Bugtraq mailing list archives
Re: Nginx ngx_http_close_connection function integer overflow
From: Maxim Konovalov <maxim.konovalov () gmail com>
Date: Thu, 25 Apr 2013 21:51:45 +0400 (MSK)
Hello, On Thu, 25 Apr 2013, 06:52-0000, safe3q () gmail com wrote: [...]
II. DESCRIPTION --------------------- Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by a int overflow error within the Nginx ngx_http_close_connection function when r->count is less then 0 or more then 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests. III. AFFECTED PRODUCTS --------------------------- Nginx all latest version IV. Exploits/PoCs --------------------------------------- In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the safe3q () gmail com In src\http\ngx_http_request_body.c ngx_http_discard_request_body function,we can make r->count++.
We've done an initial investigation and don't see any problems with the code you mention. Could you please provide more details to security-alert () nginx org or to the list? Thanks in advance, Maxim Konovalov -- Maxim Konovalov
Current thread:
- Nginx ngx_http_close_connection function integer overflow safe3q (Apr 25)
- Re: Nginx ngx_http_close_connection function integer overflow Maxim Konovalov (Apr 29)
- Re: Nginx ngx_http_close_connection function integer overflow Maxim Konovalov (Apr 29)
- Re: Nginx ngx_http_close_connection function integer overflow Maxim Konovalov (Apr 29)