Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability

depthfirst.com

Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability

depthfirst.com

RSS Bot@lemmy.bestiver.seBM to Lobste.rs@lemmy.bestiver.seEnglish · 4 days ago

NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability | depthfirst

depthfirst.com

We used the depthfirst system to analyze the NGINX source code, and it autonomously discovered 4 remote memory corruption issues, including a critical heap buffer overflow introduced in 2008. We further investigated the exploitability of the issues, and developed a working proof of concept demonstrating RCE with ASLR off. If you use rewrite and set directives in your NGINX configuration, you're at risk.

Comments

You must log in or # to comment.

Chat

Lobste.rs@lemmy.bestiver.se

lobsters@lemmy.bestiver.se

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !lobsters@lemmy.bestiver.se

Community locked: only moderators can create posts. You can still comment on posts.

RSS Feed of lobste.rs

Source of the RSS Bot

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

45 users / day
161 users / week
536 users / month
1.68K users / 6 months
2 local subscribers
375 subscribers
8.51K Posts
669 Comments
Modlog