From owner-freebsd-hackers@freebsd.org Tue Jan 5 05:14:29 2016
From: Peter Chen <peterchencs@gmail.com>
To: freebsd-hackers@freebsd.org
Date: Tue, 5 Jan 2016 00:14:28 -0500
Subject: Nginx Vulnerability on FreeBSD
List-Id: Technical Discussions relating to FreeBSD
Hi,

I am trying to do a security research experiment on FreeBSD. I am trying to test the Nginx vulnerability CVE-2013-2028 on FreeBSD x86-64, with Nginx 1.3.9/1.4.0. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028)

However, most exploit samples can succeed on Linux, but not on FreeBSD.

The basic idea of the exploit is to send a packet with a very large chunk size, making the victim process stack-overflow. After Nginx's many crashes, the attacker can find enough gadgets to launch a return-oriented programming attack. However, it is hard to make the Nginx worker process crash (due to an overwritten return address) on FreeBSD. The process crash is the first step of the whole exploit.

I guess (probably a wrong guess) the reason may be: the exploit needs to set the MTU to a large value, but FreeBSD seems to allow only a max MTU of 16110. It is probably because of other reasons.

Any comments/suggestions on this, just to make the victim process crash?

Here are two exploit code examples, which can run against a Linux target, but fail to make the Nginx worker process crash on FreeBSD:

http://www.scs.stanford.edu/brop/
http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
https://www.exploit-db.com/docs/27074.pdf
http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin

Thanks!!

Best,
Peter
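Seen from the defending side, the parsing flaw behind CVE-2013-2028 is a hexadecimal chunk size accumulated without a bound, so that it can exceed what a signed 64-bit length holds. The following is an added example (my own code, not nginx's and not taken from the exploits linked above) that parses chunk-size lines with the kind of pre-multiply bound check the fix introduced, and walks constructed sample bodies to flag sizes that would overflow or that exceed a local policy limit; the limit constants, the regular expression and the sample bodies are assumptions of this example.

```python
import re

# Signed 64-bit off_t (nginx's chunk size type on x86-64) and the bound that must
# hold BEFORE each "size = size * 16 + digit" step so the value can never wrap.
OFF_T_MAX = 2**63 - 1
ACCUMULATE_LIMIT = OFF_T_MAX // 16

# One chunk-size line: hex digits, optional ";ext" chunk extensions (CR/LF stripped).
CHUNK_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")

def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line; raise ValueError if malformed or too large to hold."""
    m = CHUNK_LINE.match(line.rstrip(b"\r\n"))
    if not m:
        raise ValueError("malformed chunk-size line: %r" % line)
    size = 0
    for digit in m.group(1).decode("ascii"):
        if size > ACCUMULATE_LIMIT:          # the bound the vulnerable parser lacked
            raise ValueError("chunk size overflows 64-bit length: %r" % line)
        size = size * 16 + int(digit, 16)
    return size

def scan_chunked_body(body: bytes, policy_max: int = 1 << 20) -> list:
    """Walk a chunked body; return (chunk_no, reason) for overflowing or oversized chunks."""
    findings, pos, chunk_no = [], 0, 0
    while pos < len(body):
        end = body.find(b"\n", pos)
        if end < 0:
            break                             # truncated chunk-size line
        chunk_no += 1
        try:
            size = parse_chunk_size(body[pos:end])
        except ValueError as err:
            findings.append((chunk_no, str(err)))
            break                             # framing cannot be trusted past this point
        if size > policy_max:
            findings.append((chunk_no, "chunk size %d exceeds policy limit %d" % (size, policy_max)))
        if size == 0:
            break                             # last chunk
        pos = end + 1 + size + 2              # skip payload bytes and their trailing CRLF
    return findings

# Constructed sample bodies (not captured traffic): one benign, one with a 16-digit size.
BENIGN_BODY = b"5\r\nhello\r\n0\r\n\r\n"
ABUSIVE_BODY = b"f" * 16 + b"\r\n" + b"A" * 32 + b"\r\n"
```

Running `scan_chunked_body` over request bodies captured at a proxy or in a test harness gives a log-friendly finding per offending chunk rather than letting the size reach a buffer length.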