CVE-2013-2028 - Out-of-bounds Write vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
Vulnerable Configurations
Part | Count |
---|---|
Application | 9 |
OS | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | nginx 1.3.9/1.4.0 x86 - Brute Force Remote Exploit. CVE-2013-2028. Remote exploit for linux platform |
id | EDB-ID:26737 |
last seen | 2016-02-03 |
modified | 2013-07-11 |
published | 2013-07-11 |
reporter | kingcope |
source | https://www.exploit-db.com/download/26737/ |
title | nginx 1.3.9/1.4.0 x86 - Brute Force Remote Exploit |

description | Nginx 1.4.0 (64-bit) - Remote Exploit for Linux (Generic). CVE-2013-2028. Remote exploit for linux platform |
id | EDB-ID:32277 |
last seen | 2016-02-03 |
modified | 2014-03-15 |
published | 2014-03-15 |
reporter | sorbo |
source | https://www.exploit-db.com/download/32277/ |
title | Nginx 1.4.0 64-bit - Remote Exploit for Linux Generic |

description | Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow. CVE-2013-2028. Remote exploit for linux platform |
id | EDB-ID:25775 |
last seen | 2016-02-03 |
modified | 2013-05-28 |
published | 2013-05-28 |
reporter | metasploit |
source | https://www.exploit-db.com/download/25775/ |
title | Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow |

description | nginx 1.3.9-1.4.0 - DoS PoC. CVE-2013-2028. Dos exploit for linux platform |
id | EDB-ID:25499 |
last seen | 2016-02-03 |
modified | 2013-05-17 |
published | 2013-05-17 |
reporter | Mert SARICA |
source | https://www.exploit-db.com/download/25499/ |
title | nginx 1.3.9-1.4.0 - DoS PoC |
Metasploit
description | This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in ngx_http_parse_chunked() by supplying an overly long hex value as the chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, which is what makes the overflow possible. |
id | MSF:EXPLOIT/LINUX/HTTP/NGINX_CHUNKED_SIZE |
last seen | 2020-06-13 |
modified | 2017-07-24 |
published | 2013-05-22 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/nginx_chunked_size.rb |
title | Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow |
Nessus
NASL family | Web Servers |
NASL id | NGINX_1_5_0.NASL |
description | According to its Server response header, the installed version of nginx is 1.1.4 through 1.2.8, 1.3.x, or 1.4.x prior to 1.4.1. It is, therefore, affected by multiple vulnerabilities : - A stack-based buffer overflow in |
last seen | 2020-05-09 |
modified | 2013-05-29 |
plugin id | 66672 |
published | 2013-05-29 |
reporter | This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/66672 |
title | nginx ngx_http_proxy_module.c Multiple Vulnerabilities |
code

```
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(66672);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2013-2028", "CVE-2013-2070");
  script_bugtraq_id(59699, 59824);
  script_xref(name:"EDB-ID", value:"25499");
  script_xref(name:"EDB-ID", value:"26737");
  script_xref(name:"EDB-ID", value:"32277");

  script_name(english:"nginx ngx_http_proxy_module.c Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its Server response header, the installed version of
nginx is 1.1.4 through 1.2.8, 1.3.x, or 1.4.x prior to 1.4.1. It is,
therefore, affected by multiple vulnerabilities :

  - A stack-based buffer overflow in 'ngx_http_parse.c' may
    allow a remote attacker to execute arbitrary code or
    trigger a denial of service condition via a specially
    crafted HTTP request. This vulnerability only affects
    versions greater than or equal to 1.3.9 and less than
    1.4.1. (CVE-2013-2028)

  - A memory disclosure vulnerability in 'ngx_http_parse.c'
    affects servers that use 'proxy_pass' to untrusted
    upstream servers. This issue can be triggered by a
    remote attacker via a specially crafted HTTP request.
    Failed attempts may result in a denial of service
    condition. (CVE-2013-2070)");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
  script_set_attribute(attribute:"see_also", value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html");
  script_set_attribute(attribute:"see_also", value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html");
  script_set_attribute(attribute:"solution", value:
"Either apply the patch manually or upgrade to nginx 1.4.1 / 1.5.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2028");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
  script_set_attribute(attribute:"agent", value:"unix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin");
  script_require_keys("installed_sw/nginx");

  exit(0);
}

include('http.inc');
include('vcf.inc');

appname = 'nginx';
get_install_count(app_name:appname, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:appname);

vcf::check_granularity(app_info:app_info, sig_segments:3);

# If the detection is only remote, Detection Method won't be set, and we should require paranoia
if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
  audit(AUDIT_PARANOID);

constraints = [
  {'min_version':'1.1.4', 'max_version':'1.2.8', 'fixed_display':'1.4.1 / 1.5.0'},
  {'min_version':'1.3.0', 'fixed_version' : '1.4.1'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2013-189.NASL |
description | http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 69748 |
published | 2013-09-04 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/69748 |
title | Amazon Linux AMI : nginx (ALAS-2013-189) |
code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2013-189.
#

include("compat.inc");

if (description)
{
  script_id(69748);
  script_version("1.5");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2013-2070");
  script_xref(name:"ALAS", value:"2013-189");

  script_name(english:"Amazon Linux AMI : nginx (ALAS-2013-189)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and
1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP
servers, allows remote attackers to cause a denial of service (crash)
and obtain sensitive information from worker process memory via a
crafted proxy response, a similar vulnerability to CVE-2013-2028 ."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2013-189.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update nginx' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"nginx-1.2.9-1.11.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.2.9-1.11.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo");
}
```
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201310-04.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201310-04 (nginx: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition. Furthermore, a context-dependent attacker may be able to obtain sensitive information. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 70310 |
published | 2013-10-07 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/70310 |
title | GLSA-201310-04 : nginx: Multiple vulnerabilities |
code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201310-04.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(70310);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/11 17:09:26");

  script_cve_id("CVE-2013-0337", "CVE-2013-2028", "CVE-2013-2070");
  script_bugtraq_id(58105, 59699, 59824);
  script_xref(name:"GLSA", value:"201310-04");

  script_name(english:"GLSA-201310-04 : nginx: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201310-04
(nginx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in nginx. Please review
      the CVE identifiers referenced below for details.

Impact :

    A remote attacker could send a specially crafted request, possibly
      resulting in execution of arbitrary code with the privileges of the
      process, or a Denial of Service condition. Furthermore, a
      context-dependent attacker may be able to obtain sensitive
      information.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201310-04"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All nginx users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.4.1-r2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-servers/nginx", unaffected:make_list("ge 1.4.1-r2"), vulnerable:make_list("lt 1.4.1-r2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
```
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_EFAA4071B70011E2B1B9F0DEF16C5C1B.NASL |
description | The nginx project reports : A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution. [CVE-2013-2028] A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. [CVE-2013-2070] |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 66341 |
published | 2013-05-08 |
reporter | This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/66341 |
title | FreeBSD : nginx -- multiple vulnerabilities (efaa4071-b700-11e2-b1b9-f0def16c5c1b) |
code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(66341);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/10 11:49:43");

  script_cve_id("CVE-2013-2028", "CVE-2013-2070");

  script_name(english:"FreeBSD : nginx -- multiple vulnerabilities (efaa4071-b700-11e2-b1b9-f0def16c5c1b)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The nginx project reports :

A stack-based buffer overflow might occur in a worker process process
while handling a specially crafted request, potentially resulting in
arbitrary code execution. [CVE-2013-2028]

A security problem related to CVE-2013-2028 was identified, affecting
some previous nginx versions if proxy_pass to untrusted upstream HTTP
servers is used. The problem may lead to a denial of service or a
disclosure of a worker process memory on a specially crafted response
from an upstream proxied server. [CVE-2013-2070]"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html"
  );
  # https://vuxml.freebsd.org/freebsd/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a5f47845"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"nginx>=1.2.0,1<=1.2.8,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nginx>=1.3.0,1<1.4.1,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nginx-devel>=1.1.4<=1.2.8")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nginx-devel>=1.3.0<1.5.0")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2013-7560.NASL |
description | Update to upstream release 1.4.1 which fixes : - CVE-2013-2028: Stack-based buffer overflow when handling certain chunked transfer encoding requests. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2013-05-13 |
plugin id | 66387 |
published | 2013-05-13 |
reporter | This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/66387 |
title | Fedora 19 : nginx-1.4.1-1.fc19 (2013-7560) |
code

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2013-7560.
#

include("compat.inc");

if (description)
{
  script_id(66387);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2013-2028");
  script_bugtraq_id(59699);
  script_xref(name:"FEDORA", value:"2013-7560");

  script_name(english:"Fedora 19 : nginx-1.4.1-1.fc19 (2013-7560)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to upstream release 1.4.1 which fixes :

  - CVE-2013-2028: Stack-based buffer overflow when handling
    certain chunked transfer encoding requests

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=960605"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105176.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?fd1860f2"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC19", reference:"nginx-1.4.1-1.fc19")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/121675/nginx_dos.py.txt |
id | PACKETSTORM:121675 |
last seen | 2016-12-05 |
published | 2013-05-17 |
reporter | Mert SARICA |
source | https://packetstormsecurity.com/files/121675/Nginx-1.3.9-1.4.0-Denial-Of-Service.html |
title | Nginx 1.3.9 / 1.4.0 Denial Of Service |

data source | https://packetstormsecurity.com/files/download/121712/nginx_chunked_size.rb.txt |
id | PACKETSTORM:121712 |
last seen | 2016-12-05 |
published | 2013-05-23 |
reporter | Greg MacManus |
source | https://packetstormsecurity.com/files/121712/Nginx-HTTP-Server-1.3.9-1.4.0-Chunked-Encoding-Stack-Buffer-Overflow.html |
title | Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow |

data source | https://packetstormsecurity.com/files/download/122477/exp-nginx.rb.txt |
id | PACKETSTORM:122477 |
last seen | 2016-12-05 |
published | 2013-07-19 |
reporter | Hoang-Vu Dang |
source | https://packetstormsecurity.com/files/122477/Nginx-1.3.9-1.4.0-Buffer-Overflow.html |
title | Nginx 1.3.9 / 1.4.0 Buffer Overflow |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 59699. CVE(CAN) ID: CVE-2013-2028. nginx is an HTTP and reverse proxy server that is also used as a mail proxy server. In nginx 1.3.9 - 1.4.0, the "ngx_http_parse_chunked()" function (http/ngx_http_parse.c) contains an error when parsing HTTP chunks, which can be exploited to cause a stack buffer overflow. Affected: Nginx 1.3.9 - 1.4.0. Temporary workaround: upgrading to nginx 1.4.1 or 1.5.0 is recommended. If you cannot apply the patch or upgrade immediately, you can reduce the threat with the following measure: use the configuration `if ($http_transfer_encoding ~* chunked) { return 444; }` in every server{} block. Vendor patch: Nginx has published a security advisory (security_advisories) and a corresponding patch for this issue. security_advisories: nginx security advisories, link: http://nginx.org/en/security_advisories.html; patch download: http://nginx.org/download/patch.2013.chunked.txt |
id | SSV:60785 |
last seen | 2017-11-19 |
modified | 2013-05-17 |
published | 2013-05-17 |
reporter | Root |
title | nginx 'ngx_http_parse.c' Stack Buffer Overflow Vulnerability |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:85572 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-85572 |
title | nginx 1.4.0 64-bit - Remote Exploit for Linux (Generic) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:79160 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-79160 |
title | nginx 1.3.9-1.4.0 - DoS PoC |
References
- http://www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/
- http://www.osvdb.org/93037
- http://nginx.org/download/patch.2013.chunked.txt
- https://github.com/rapid7/metasploit-framework/pull/1834
- http://packetstormsecurity.com/files/121675/Nginx-1.3.9-1.4.0-Denial-Of-Service.html
- http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
- http://security.gentoo.org/glsa/glsa-201310-04.xml
- http://secunia.com/advisories/55181
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105176.html
- http://www.securityfocus.com/bid/59699