HI, There:

I try to exploit this bug in an attempt to do something nasty :-).
However, the more I dig into it, the more I get confused.

As far as I know, one necessary conditional to trigger the problem
is that range-filter kicks in, and range-filter is called if and *ONLY*
if (FIXME):

1) Nginx serves static file.

2) Nginx serves as a reverse-proxy *with* cache capability, and the
resource being accessed is *cache-able*. In this case, the proxy will
fetch the entire file from origin, cache it, then send the ranges down
to downstream via range-filter. (If content is not cache-able, range
range in reverse proxy will not be enabled, instead, the range request
is directly forwarded to upstream. Also, in proxy without cache, rang
filter will not be invoked)

Questions:

======

a). Does this bug have any negative impact to 1)?

b). Where exactly does buffer overflow take place? How does this
patch resolve the problem. As far as I can understand, the patch only
check if total size of the ranges exceeds 4G (assuming 32-bit system for
simplicity). The start/end pointer of each range is guaranteed in the
range of "[0, content-length]" regardless the patched condition.

c) Could following statement have overflow problem as well when the
start/end point is very close 4G?

850 if (ngx_buf_in_memory(buf)) {
851 b->pos = buf->pos + (size_t) range[i].start;
852 b->last = buf->pos + (size_t) range[i].end;
853 }

d) the patch guarantees the total size of ranges is smaller than 4G
(again, assume 32bit system). But what if it ends up very close to 4G,
making the "len" variable in function variable
ngx_http_range_multipart_header() overflow. The "len" is to calculate
the content-length the resulting response, it is the total size of
multi-part overhead plus ranges.

Is there any simple example to reproduce the problem?

Thanks a lot!

Shuxin

On 07/11/2017 08:47 AM, Maxim Dounin wrote:
> Hello!
>
> A security issue was identified in nginx range filter. A specially
> crafted request might result in an integer overflow and incorrect
> processing of ranges, potentially resulting in sensitive information
> leak (CVE-2017-7529).
>
> When using nginx with standard modules this allows an attacker to
> obtain a cache file header if a response was returned from cache.
> In some configurations a cache file header may contain IP address
> of the backend server or other sensitive information.
>
> Besides, with 3rd party modules it is potentially possible that
> the issue may lead to a denial of service or a disclosure of
> a worker process memory. No such modules are currently known though.
>
> The issue affects nginx 0.5.6 - 1.13.2.
> The issue is fixed in nginx 1.13.3, 1.12.1.
>
> For older versions, the following configuration can be used
> as a temporary workaround:
>
> max_ranges 1;
>
> Patch for the issue can be found here:
>
> http://nginx.org/download/patch.2017.ranges.txt
>
>

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx