From owner-freebsd-hackers@freebsd.org Tue Jan 5 05:49:43 2016 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9BB8A62580 for ; Tue, 5 Jan 2016 05:49:42 +0000 (UTC) (envelope-from henry.hu.sh@gmail.com) Received: from mail-qg0-x234.google.com (mail-qg0-x234.google.com [IPv6:2607:f8b0:400d:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AAA111A4D for ; Tue, 5 Jan 2016 05:49:42 +0000 (UTC) (envelope-from henry.hu.sh@gmail.com) Received: by mail-qg0-x234.google.com with SMTP id o11so271540484qge.2 for ; Mon, 04 Jan 2016 21:49:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=AbssWPqDYjQpF9NYg1Yt9DrxRgHlwVcGe8Wq7Db9Okk=; b=V0KmcNFbQrpzgkdLdO9gk8XjiF0yPcgKEEverr8bL5/WWZfVtYo92b8xoZef3NBHKt ixU5g5J68G9WT7R8LPuWmYyC2KRbB2tJYipLxHA3kd4T5dLp0jEHMF4BTY+D20nVhMNt RfR34oDRh0smKyb+dDjta9TyJ7RqMnq7mj5oDKjUjpxt8j1xG1ei3xXWkMTJpasb1sOD H46wAgI2JZMz0jNMLudR2m4621d3RnJI2q+fKi/nCvsaTBt4sFbqOdVXC2NEgoSoQCjR oqSXlvhP7KK6ZCFXZDuRJC67bA4h9mjAHWDMOp81BFUBO86B2WP3uBTJ7sfR99mGD3uW NBPA== X-Received: by 10.140.142.207 with SMTP id 198mr117565300qho.77.1451972981663; Mon, 04 Jan 2016 21:49:41 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.81.198 with HTTP; Mon, 4 Jan 2016 21:49:02 -0800 (PST) In-Reply-To: References: From: Henry Hu Date: Tue, 5 Jan 2016 00:49:02 -0500 Message-ID: Subject: Re: Nginx Vulnerability on FreeBSD To: Peter Chen Cc: "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jan 2016 05:49:43 -0000 On Tue, Jan 5, 2016 at 12:14 AM, Peter Chen wrote: > Hi, > > I am trying to do a security research experiment on FreeBSD. > I try to test the Nginx Vulnerability CVE-2013-2028 on FreeBSD x86-64, with > Nginx 1.3.9/1.4.0. > (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028) > > However, most exploit samples can succeed on Linux, but not FreeBSD. > The basic idea for the exploit, is to send a packet with a very large chunk > size, making the victim process stack-overflow. After Nginx's many crashes, > the attacker can find enough gadgets to launch a return-oriented > programming attack. > > However, it is hard to let Nginx worker process crash (due to overwritten > return address) on FreeBSD. Process crash is the first step of the whole > exploit. > > I guess (probably a wrong guess) the reason may be: the exploit needs to > set MTU to a large value. But FreeBSD seems only to allows a max MTU of > 16110. > > It is probably because of other reasons. Any comments/suggestions on this, > just to make the victim process crash? > > Here are two exploit code examples, which can run against Linux target, but > fail to make the Nginx worker process crash on FreeBSD: > > http://www.scs.stanford.edu/brop/ > http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz > > https://www.exploit-db.com/docs/27074.pdf > http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin > > With a simple experiment on nginx 1.4.0, it's possible that FreeBSD has more strict checks in recvfrom. For the exploit: Pwning IP 127.0.0.1 Pwning Checking for vuln... Not vuln2 >From error.log: 2016/01/05 00:43:35 [alert] 79819#0: *14 recv() failed (22: Invalid argument) while sending response to client, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "bla.com" >From ktrace: 79819 nginx CALL recvfrom(0x3,0x801a15400,0x400,0,0,0) 79819 nginx GIO fd 3 read 104 bytes "GET / HTTP/1.1\r ... 79819 nginx CALL recvfrom(0x3,0x7fffffffcf30,0xeadbeefdeadbef03,0,0,0) 79819 nginx RET recvfrom -1 errno 22 Invalid argument >From an analysis, this should succeed: (from http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html ) strace -p 11337 -s 5000 2>&1 | grep recv recvfrom(3, "GET / HTTP/1.1rnHost: 1337.vnsecurity.netrnAccept: */*rnTransfer-Encoding: chunkedrnrnfff...snip..fff0f0f0f0f", 1024, 0, NULL, NULL) = 1024 recvfrom(3, "AAA..snip..AACCCCCCCC", 18446744069667229461, 0, NULL, NULL) = 4112 > > Thanks!! > > Best, > Peter > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > -- Cheers, Henry