Nginx 1.18.0 Exploit


Avery Blaschko

May 9, 2024, 3:32:34 AM
to calswebfnisdi

My guess is what is happening is they are verifying an active server accepting requests and then dumping the characters (from the following exploit: ) onto the open TCP/IP connection which causes it to crash/stop responding.

Found this payload here, which is a shock attack. This is about the worst thing that can happen to you -- attacker gets a shell on your nginx box, then from there has access to your internal network (which is far worse than the crashing that you experienced). Who knows how much further he has penetrated. Is your TLS private key on the nginx box? If so, attacker should have gotten access to it.

nginx 1.18.0 exploit

Download Zip: https://t.co/XMHutloRM3
The #1 thing you need to do is upgrade to the latest version of nginx. You should then change your passwords on the nginx box, and inspect all your other internal systems that are accessible from the nginx box.

Nginx should never crash on any request. If the latest version still crashes, then see if that issue has already been reported. If it has not, then report the issue yourself. If it has, then track the discussion and see when it will be resolved.

Fortunately I remembered that lua scripting is sometimes supported in nginx, so we might be able to use that. With a bit of help from ChatGPT on the exact syntax of what to use, I was able to get a working PoC.

Due to the lack of DNS spoofing mitigations in nginx and the fact that the vulnerable function is called before checking the DNS Transaction ID, remote attackers might be able to exploit this vulnerability by flooding the victim server with poisoned DNS responses in a feasible amount of time.

Given the rich interaction opportunities in nginx with user-controlled data and the documented precedents, this bug is considered exploitable for remote code execution on some operating systems and architectures.

This section of the research focuses on the exploitable vulnerabilities arising from pathname manipulation in web servers, principally about the use of trim() or strip() functions. By exploiting these techniques, attackers can circumvent security rules specific to certain paths in reverse proxies and load balancers, posing a significant threat to web application security.

In the above example, if a request contains a SQL Injection payload in the X-Query header, AWS WAF recognizes the SQL Injection attempt and responds with a 403 Forbidden HTTP status code. This prevents the request from being forwarded to the backend, effectively blocking any potential exploitation of the application's database through SQL Injection attacks.

Upon discovering the presence of an SSRF vulnerability in Flask, I delved into exploring how this behavior could be exploited in other frameworks. As my research progressed, it became apparent that Spring Boot is also susceptible to this particular issue.

The proof of concept video demonstrates the exploitation of this vulnerability in an outdated Varnish cache server. It is important to note that newer versions of Varnish are not susceptible to this vulnerability:

In conclusion, this research delved into the realm of security vulnerabilities in web applications, specifically focusing on HTTP parsers and the implications they can have on overall security. By exploring inconsistencies in HTTP parsers across various technologies, such as load balancers, reverse proxies, web servers, and caching servers, I unveiled potential avenues for exploitation.

Designated as CVE-2019-11043, the vulnerability affects websites running on NGINX web servers enabled with the Hypertext Preprocessor FastCGI Process Manager (PHP-FPM). The vulnerability is related to a lack of checks on the configurations of NGINX and PHP-FPM. Under certain conditions, the vulnerability can be exploited to achieve remote code execution.

The length of the URI should be about 2,000 bytes, making path_info point exactly to the first byte of the _fcgi_data_seg structure. FCGI_PUTENV function will overwrite the variables with a script path. An arbitrary PHP_VALUE fcgi variable can be created, enabling an attacker to have access for remote code execution. The vulnerable server can be exploited by sending a crafted HTTP GET request with code to be injected ("$_GET[a]`?>") immediately after the newline character (%0A).

Threat intelligence firm Bad Packets told ZDNet that the vulnerability is already being exploited in the wild to hijack servers. There is, in fact, a working exploit released as a proof of concept (PoC) in Github. The PoC queries a web server and checks if it is vulnerable. Once verified to be vulnerable, hackers can send especially crafted requests by appending characters in the URL of the web server.

This vulnerability has been rated critical since the exploit is considered simple, achieves persistence once abused, is limited to affecting a certain type of configurations, and authentication is not required. Successfully exploiting CVE-2019-11043 can lead to RCE. In this case, it can allow hackers and threat actors to take over a PHP-written or -supported web application and its web server. This allows attackers to steal, delete, add, or overwrite content, embed them with malware, or use them as doorways into other systems or servers connected to it.


We have recently installed the qlik sense product in our infrastructure to exploit data and information we have. Currently, the access you have for both the Hub and the QMC is through the name of the machine where it is installed: qlik.mydomain.com/hub or qlik.mydomain.com/qmc

My question is whether Qlik Sense can be configured so that, instead of accessing it by server name, it can be accessed through a published URL that goes through our nginx reverse proxy, for example.

In nginx we have many applications published in /apps path.

Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root. The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system. This is fixed in 1.6.2-5+deb8u3 package on Debian and 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS. UPDATE 2017/01/13 - nginx packages below version 1.10.2-r3 on Gentoo are also affected.

In general, if a framework doesn't require you to specify the URL it's running on (like Laravel's APP_URL), it's vulnerable. Note that being vulnerable means that the exploit may succeed, but not necessarily that the attacker might be able to achieve anything with it. Still, you should ensure you always whitelist the expected domains for your app, either via Nginx or an app-level setting like a custom middleware.

Unfortunately the script still creates (hardcodes) the permission of /etc/shadow as 0600, so despite adding nginx to the shadow group, it cannot access /etc/shadow; the problem and workaround in the OP remain in 20.09.

When I run nginx directly from the command line, it does not crash when accessing a location with auth_pam. But the exact same configuration, started with systemctl, will crash the nginx worker processes.

The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited.

The first two, CVE-2023-5043 and CVE-2023-5044, are both due to improper input validation and can be exploited to inject arbitrary code, obtain high-level credentials and steal all secrets from the cluster. Both are rated "high" severity bugs, received CVSS ratings of 7.6 out of 10, and affect versions 1.9.0 and earlier.

To mitigate both issues, the Kubernetes Security Response Committee's CJ Cullen recommends that ingress admins "set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields."

The third issue, CVE-2022-4886, received an 8.8 CVSS severity score. If someone can create or update ingress objects, they can exploit this bug to obtain Kubernetes API credentials from the ingress controller, and then use that access to steal all secrets in the cluster. It affects versions 1.8.0 and earlier.

The highest severity potential attack scenario involving one of these vulnerabilities is an LDAP injection exploit that allows a threat actor to bypass authentication and access restricted resources that are proxied through an NGINX server.

I settled on using NGINX's Lua scripting capabilities. It seemed like the right choice because it gets you as close to the webserver as possible but frees you from the limitations of NGINX's config language. It's available in the nginx-extras package on any debian derived system like Ubuntu or Mint.

After opening the .exe file in IDA Free, I saw that the binary was compiled with Mingw. From what I googled, none of the protections like DEP/NX are enabled by default when compiling with mingw so that should make exploitation easier.

The exploit uses the same JMP EAX gadget to jump to the beginning of the buffer. Then we align the stack, and set EAX past the buffer and we push it to the stack: this will contain the address of the string of our SMB server. Finally we move the address of LoadLibrary into EBX then CALL EBX to call the function. The filename argument for LoadLibrary is popped from the stack and the DLL is then loaded.

Nginx, a versatile web server pivotal to numerous internet infrastructures, has held a dominant market share since its inception in 2004, with widespread adoption across websites and Docker containers. This article delves into the intricacies of Nginx, focusing on the location and alias directives that are central to how Nginx handles specific URLs. We also explore potential vulnerabilities arising from misconfigurations and demonstrate how they can lead to security exploits, drawing on research presented at the BlackHat 2018 conference by Orange Tsai.
