lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.BSF.2.00.1304252147440.85130@mp2.macomnet.net> Date: Thu, 25 Apr 2013 21:51:45 +0400 (MSK) From: Maxim Konovalov <maxim.konovalov@...il.com> To: safe3q@...il.com cc: bugtraq@...urityfocus.com, security-alert@...nx.org Subject: Re: Nginx ngx_http_close_connection function integer overflow Hello, On Thu, 25 Apr 2013, 06:52-0000, safe3q@...il.com wrote: [...] > II. DESCRIPTION > --------------------- > > Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. > > The vulnerability is caused by a int overflow error within the Nginx > ngx_http_close_connection function when r->count is less then 0 or > more then 255, which could be exploited by remote attackers to > compromise a vulnerable system via malicious http requests. > > III. AFFECTED PRODUCTS > --------------------------- > > Nginx all latest version > > IV. Exploits/PoCs > --------------------------------------- > > In-depth technical analysis of the vulnerability and a fully > functional remote code execution exploit are available through the > safe3q@...il.com In src\http\ngx_http_request_body.c > ngx_http_discard_request_body function,we can make r->count++. > We've done an initial investigation and don't see any problems with the code you mention. Could you please provide more details to security-alert@...nx.org or to the list? Thanks in advance, Maxim Konovalov -- Maxim Konovalov
Powered by blists - more mailing lists