From: Peter Chen <peterchencs@gmail.com>
To: Henry Hu
Cc: freebsd-hackers@freebsd.org
Date: Tue, 5 Jan 2016 00:59:19 -0500
Subject: Re: Nginx Vulnerability on FreeBSD

Thanks a million for the prompt reply! I'll try
http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html .

On Tue, Jan 5, 2016 at 12:49 AM, Henry Hu wrote:
>
> On Tue, Jan 5, 2016 at 12:14 AM, Peter Chen wrote:
>
>> Hi,
>>
>> I am trying to do a security research experiment on FreeBSD.
>> I am trying to test the Nginx vulnerability CVE-2013-2028 on FreeBSD x86-64,
>> with Nginx 1.3.9/1.4.0.
>> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028)
>>
>> However, most exploit samples succeed on Linux, but not on FreeBSD.
>> The basic idea of the exploit is to send a packet with a very large chunk
>> size, making the victim process stack-overflow. After many Nginx crashes,
>> the attacker can find enough gadgets to launch a return-oriented
>> programming attack.
>>
>> However, it is hard to make the Nginx worker process crash (due to an
>> overwritten return address) on FreeBSD. The process crash is the first step
>> of the whole exploit.
>>
>> I guess (probably a wrong guess) the reason may be: the exploit needs to
>> set the MTU to a large value, but FreeBSD seems to allow only a maximum MTU
>> of 16110.
>>
>> It is probably because of other reasons. Any comments/suggestions on this,
>> just to make the victim process crash?
>>
>> Here are two exploit code examples, which can run against a Linux target
>> but fail to make the Nginx worker process crash on FreeBSD:
>>
>> http://www.scs.stanford.edu/brop/
>> http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
>>
>> https://www.exploit-db.com/docs/27074.pdf
>> http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin
>>
>
> With a simple experiment on nginx 1.4.0, it's possible that FreeBSD has
> stricter checks in recvfrom.
>
> For the exploit:
> Pwning IP 127.0.0.1
> Pwning
> Checking for vuln...
> Not vuln2
>
> From error.log:
> 2016/01/05 00:43:35 [alert] 79819#0: *14 recv() failed (22: Invalid
> argument) while sending response to client, client: 127.0.0.1, server:
> localhost, request: "GET / HTTP/1.1", host: "bla.com"
>
> From ktrace:
> 79819 nginx CALL recvfrom(0x3,0x801a15400,0x400,0,0,0)
> 79819 nginx GIO fd 3 read 104 bytes
> "GET / HTTP/1.1\r
> ...
> 79819 nginx CALL recvfrom(0x3,0x7fffffffcf30,0xeadbeefdeadbef03,0,0,0)
> 79819 nginx RET recvfrom -1 errno 22 Invalid argument
>
> From an analysis, this should succeed:
> (from
> http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html
> )
>
> strace -p 11337 -s 5000 2>&1 | grep recv
> recvfrom(3, "GET / HTTP/1.1\r\nHost: 1337.vnsecurity.net\r\nAccept:
> */*\r\nTransfer-Encoding: chunked\r\n\r\nfff...snip..fff0f0f0f0f", 1024, 0, NULL,
> NULL) = 1024
> recvfrom(3, "AAA..snip..AACCCCCCCC", 18446744069667229461, 0, NULL, NULL)
> = 4112
>
>
>> Thanks!!
>>
>> Best,
>> Peter
>
> --
> Cheers,
> Henry
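The chain Henry's ktrace points at, as an added C example that is not part of this thread or of the nginx or FreeBSD sources: a signed chunk-size accumulator that wraps negative, the buffer bounds check a negative size slips past, and a recv-length guard of the kind FreeBSD's kernel applies, which rejects a length that is negative as ssize_t with EINVAL (the errno 22 in the ktrace). The function names and the hardened parser are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
static int hexval(char c)
{
    return (c >= '0' && c <= '9') ? c - '0'
         : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Constructed example.  Naive chunk-size parser shaped like the CVE-2013-2028
 * bug: signed 64-bit accumulator, no overflow guard, sixteen 'f's wrap to -1. */
int64_t parse_chunk_size_naive(const char *hex)
{
    uint64_t acc = 0;                 /* unsigned so the wrap is well defined */
    for (; *hex; hex++) {
        int d = hexval(*hex);
        if (d < 0) return -1;         /* bad digit */
        acc = acc * 16 + (uint64_t)d;
    }
    return (int64_t)acc;
}

/* Hardened parser: refuse a digit if multiplying by 16 could pass INT64_MAX,
 * so the size can never go negative.  Returns 0, or -1 if invalid/oversized. */
int parse_chunk_size_checked(const char *hex, int64_t *out)
{
    int64_t size = 0;
    for (; *hex; hex++) {
        int d = hexval(*hex);
        if (d < 0 || size > INT64_MAX / 16) return -1;
        size = size * 16 + d;
    }
    *out = size;
    return 0;
}

/* The bounds check a negative size slips past: -1 <= remaining is true, so
 * the caller proceeds to recv() with (size_t)-1 bytes. */
int chunk_fits_buffer(int64_t size, size_t remaining)
{
    return size <= (int64_t)remaining;
}

/* Guard of the kind FreeBSD's kernel applies to the recvfrom() length: a
 * length that is negative as ssize_t fails with EINVAL before any copy. */
int check_recv_len(size_t len)
{
    return (ssize_t)len < 0 ? EINVAL : 0;
}
```

On Linux the same oversized length is passed through to the socket layer and the read proceeds (the strace shows 4112 bytes returned), which is why the crash reproduces there and not on FreeBSD.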