Has anyone seen this nginx integer overflow vulnerability?

doughmanes Member
edited April 2013 in General

Caught this on a few security websites... anyone seen something similar?

However, "Qihoo 360 is the leading provider of defensive and offensive web cloud security of China."

Snake oil salesman?

-- copy/paste

Website: http://safe3.com.cn

I. BACKGROUND

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by an int overflow error within the Nginx
ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious HTTP requests.

III. AFFECTED PRODUCTS

Nginx, all latest versions

IV. Exploits/PoCs

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the [email protected]
In src\http\ngx_http_request_body.c, ngx_http_discard_request_body function, we can make r->count++.

V. VUPEN Threat Protection Program

VI. SOLUTION

Validate the r->count input.

VII. CREDIT

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.

IX. REFERENCES

http://nginx.org/en/
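As an added illustration of the mechanism the advisory alleges (a narrow reference counter that wraps on increment) and of the fix it proposes (validating the count), here is a constructed C model. It is not nginx's code and does not show that nginx has this bug; it assumes an 8-bit unsigned field purely to match the advisory's 0..255 range.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of a request object whose reference count lives in an
 * 8-bit bit-field. This is NOT nginx's ngx_http_request_t; the 0..255 range
 * is an assumption taken from the advisory's wording. */
typedef struct {
    unsigned count:8;   /* holds 0..255 only; arithmetic wraps silently */
} request_t;

/* Unchecked increment: at 255 the field wraps to 0, so the object looks
 * unreferenced while references still exist (a classic refcount bug). */
void count_inc_unchecked(request_t *r) { r->count++; }

/* Checked increment: refuse another reference once the field is saturated,
 * so the caller can fail the request instead of corrupting object state. */
bool count_inc_checked(request_t *r) {
    if (r->count >= 255) {
        return false;   /* would wrap; report an error instead */
    }
    r->count++;
    return true;
}

/* Apply the unchecked increment n times and return the resulting count. */
unsigned wrap_after(unsigned n) {
    request_t r = { .count = 0 };
    for (unsigned i = 0; i < n; i++) count_inc_unchecked(&r);
    return r.count;
}

/* Apply the checked increment n times and return how many were accepted. */
unsigned checked_accepts(unsigned n) {
    request_t r = { .count = 0 };
    unsigned ok = 0;
    for (unsigned i = 0; i < n; i++) ok += count_inc_checked(&r) ? 1 : 0;
    return ok;
}

int main(void) {
    printf("unchecked after 256 increments: %u\n", wrap_after(256));  /* 0 */
    printf("checked accepts out of 300: %u\n", checked_accepts(300)); /* 255 */
    return 0;
}
```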

Comments

  • @doughmanes said: Validate the r->count input.

    Where is the patch if they've really tracked it down enough to say that?

  • From: Andrew Alexeev andrew@nginx.com
    To: [email protected]
    Subject: Re: [oss-security] Nginx ngx_http_close_connection function integer overflow - can anyone confirm this?

    > ...snip...

    Unfortunately we weren't approached by "Qihoo 360 Web Security Research Team"
    before this publication went out through bugtraq.

    We are now trying to obtain more information from that team without much success.

    We've also analyzed their report and we can't conclude this is a real vulnerability yet; from the descriptions provided it still looks like it's somewhat spurious.

    We are trying to continue investigation though.

    Regrettably responsible disclosure isn't always the case. However, we can't yet confirm it's a full one either.

  • vedran Veteran

    safe3.com.cn doesn't look very reputable to me

  • @Wintereise said: Where is the patch if they've really tracked it down enough to say that?

    I know if you guys can patch the thank button code in Vanilla that somebody here can verify/deny the snakeoil salesman claim

    "Defensive and Offensive Cloud Security" was interesting. Offensive, like flatulence?

  • cynix Member

    Qihoo is notorious in China for producing "cloud security software" that's basically borderline malware.

  • DewlanceVPS Member, Patron Provider

    We do not use nginx.. ;)

  • @cynix said: Qihoo is notorious in China for producing "cloud security software" that's basically borderline malware.

    I agree.

  • @DewlanceVPS said: We do not use nginx.. ;)

    This has nothing to do with what they're talking about.

  • Qihoo 360 is sh*t, no comment on the nginx issue for I'm not an expert for it.

  • Wouldn't be surprised if it was a bad compiler.

  • @HalfEatenPie said: This has nothing to do with what they're talking about.

    Is dewlance... you know... ¬¬

    @Rallias said: Wouldn't be surprised if it was a bad compiler.

    True, sometimes that happens :S

  • @Zen said: They did tell you how to test it. I am surprised no one has, I will probably get around to it soon

    That's what I was waiting for, considering the popularity of nginx on this forum.
