Date: Thu, 25 Apr 2013 23:36:17 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>, gremlin@...mlin.ru
Subject: Nginx ngx_http_close_connection function integer overflow - can anyone
 confirm this?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From Bugtraq:

http://www.securityfocus.com/archive/1/526439/30/0/threaded

Website: http://safe3.com.cn

I. BACKGROUND
- ---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy
server, written by Igor Sysoev. For a long time, it has been running
on many heavily loaded Russian sites including Yandex, Mail.Ru,
VKontakte, and Rambler. According to Netcraft nginx served or proxied
12.96% of the busiest sites in April 2013. Here are some of the success
stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
- ---------------------

Qihoo 360 Web Security Research Team discovered a critical
vulnerability in nginx.

The vulnerability is caused by an int overflow error within the Nginx
ngx_http_close_connection function when r->count is less than 0 or
more than 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious
http requests.

III. AFFECTED PRODUCTS
- ---------------------------

Nginx all latest version

IV. Exploits/PoCs
- ---------------------------------------

In-depth technical analysis of the vulnerability and a fully
functional remote code execution exploit are available through the
safe3q (at) gmail (dot) com [email concealed]
In src\http\ngx_http_request_body.c ngx_http_discard_request_body
function, we can make r->count++.

V. VUPEN Threat Protection Program
- -----------------------------------

VI. SOLUTION
- ----------------

Validate the r->count input.

VII. CREDIT
- --------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
- ---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud
security of China.

IX. REFERENCES
- ----------------------
http://nginx.org/en/

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----
