NginX DNS Resolver Off-by-One Heap Write Vulnerability
by Larry-Hoover - Monday September 9, 2024 at 11:44 AM
#1
Hello,

I was recently looking into Nginx vulnerabilities and I stumbled on CVE-2021-23017. The vulnerability exists in the way Nginx receives DNS responses.

Apparently, the issue lies in the "ngx_resolver_copy()" function, causing a heap overflow. This type of vulnerability was labeled as DoS as it caused a server crash.
The PoC provided demonstrated how to basically crash the Nginx server.

As I was digging deeper, I came across an article describing the vulnerability in detail and also mentioning the following: "A network attacker capable of providing DNS responses to a Nginx server can achieve Denial-of-Service and likely remote code execution."
Now that was definitely interesting, but the problem is that I wasn't able to generate RCE yet. There was no PoC for it, simply nothing, as it was never possible.

This vulnerability affects many versions of Nginx (0.6.18 - 1.20.0), and I was hoping we could make this thread a collaborative effort in creating a PoC for this potential RCE.
You can find all the resources I visited below:
1. https://github.com/advisories/GHSA-83p9-mcpm-374v
2. https://www.x41-dsec.de/lab/advisories/x...lver-copy/

P.S.: I am currently working on it. I have been in the field for years, but I have never written any heap/buffer exploit from scratch like this one before.
#2
Quote: A specially crafted packet allows overwriting the least significant byte of next heap chunk metadata with 0x2E.

Seems to me that House of Einherjar is relevant here.

I'm not up to date on heap exploit mitigations on recent libc versions, but there is a PoC for a relatively modern House of Einherjar here: https://github.com/shellphish/how2heap/b...inherjar.c
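To make the bug both posts are discussing concrete: below is a small C model of the pre-1.21.0 ngx_resolver_copy() logic, written here as an added example for this thread. It is my own reconstruction for illustration, not nginx source code and not from either poster or the advisory. It keeps the two-pass shape the advisory describes: a first pass that sizes the allocation by summing label lengths (starting from -1, so dots between labels are counted), and a second pass that copies labels and writes a '.' (0x2E) after every label whose next byte is non-zero. A compression pointer is a non-zero byte, so a label followed by a pointer to a root (zero) label gets a dot the first pass never budgeted for: exactly one byte, always 0x2E, past the end of the allocation. The 24-byte label in the last case is an assumption on my part about how the "least significant byte of next heap chunk metadata" comes about: on 64-bit glibc a 32-byte chunk has 24 usable bytes, so the byte at offset 24 is the low byte of the next chunk's size field. The DNS name bytes are constructed inline, not captured traffic, and the model writes into a bounded arena so it cannot corrupt its own memory.

```c
/* Model of the pre-1.21.0 nginx ngx_resolver_copy() off-by-one (CVE-2021-23017).
 * My own reconstruction for illustration, not nginx source. Pass 1 sizes the
 * allocation; pass 2 copies labels and writes '.' (0x2E) after every label that
 * is followed by a non-zero byte, and a compression pointer is a non-zero byte. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define ARENA    128   /* stand-in heap: the allocation plus what follows it */
#define SENTINEL 0x41  /* stand-in for the byte right after the allocation */

typedef struct {
    ssize_t computed;  /* pass-1 length, i.e. the size handed to the allocator */
    size_t  written;   /* bytes pass 2 actually emitted */
    uint8_t after;     /* arena[computed] once the copy is done */
} result_t;

/* Pass 1: len starts at -1 and each label adds 1 + its length (label bytes plus
 * the dots between them); pointers are followed but add nothing. -2 = malformed. */
static ssize_t model_name_len(const uint8_t *buf, size_t buflen, size_t off) {
    const uint8_t *p = buf + off, *last = buf + buflen;
    ssize_t len = -1;
    for (int i = 0; i < 128; i++) {              /* pointer-loop limit, as in nginx */
        unsigned n = *p++;
        if (n == 0) return len;
        if (n & 0xc0) {
            n = ((n & 0x3f) << 8) + *p;          /* 14-bit offset into the message */
            p = buf + n;
        } else {
            len += 1 + n;
            p += n;
        }
        if (p >= last) return -2;
    }
    return -2;
}

/* Pass 2: copy into dst. cap is the arena size, a hard bound so the model cannot
 * corrupt its own memory; the "allocation" is only result_t.computed bytes. */
static size_t model_copy(const uint8_t *buf, size_t off, uint8_t *dst, size_t cap) {
    const uint8_t *src = buf + off;
    size_t w = 0;
    unsigned n = *src++;
    for (int i = 0; i < 128; i++) {
        if (n & 0xc0) {
            n = ((n & 0x3f) << 8) + *src;
            src = buf + n;
            n = *src++;
        } else {
            for (unsigned k = 0; k < n; k++, w++)
                if (w < cap) dst[w] = (uint8_t)tolower(src[k]);
            src += n;
            n = *src++;
            if (n != 0) {                        /* the bug: a pointer byte is != 0 */
                if (w < cap) dst[w] = '.';
                w++;
            }
        }
        if (n == 0) return w;
    }
    return w;
}

static result_t model_resolve(const uint8_t *buf, size_t buflen, size_t off) {
    result_t r = {0};
    uint8_t arena[ARENA];
    r.computed = model_name_len(buf, buflen, off);
    if (r.computed < 0 || r.computed >= ARENA) return r;
    memset(arena, SENTINEL, sizeof arena);       /* everything past the alloc */
    r.written = model_copy(buf, off, arena, sizeof arena);
    r.after = arena[r.computed];
    return r;
}

/* Constructed name data, not captured traffic. Offset 0 holds a root label so a
 * pointer 0xC0 0x00 targets a zero byte. */
static result_t demo_plain(void) {       /* "www.example": sized 11, writes 11 */
    static const uint8_t m[] = { 0, 3,'w','w','w', 7,'e','x','a','m','p','l','e', 0 };
    return model_resolve(m, sizeof m, 1);
}

static result_t demo_ptr_label(void) {   /* "a" + pointer to "b": sized 3, writes 3 */
    static const uint8_t m[] = { 0, 1,'b',0, 1,'a', 0xC0,0x01 };
    return model_resolve(m, sizeof m, 4);
}

static result_t demo_ptr_root(void) {    /* 24-byte label + pointer to root: sized 24, writes 25 */
    uint8_t m[28] = { 0, 24 };
    memset(m + 2, 'A', 24);              /* 24 = usable size of a 32-byte glibc chunk (assumed) */
    m[26] = 0xC0; m[27] = 0x00;          /* pointer back to the root label at offset 0 */
    return model_resolve(m, sizeof m, 1);
}

int main(void) {
    result_t r[3] = { demo_plain(), demo_ptr_label(), demo_ptr_root() };
    for (int i = 0; i < 3; i++)
        printf("sized=%2zd wrote=%2zu byte after alloc=0x%02x\n",
               r[i].computed, r[i].written, r[i].after);
    return 0;
}
```

The plain name and the pointer-to-a-real-label case both write exactly the number of bytes that were sized, so the sentinel after the allocation survives; only the pointer-to-root case writes one byte more, and that byte is always 0x2E. Whatever heap technique is attempted against this, that is the whole primitive: a single, fixed-value, one-byte overflow at an attacker-chosen allocation size, which is why the choice of name length (and therefore chunk size) is the part worth controlling first.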