From: John-Mark Gurney <jmg@funkthat.com>
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Fri, 26 Jul 2013 11:03:02 -0700
Subject: Re: nginx exploit / accept filters
Message-ID: <20130726180302.GQ26412@funkthat.com>
In-Reply-To: <1374838835.16740.1844463.72B1ED2B@webmail.messagingengine.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Mark Felder wrote this message on Fri, Jul 26, 2013 at 06:40 -0500:
> As described here:
> http://lists.grok.org.uk/pipermail/full-disclosure/2013-July/091084.html
>
> If I understand this correctly our accept filters will have zero effect
> on stopping this exploit, correct?

Depending upon where the overflow happens, it could make it even easier
to exploit... If the overflow happens in the header part, then the http
accept filter will make it even easier, and not require the attacker to
do tricks at the TCP layer...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
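To make the point of the reply concrete, here is an added illustration (not code from the thread or from FreeBSD) of why an HTTP accept filter is not a mitigation: it only decides when the kernel wakes the application, it never inspects header sizes or values. The filter rules below are a simplified model of accf_http(9) and are an assumption, as is the sample request.

```python
# Simplified model of an HTTP accept filter (accf_http, "httpready") deciding
# when a connection is handed to the application's accept(). Added example,
# not FreeBSD kernel code; the rules are a simplification and are assumed.

END_OF_HEADERS = b"\r\n\r\n"
BUFFERED_METHODS = (b"GET ", b"HEAD ")


def filter_decision(buffered: bytes) -> str:
    """What the kernel filter does with the bytes seen so far:
    'hold'    - keep buffering in the kernel, application not woken
    'release' - hand the connection and every buffered byte to accept()
    """
    if not buffered.startswith(BUFFERED_METHODS):
        # Assumed rule: only GET/HEAD are buffered, anything else is released at once.
        return "release"
    return "release" if END_OF_HEADERS in buffered else "hold"


def deliver(segments):
    """Feed TCP segments one at a time; return (decision trace, bytes delivered).
    The delivered bytes are what the application's first read() sees."""
    buf = b""
    trace = []
    for seg in segments:
        buf += seg
        trace.append(filter_decision(buf))
        if trace[-1] == "release":
            break
    return trace, buf


def header_length_guard(delivered: bytes, limit: int) -> bool:
    """Defender-side check the application itself must do, since the filter
    will not: refuse a header block larger than `limit` bytes before parsing."""
    end = delivered.find(END_OF_HEADERS)
    block = delivered if end < 0 else delivered[: end + len(END_OF_HEADERS)]
    return len(block) <= limit


# Constructed sample: headers split over three segments, one value unusually
# long. The filter only waits for the blank line, then delivers it all at once.
SEGMENTS = [
    b"GET /index.html HTTP/1.1\r\n",
    b"Host: example.test\r\nX-Test: " + b"A" * 200,
    b"\r\n\r\n",
]

if __name__ == "__main__":
    trace, delivered = deliver(SEGMENTS)
    print(trace, len(delivered), header_length_guard(delivered, 128))
```

The trace shows the kernel holding the connection through the oversized header and releasing it intact; the length check is the kind of limit the application, not the accept filter, has to enforce.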