From: Peter Chen
To: Henry Hu
Cc: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)
Date: Wed, 6 Jan 2016 21:57:34 -0500
Subject: Re: Nginx Vulnerability on FreeBSD
After I tried that on FreeBSD, and used "truss" to trace system calls, the Nginx worker process still cannot crash. It seems that FreeBSD's recvfrom() automatically divides the received data into 4096-sized chunks, and it will not overflow. The system call trace is as follows (different from the 1024 and 4112 in http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html; here the recvfrom() received sizes are 1024, 4096 and 16):

========================================================
kevent(8,{},0,{0x6,EVFILT_READ,0x0,0,0x1,0x801cd3000},512,0x0) = 1 (0x1)
gettimeofday({1452134269.299028 },0x0) = 0 (0x0)
accept4(0x6,0x7fffffffe650,0x7fffffffe6bc,0x20000000,0xffff,0x2) = 3 (0x3)
kevent(8,{0x3,EVFILT_READ,EV_ADD|EV_ENABLE|EV_CLEAR,0,0x0,0x801cd30e0},1,{0x3,EVFILT_READ,EV_CLEAR,0,0x1410,0x801cd30e0},512,{60.000000000 }) = 1 (0x1)
gettimeofday({1452134269.299901 },0x0) = 0 (0x0)
recvfrom(3,"GET / HTTP/1.1\r\nHost: 1337.vnsec"...,1024,0x0,NULL,0x0) = 1024 (0x400)
writev(0x3,0x7fffffffdcb0,0x2,0x7fffffffffffef87,0x68,0x1) = 172 (0xac)
shutdown(3,SHUT_WR) = 0 (0x0)
recvfrom(3,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...,4096,0x0,NULL,0x0) = 4096 (0x1000)
recvfrom(3,"AAAAAAAACCCCCCCC",4096,0x0,NULL,0x0) = 16 (0x10)
kevent(8,{},0,{0x3,EVFILT_READ,EV_CLEAR|EV_EOF,54,0x0,0x801cd30e0},512,{5.000000000 }) = 1 (0x1)
gettimeofday({1452134269.306013 },0x0) = 0 (0x0)
write(4,"172.16.187.1 - - [06/Jan/2016:21"...,1089) = 1089 (0x441)
close(3)
========================================================

Any idea how to make the crash happen? I can modify the kernel if needed. But I did not find recvfrom()'s maximum "len" in the recvfrom system call implementation -- sys_recvfrom.
(https://github.com/freebsd/freebsd/blob/63cd1c131acbe2c4896430de52395b168ee9b73d/sys/kern/uipc_syscalls.c)

Thanks!!
On Tue, Jan 5, 2016 at 12:59 AM, Peter Chen wrote:
> Thanks a million for the prompt reply! I'll try
> http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html .
>
> On Tue, Jan 5, 2016 at 12:49 AM, Henry Hu wrote:
>>
>> On Tue, Jan 5, 2016 at 12:14 AM, Peter Chen wrote:
>>
>>> Hi,
>>>
>>> I am trying to do a security research experiment on FreeBSD.
>>> I try to test the Nginx Vulnerability CVE-2013-2028 on FreeBSD x86-64,
>>> with Nginx 1.3.9/1.4.0.
>>> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028)
>>>
>>> However, most exploit samples can succeed on Linux, but not FreeBSD.
>>> The basic idea for the exploit is to send a packet with a very large
>>> chunk size, making the victim process stack-overflow. After Nginx's many
>>> crashes, the attacker can find enough gadgets to launch a return-oriented
>>> programming attack.
>>>
>>> However, it is hard to let the Nginx worker process crash (due to an
>>> overwritten return address) on FreeBSD. Process crash is the first step
>>> of the whole exploit.
>>>
>>> I guess (probably a wrong guess) the reason may be: the exploit needs to
>>> set MTU to a large value. But FreeBSD seems only to allow a max MTU of
>>> 16110.
>>>
>>> It is probably because of other reasons. Any comments/suggestions on
>>> this, just to make the victim process crash?
>>>
>>> Here are two exploit code examples, which can run against a Linux target,
>>> but fail to make the Nginx worker process crash on FreeBSD:
>>>
>>> http://www.scs.stanford.edu/brop/
>>> http://www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
>>>
>>> https://www.exploit-db.com/docs/27074.pdf
>>> http://seclists.org/fulldisclosure/2013/Jul/att-90/ngxunlock_pl.bin
>>>
>>
>> With a simple experiment on nginx 1.4.0, it's possible that FreeBSD has
>> more strict checks in recvfrom.
>>
>> For the exploit:
>> Pwning IP 127.0.0.1
>> Pwning
>> Checking for vuln...
>> Not vuln2
>>
>> From error.log:
>> 2016/01/05 00:43:35 [alert] 79819#0: *14 recv() failed (22: Invalid
>> argument) while sending response to client, client: 127.0.0.1, server:
>> localhost, request: "GET / HTTP/1.1", host: "bla.com"
>>
>> From ktrace:
>> 79819 nginx CALL recvfrom(0x3,0x801a15400,0x400,0,0,0)
>> 79819 nginx GIO fd 3 read 104 bytes
>> "GET / HTTP/1.1\r
>> ...
>> 79819 nginx CALL recvfrom(0x3,0x7fffffffcf30,0xeadbeefdeadbef03,0,0,0)
>> 79819 nginx RET recvfrom -1 errno 22 Invalid argument
>>
>> From an analysis, this should succeed:
>> (from http://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html)
>>
>> strace -p 11337 -s 5000 2>&1 | grep recv
>> recvfrom(3, "GET / HTTP/1.1\r\nHost: 1337.vnsecurity.net\r\nAccept: */*\r\nTransfer-Encoding: chunked\r\n\r\nfff...snip..fff0f0f0f0f", 1024, 0, NULL, NULL) = 1024
>> recvfrom(3, "AAA..snip..AACCCCCCCC", 18446744069667229461, 0, NULL, NULL) = 4112
>>
>>>
>>> Thanks!!
>>>
>>> Best,
>>> Peter
>>
>> --
>> Cheers,
>> Henry
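As an added illustration of the bug class this thread is about (written for this page; it is not code from nginx, from the linked exploits, or from either poster): the chunk-size signedness pattern behind CVE-2013-2028, where a hex chunk size parsed into a signed 64-bit value goes negative and min() with the 4096-byte discard buffer then hands recv() an enormous length. The function names, the 4096 constant and the hardened variant are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Size of the fixed stack buffer the discarded chunk body is read into
 * (assumption for this example; nginx names its own constant). */
#define DISCARD_BUFFER_SIZE 4096

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable pattern: the hex chunk size accumulates into a signed 64-bit
 * value (off_t in nginx) with no overflow check. The wrap is done in
 * unsigned arithmetic here only to keep the demo free of undefined behaviour. */
static size_t vuln_read_len(const char *hex)
{
    uint64_t acc = 0;
    for (int d; (d = hexval(*hex)) >= 0; hex++)
        acc = acc * 16 + (uint64_t) d;      /* wraps modulo 2^64 */
    int64_t size = (int64_t) acc;           /* "ffffffffffffffff" becomes -1 */

    /* min(size, 4096) keeps the negative value; narrowing it to size_t turns
     * it into a huge length, so recv() may write far past the 4096-byte buffer. */
    int64_t n = size < DISCARD_BUFFER_SIZE ? size : DISCARD_BUFFER_SIZE;
    return (size_t) n;
}

/* Hardened variant (constructed here, not nginx's own fix): refuse a chunk
 * size that would overflow before it can go negative, then clamp the read
 * length to the buffer. Returns -1 for an invalid chunk-size line. */
static ssize_t safe_read_len(const char *hex)
{
    int64_t size = 0;
    int ndigits = 0;
    for (int d; (d = hexval(*hex)) >= 0; hex++, ndigits++) {
        if (size > INT64_MAX / 16)          /* size*16 + 15 would overflow */
            return -1;
        size = size * 16 + d;
    }
    if (ndigits == 0)                       /* empty chunk-size line */
        return -1;
    return size < DISCARD_BUFFER_SIZE ? (ssize_t) size : DISCARD_BUFFER_SIZE;
}
```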