Exploiting nginx chunked overflow bug, the undisclosed attack vector

Transcription

1 Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le

2 About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET

3 In this talk Nginx brief introduction Nginx chunked overflow bug The analysis The exploit The undisclosed attack vector x86-64 ROP tricks Demo 3 VNSECURITY.NET

4 Nginx [engine x] HTTP and reverse proxy server Fast, light-weight Popular 4 VNSECURITY.NET

5 Nginx architecture Non-blocking IO Event driven Single threaded Single master, multiple workers Resources efficient Highly modular ref: 5 VNSECURITY.NET

6 Nginx architecture big picture ref: 6 VNSECURITY.NET

7 The vulnerability 7 VNSECURITY.NET

8 The analysis (1) HTTP header: Transfer-Encoding: chunked 8 VNSECURITY.NET

9 The analysis (2) 9 VNSECURITY.NET

10 The analysis (3) 10 VNSECURITY.NET

11 The analysis (4) stack based overflow 11 VNSECURITY.NET

12 The exploit Stack cookie bruteforcing May require hundred/thousand of connections Noisy error logs nginx < binaries from nginx.org has no stack cookie ASLR return to binary Default is non PIE NX ROP 12 VNSECURITY.NET

13 The humble mitigation 13 VNSECURITY.NET

14 Quick summary Default nginx settings (static contents) Stack based overflow Straight to exploit Stack cookie slows down attack 14 VNSECURITY.NET

15 Practical Nginx deployment Nginx + FastCGI backend E.g: Wordpress Nginx + Apache/Lighttpd Reverse proxy 15 VNSECURITY.NET

16 The undisclosed attack vector Same vulnerability Different configuration More targets Heap based overflow! No worry about stack cookie Not straight to exploit 16 VNSECURITY.NET

17 The analysis (1) 17 VNSECURITY.NET

18 The analysis (2) 18 VNSECURITY.NET

19 The analysis (3) 19 VNSECURITY.NET

20 The analysis (4) 20 VNSECURITY.NET

21 The analysis (5) heap based overflow 21 VNSECURITY.NET

22 POC trigger 22 VNSECURITY.NET

23 Crash dump 23 VNSECURITY.NET

24 The exploit Send enough data Crafted payload to pass some checks ROP stuff Run n Pray! It s unreliable 24 VNSECURITY.NET

25 The unreliable issue Interfered by events Connections coming Connections have data Connections closing Heap metadata corruption Nginx internal pool libc Difficult to debug Event driven 25 VNSECURITY.NET

26 Crash madness VNSECURITY.NET

27 Nginx internals (1) ref: 27 VNSECURITY.NET

28 Nginx internals (2) 28 VNSECURITY.NET

29 Nginx internals (3) 29 VNSECURITY.NET

30 The solution Heap spraying Open many connections Force each connection to allocate large chunk Reserve contiguous memory Overflow the handler and trigger read_event_handler() Send more data to trigger read event 30 VNSECURITY.NET

31 The refined POC 31 VNSECURITY.NET

32 Heap spraying (1) 32 VNSECURITY.NET

33 Heap spraying (2) header N buffer N header N+1 buffer N+1 header N+2 33 VNSECURITY.NET

34 Overflow the handler (1) header N buffer N header N+1 buffer N+1 header N+2 34 VNSECURITY.NET

35 Overflow the handler (2) 35 VNSECURITY.NET

36 The refined exploit Open N connections (e.g N=32) All connections send the chunk trigger For connections from N/2 to N send same ROP payload Jump to controlled, contiguous memory before overflowing 36 VNSECURITY.NET

37 x86-64 ROP tricks (1) Use 32-bits gadgets Heap address is 32-bits xchg rsp, rax xchg esp, eax 37 VNSECURITY.NET

38 x86-64 ROP tricks (2) RET blocks RIP call [rax+0x30] RAX heap payload RAX RIP ret ret ret ret ret pop_ret xchg_ret real payload address growth 38 VNSECURITY.NET

39 x86-64 ROP tricks (3) Use less argument functions for ret2plt, ret2libc mprotect() vs mmap64() mmap64() rdi => address rsi => size rdx => proto rcx => flags r8 => fd r9 => offset mprotect() rdi => address rsi => size rdx => proto libc offset: mprotect mmap = 0x60 39 VNSECURITY.NET

40 Shellcode tricks Continue to serve normal HTTP requests fork() then parent exit() Advanced socket reuse stage-1: fd hunting loop read from fd check for tag jump to stage-2 with found fd stage-2: normal socket reuse shell 40 VNSECURITY.NET

41 Demo 41 VNSECURITY.NET

42 Conclusion We found another (now known) attack vector of the ngxin chunked overflow bug Not only stack based overflow Impact to almost practical deployments We built a reliable heap based overflow exploit No worry about stack cookie bruteforcing Fast to gain shell Exploit on x86 should be the same but easier 42 VNSECURITY.NET

43 Questions? 43 VNSECURITY.NET