[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.BSF.2.00.1304252147440.85130@mp2.macomnet.net>
Date: Thu, 25 Apr 2013 21:51:45 +0400 (MSK)
From: Maxim Konovalov <maxim.konovalov@...il.com>
To: safe3q@...il.com
cc: bugtraq@...urityfocus.com, security-alert@...nx.org
Subject: Re: Nginx ngx_http_close_connection function integer overflow
Hello,
On Thu, 25 Apr 2013, 06:52-0000, safe3q@...il.com wrote:
[...]
> II. DESCRIPTION
> ---------------------
>
> Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.
>
> The vulnerability is caused by a int overflow error within the Nginx
> ngx_http_close_connection function when r->count is less then 0 or
> more then 255, which could be exploited by remote attackers to
> compromise a vulnerable system via malicious http requests.
>
> III. AFFECTED PRODUCTS
> ---------------------------
>
> Nginx all latest version
>
> IV. Exploits/PoCs
> ---------------------------------------
>
> In-depth technical analysis of the vulnerability and a fully
> functional remote code execution exploit are available through the
> safe3q@...il.com In src\http\ngx_http_request_body.c
> ngx_http_discard_request_body function,we can make r->count++.
>
We've done an initial investigation and don't see any problems with
the code you mention. Could you please provide more details to
security-alert@...nx.org or to the list?
Thanks in advance,
Maxim Konovalov
--
Maxim Konovalov
Powered by blists - more mailing lists