[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Nginx ngx_http_close_connection function integer overflow


On Thu, 25 Apr 2013, 06:52-0000, safe3q@xxxxxxxxx wrote:
> ---------------------
> Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.
> The vulnerability is caused by a int overflow error within the Nginx
> ngx_http_close_connection function when r->count is less then 0 or
> more then 255, which could be exploited by remote attackers to
> compromise a vulnerable system via malicious http requests.
> ---------------------------
> Nginx all latest version
> IV. Exploits/PoCs
> ---------------------------------------
> In-depth technical analysis of the vulnerability and a fully
> functional remote code execution exploit are available through the
> safe3q@xxxxxxxxx In src\http\ngx_http_request_body.c
> ngx_http_discard_request_body function,we can make r->count++.
We've done an initial investigation and don't see any problems with
the code you mention.  Could you please provide more details to
security-alert@xxxxxxxxx or to the list?

Thanks in advance,

Maxim Konovalov

Maxim Konovalov