Buffer Overflow Exploit found in Nginx Server 1.3.9-1.4.0
Earlier this month Nginx disclosed a buffer overflow vulnerability in some versions of their product. Recently, Metasploit released an exploit module for it.
Nginx, the ever-popular open-source HTTP server and reverse proxy, publicly disclosed that a stack-based buffer overflow (CVE-2013-2028) affects versions 1.3.9 through 1.4.0. According to Shodan, almost 3 million servers on the web run Nginx, with almost 12,000 on the affected versions. Those counts come from the advertised Server header, so treat them as an estimate: a server that hides its version is not counted, and one that shows an old version may already carry a backported fix.
A notification from Nginx stated that a specially crafted request could trigger a stack-based buffer overflow.
The Metasploit module uses the overflow to run an arbitrary payload, which can include a remote shell. Its description reads:
This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.
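The mechanism the module description gives above, as an added example that is not nginx source and not the Metasploit module's code: a simplified C model of a chunk-size parser that accumulates hex digits without a bound, beside the read-length computation that consumes its result, each with a hardened form next to it. The buffer size, the type and function names, and the sample chunk-size line are assumptions chosen for illustration; the hardened parser's check (reject before multiplying once the size exceeds MAX/16) is the shape of the upstream fix. Nothing here performs the overflowing read; the functions return the values so the fault is visible.

```c
/* Added example, not code from nginx or the Metasploit module: a simplified
 * model of the bug class the module description above refers to.  The
 * vulnerable parser accumulates hex chunk-size digits into a signed 64-bit
 * value with no bound, so an overly long hex chunk size wraps to a negative
 * number; the caller then computes
 *     size = (size_t) min(chunk_size, DISCARD_BUFFER_SIZE)
 * for a fixed-size stack buffer, and the negative value becomes a huge read
 * length.  The hardened variants reject the size before it can wrap.
 * Nothing here performs the overflowing read; the functions only return the
 * values so the fault is observable.  Chunk extensions (";name=value") are
 * not handled, which is a simplification of the real grammar. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DISCARD_BUFFER_SIZE 4096       /* stand-in for the fixed stack buffer */
#define MAX_OFF_T_VALUE     INT64_MAX  /* chunk sizes are signed off_t values */

typedef struct {
    int     ok;    /* 1 if the chunk-size line parsed, 0 if it was rejected */
    int64_t size;  /* parsed chunk size; meaningful only when ok == 1 */
} chunk_size_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable: no bound on the accumulated size.  The arithmetic is done in
 * uint64_t so the wraparound itself is well-defined C; the final cast to
 * int64_t is what hands the caller a negative "size". */
chunk_size_t parse_chunk_size_vuln(const char *line) {
    chunk_size_t r = { 0, 0 };
    uint64_t acc = 0;
    const char *p = line;
    if (hexval(*p) < 0) return r;                 /* need at least one digit */
    while (hexval(*p) >= 0) {
        acc = acc * 16 + (uint64_t) hexval(*p);   /* wraps silently past 2^64 */
        p++;
    }
    if (p[0] != '\r' || p[1] != '\n') return r;   /* chunk size ends with CRLF */
    r.ok = 1;
    r.size = (int64_t) acc;
    return r;
}

/* Hardened: refuse to append another digit once size exceeds MAX/16, so
 * size * 16 + 15 can never exceed MAX_OFF_T_VALUE and can never go negative.
 * Checking before the multiply is the same idea the upstream fix uses. */
chunk_size_t parse_chunk_size_fixed(const char *line) {
    chunk_size_t r = { 0, 0 };
    int64_t size = 0;
    const char *p = line;
    if (hexval(*p) < 0) return r;
    while (hexval(*p) >= 0) {
        if (size > MAX_OFF_T_VALUE / 16) return r; /* would overflow: reject */
        size = size * 16 + hexval(*p);
        p++;
    }
    if (p[0] != '\r' || p[1] != '\n') return r;
    r.ok = 1;
    r.size = size;
    return r;
}

/* Vulnerable length computation: min() assumes chunk_size is non-negative.
 * A negative chunk_size wins the min, and the cast to size_t turns it into a
 * length far larger than the buffer the caller is about to recv() into. */
size_t discard_len_vuln(int64_t chunk_size) {
    int64_t n = chunk_size < DISCARD_BUFFER_SIZE ? chunk_size : DISCARD_BUFFER_SIZE;
    return (size_t) n;
}

/* Hardened: a negative chunk size is a protocol error, not a length.
 * Returns -1 for an invalid size, otherwise the clamped read length. */
int64_t discard_len_fixed(int64_t chunk_size) {
    if (chunk_size < 0) return -1;
    return chunk_size < DISCARD_BUFFER_SIZE ? chunk_size : DISCARD_BUFFER_SIZE;
}

int main(void) {
    /* Constructed chunk-size line: sixteen 'f' digits, i.e. 0xffffffffffffffff,
     * which is -1 when reinterpreted as a signed 64-bit size. */
    const char *line = "ffffffffffffffff\r\n";
    chunk_size_t v = parse_chunk_size_vuln(line);
    chunk_size_t f = parse_chunk_size_fixed(line);

    if (v.ok)
        printf("vulnerable parser: size %lld -> read length %zu into a %d-byte buffer\n",
               (long long) v.size, discard_len_vuln(v.size), DISCARD_BUFFER_SIZE);
    printf("hardened parser: %s\n", f.ok ? "accepted" : "rejected oversized chunk size");
    return 0;
}
```

The two halves of the bug are separable, and both matter: bounding the parser stops the value from ever going negative, and treating a negative size as a protocol error in the consumer stops a future parser regression from turning into a length again. A fix that only adds the second check still leaves a parser that silently computes wrong sizes, so the upstream-style bound in the parser is the primary fix and the consumer check is defense in depth.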
The issue is fixed in Nginx 1.4.1 and 1.5.0, and a patch for older versions is available (see the Nginx announcement above). Check the running build with nginx -v; note that distribution packages may backport the fix without changing the version string, so consult the package changelog before deciding a server is still exposed.
~ by D. Dieterle on May 28, 2013.