Nginx Vulnerability on FreeBSD
Peter Chen
peterchencs at gmail.com
Tue Jan 5 05:14:29 UTC 2016
Hi,
I am trying to do a security research experiment on FreeBSD.
I try to test the Nginx Vulnerability CVE-2013-2028 on FreeBSD x86-64, with
Nginx 1.3.9/1.4.0.
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028)
However, most exploit samples can succeed on Linux, but not FreeBSD.
The basic idea for the exploit, is to send a packet with a very large chunk
size, making the victim process stack-overflow. After Nginx's many crashes,
the attacker can find enough gadgets to launch a return-oriented
programming attack.
However, it is hard to let Nginx worker process crash (due to overwritten
return address) on FreeBSD. Process crash is the first step of the whole
exploit.
I guess (probably a wrong guess) the reason may be: the exploit needs to
set MTU to a large value. But FreeBSD seems only to allows a max MTU of
16110.
It is probably because of other reasons. Any comments/suggestions on this,
just to make the victim process crash?
Here are two exploit code examples, which can run against Linux target, but
fail to make the Nginx worker process crash on FreeBSD:
http://www.scs.stanford.edu/brop/
http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
https://www.exploit-db.com/docs/27074.pdf
http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin
Thanks!!
Best,
Peter
More information about the freebsd-hackers
mailing list