Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)

July 17, 2013 by longld · 2 Comments 

In previous post, we analyzed and exploited stack based buffer overflow vulnerability in chunked encoding parsing of nginx-1.3.9 – 1.4.0. We mentioned that there was another attack vector which was more practical, more reliable. I talked about this attack vector at SECUINSIDE 2013 in July (btw, a great conference and CTF). Details can be found in slides.

In summary:

  • Same bug with different code paths that serve dynamic contents via fastcgi, proxy backend, etc. These configurations are more practical in real world environments.
  • Heap based overflow instead of stack based overflow as described in the original advisory. Nothing to worry about stack cookie (so no bruteforcing).
  • The trick to make heap overflow exploit more reliable is via connection spraying.
  • Some small tips and tricks for ROP and shellcode.

Enjoy hacking!

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Add to favorites
  • Reddit
  • Technorati
  • Tumblr
  • Twitter
  • Slashdot
  • Identi.ca

About longld
@longledinh

Comments

2 Responses to “Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)”
  1. am says:

    any video of this, anywhere?

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!