Nginx Vulnerability on FreeBSD

Peter Chen peterchencs at gmail.com
Tue Jan 5 05:30:32 UTC 2016


Hi,

I am trying to do a security research experiment on FreeBSD.
I try to test the Nginx Vulnerability CVE-2013-2028 on FreeBSD 10.1 x86-64,
with Nginx 1.3.9/1.4.0.
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028)

However, most exploit samples can succeed on Linux, but not FreeBSD.
The basic idea for the exploit, is to send a packet with a very large chunk
size, making the victim process stack-overflow. After Nginx's many crashes,
the attacker can find enough gadgets to launch a return-oriented
programming attack.

However, it is hard to let Nginx worker process crash (due to overwritten
return address) on FreeBSD. Process crash is the first step of the whole
exploit. I do the experiment on both local and remote (LAN) machines.

This exploit requires:
-----------------------------------------------------------------
This also includes an IP fragmentation router to make the attack possible
on WANs. Nginx does a non-blocking read on a 4096 byte buffer, and typical
MTUs are 1500, so IP fragmentation is needed to deliver a large TCP segment
that will result in a single read of over 4096 bytes.
------------------------------------------------------------------

Any comments/suggestions on this, just to make the victim process crash?

Here are two exploit code examples, which can run against Linux target, but
fail to make the Nginx worker process crash on FreeBSD:

http://www.scs.stanford.edu/brop/
http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz

https://www.exploit-db.com/docs/27074.pdf
http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin


Thanks very much for your time!!

Best,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20160105/b0e84905/attachment.html>


More information about the nginx-devel mailing list