}