Nginx potentially leaking real filenames? (hopefully properly formatted)
Marcin Wanat
marcin.wanat at gmail.com
Thu Jun 18 15:19:06 UTC 2020
On Thu, Jun 18, 2020 at 5:04 PM lists <lists at lazygranch.com> wrote:
> In theory not a problem, but look at the text on this page about placing
> root in location blocks.
>
> https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
>
> I saw your first post and thought it was entertaining. Somebody needs to
> annoy those hackers. Since I don't use php I trap those requests in a map
> and return a 444. That way I can use some scripts and pull the hacker IPs
> out of the log file. If they come from a server, the IP space of that host
> gets blocked. There are no eyeballs at servers. But I do like the idea of
> feeding the hacker something unpleasant.
>
>
If you have enough resources you can send them a 200 OK response with 10MB
html file with an enormous DOM tree using chunked transfer and no
content-length header. They will lost huge amount of resources to download
and parse this (probably multiple times).
On Thu, Jun 18, 2020 at 5:04 PM lists <lists at lazygranch.com> wrote:
> In theory not a problem, but look at the text on this page about placing
> root in location blocks.
>
> https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
>
> I saw your first post and thought it was entertaining. Somebody needs to
> annoy those hackers. Since I don't use php I trap those requests in a map
> and return a 444. That way I can use some scripts and pull the hacker IPs
> out of the log file. If they come from a server, the IP space of that host
> gets blocked. There are no eyeballs at servers. But I do like the idea of
> feeding the hacker something unpleasant.
>
>
>
>
>
> Original Message
>
>
> From: pizwer88 at wp.pl
> Sent: June 18, 2020 4:08 AM
> To: nginx at nginx.org
> Reply-to: nginx at nginx.org
> Subject: Nginx potentially leaking real filenames? (hopefully properly
> formatted)
>
>
> Hi,
>
> I am experimenting with various ways of annoying bots and automated
> vulnerability scanners that reach my service. In one instance I am
> serving a recursive decompression bomb for all requests for .php files.
> Since none of my services run PHP, and never have, all such traffic can
> be safely assumed malicious.
> Recently (a couple of months since first deployment) I started seeing
> repeated requests to the server trying to fetch the recursive
> decompression bomb by its real file name, which should have never been
> exposed anywhere.
>
> Is it possible for nginx to leak the real file name? Through
> misconfiguration or other means?
>
> I am using nginx (version 1.14.2-2+deb10u1) as a reverse proxy and for
> SSL termination.
> The custom application behind it is not aware of the existence of the
> decompression bomb and lives in its own completely separate directory
> tree. It never reads nor serves any files from the local server, all its
> data is in physically separate database and cache servers. While I
> cannot prove absence of vulnerabilities in this custom app, I have not
> found any evidence of it being used to (nor leaking) local directory
> contents.
> The decompression bomb does not contain its file name in its contents.
>
> Given the above, I believe something in my nginx setup leaked the real
> file name of the decompression bomb.
> I've tried using all request methods (GET, HEAD, PUT, POST, DELETE,
> CONNECT, OPTIONS, TRACE, PATCH) on the server from curl like following:
> $ curl --verbose -X <method> <redacted>.com/index.php
> and (as expected) none of the responses leaked the file name in any of
> the headers nor contents.
>
> Below is a redacted and inlined version of my nginx configuration. There
> is only one server defined, the Debian default server config has been
> removed. The error code mapping is there to avoid triggering high error
> rate alerts when hit by hundreds of consecutive bot requests.
> I would appreciate any help in figuring out what I am doing wrong and
> how could the <redacted-payload-filename> have been leaked?
>
> Thanks,
> Pizab
>
> # nginx.conf
> http {
> sendfile on;
> tcp_nopush on;
> tcp_nodelay on;
> keepalive_timeout 165;
> types_hash_max_size 2048;
>
> include /etc/nginx/mime.types;
> default_type application/octet-stream;
>
> limit_req_zone "php" zone=attackzone:10m rate=1r/s;
>
> ssl_certificate <redacted>;
> ssl_certificate_key <redacted>;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
> ssl_session_cache shared:SSL:10m;
> ssl_session_timeout 10m;
>
> server_tokens off;
>
> access_log /var/log/nginx/access.log;
> error_log /var/log/nginx/error.log;
>
> client_body_buffer_size 1M;
>
> server {
> listen 443 default_server ssl;
> listen 80;
>
> server_name <redacted>.com;
> rewrite_log on;
>
> location /.well-known/acme-challenge {
> alias /var/www/html/.well-known/acme-challenge;
> }
>
> location / {
> access_log /<redacted>/logs/nginx_access.log;
> proxy_set_header Host $http_host;
> proxy_redirect off;
> proxy_connect_timeout 60;
> proxy_read_timeout 160;
> proxy_pass http://localhost:10000;
> }
>
> error_page 429 =229 /error429;
>
> location ~ \.php$ {
> limit_rate_after 1k;
> limit_rate 2k;
> limit_req zone=attackzone burst=2;
> limit_req_status 429;
> keepalive_timeout 0;
> root /var/www/html/<redacted>/;
> default_type "application/xml";
> add_header Content-Encoding "br";
> try_files /<redacted-payload-filename> =400;
> }
>
> location = /error429 {
> return 229 "Too many requests.";
> }
> }
> }
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200618/cd253b34/attachment-0001.htm>
More information about the nginx
mailing list