nginx integer overflow vulnerability disclosed
2013-5-9 9:10:38  

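The Qihoo 360 security research team recently discovered a serious vulnerability in nginx. The flaw is in nginx's ngx_http_close_connection function: an attacker can craft a malicious HTTP request that makes r->count less than 0 or greater than 255, which may lead to remote execution of arbitrary code. According to 360, all nginx versions are currently affected.

The original text follows: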

Website: http://safe3.com.cn

I. BACKGROUND
---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% busiest sites in April 2013. Here are some of the success stories: Netflix, WordPress.com, FastMail.FM.

II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by an int overflow error within the Nginx
ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious http requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx all latest version

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the safe3q (at) gmail (dot) com
In src\http\ngx_http_request_body.c ngx_http_discard_request_body function, we can make r->count++.

V. VUPEN Threat Protection Program
-----------------------------------

VI. SOLUTION
----------------

Validate the r->count input.

VII. CREDIT
--------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.

IX. REFERENCES
----------------------

http://nginx.org/en/

source http://packetstormsecurity.com/files/121416/nginx-intoverflow.txt
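
An added illustration of the bug class the advisory names and of its "Validate the r->count input" fix; it is not nginx code and not from the advisory. The `demo_request_t` type and all function names are hypothetical, and the 8-bit counter width is an assumption taken from the advisory's 0 to 255 range.

```c
#include <stdio.h>

/* Hypothetical request object, not nginx's struct. The 8-bit width is an
 * assumption taken from the advisory's 0..255 range for r->count. */
typedef struct {
    unsigned count:8;            /* reference counter, representable 0..255 */
} demo_request_t;

/* Checked increment: refuse the step that would wrap 255 -> 0. */
int ref_checked(demo_request_t *r)
{
    if (r->count == 255) return -1;
    r->count++;
    return 0;
}

/* Checked decrement: refuse the step that would wrap 0 -> 255. */
int unref_checked(demo_request_t *r)
{
    if (r->count == 0) return -1;
    r->count--;
    return 0;
}

/* Unchecked form: start at 1 and take n more references. */
unsigned after_unchecked(unsigned n)
{
    demo_request_t r = { 1 };
    while (n--) r.count++;       /* wraps modulo 256 without any error */
    return r.count;
}

/* Checked form: same workload, counting the references that were refused. */
unsigned after_checked(unsigned n, unsigned *refused)
{
    demo_request_t r = { 1 };
    *refused = 0;
    while (n--) if (ref_checked(&r) != 0) (*refused)++;
    return r.count;
}

int main(void)
{
    unsigned refused;
    printf("unchecked: %u\n", after_unchecked(255));
    printf("checked:   %u", after_checked(255, &refused));
    printf(" (refused %u)\n", refused);
    return 0;
}
```

A counter that reads 0 while references are still held is what lets cleanup code run early, so the checked form fails the extra reference instead of wrapping.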