nginx 1.3.9/1.4.0 http/ngx_http_parse.c ngx_http_parse_chunked numeric error
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
9.5 | $0-$5k | 0.00 |
A vulnerability was found in nginx 1.3.9/1.4.0 (Web Server) and classified as very critical. Affected by this issue is the function ngx_http_parse_chunked of the file http/ngx_http_parse.c. Manipulation with an unknown input leads to a numeric error vulnerability, classified under CWE-189. Confidentiality, integrity, and availability are impacted. The CVE summary reads:
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
The issue was introduced on 11/27/2012. The weakness was disclosed on 05/07/2013 by Maxim Dounin with iSIGHT as a confirmed advisory (mailing list). The advisory is available at mailman.nginx.org. This vulnerability has been tracked as CVE-2013-2028 since 02/19/2013. Exploitation is known to be difficult. The attack may be launched remotely, and no form of authentication is required. Technical details as well as a public exploit are known. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimate calculated on 05/10/2021).
A public exploit was developed by Mert SARICA and published 3 weeks after the advisory. It is available at exploit-db.com and is declared highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 161 days; during that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 66341 (FreeBSD : nginx -- multiple vulnerabilities (efaa4071-b700-11e2-b1b9-f0def16c5c1b)), which helps determine whether the flaw is present in a target environment. It is assigned to the family FreeBSD Local Security Checks.
Upgrading to version 1.4.1 eliminates this vulnerability. Applying a patch also resolves the problem; the bugfix is available for download at nginx.org. The recommended mitigation is upgrading to the latest version. A possible mitigation was published immediately after disclosure of the vulnerability. Furthermore, this kind of attack can be detected and prevented with TippingPoint filter 13013.
The vulnerability is also documented in the databases at X-Force (84048), Tenable (66341) and Exploit-DB (25499). welivesecurity.com provides further details.
CVSSv3
VulDB Meta Base Score: 10.0
VulDB Meta Temp Score: 9.5
VulDB Base Score: 10.0
VulDB Temp Score: 9.5
Exploiting
Class: Numeric error
CWE: CWE-189
ATT&CK: Unknown
Local: No
Remote: Yes
Access: Public
Status: Highly functional
Author: Mert SARICA
Nessus ID: 66341
Nessus Name: FreeBSD : nginx -- multiple vulnerabilities (efaa4071-b700-11e2-b1b9-f0def16c5c1b)
Nessus Family: FreeBSD Local Security Checks
OpenVAS ID: 865640
OpenVAS Name: Fedora Update for nginx FEDORA-2013-8182
MetaSploit ID: nginx_chunked_size.rb
MetaSploit Name: Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
Countermeasures
Recommended: Upgrade
Upgrade: nginx 1.4.1
Patch: nginx.org
Suricata ID: 2016918
TippingPoint: 13013
Timeline
11/27/2012, 02/19/2013, 05/07/2013 (5 entries), 05/08/2013 (2 entries), 05/14/2013, 05/17/2013, 05/28/2013, 07/19/2013, 05/10/2021
Sources
Advisory: mailman.nginx.org
Researcher: Maxim Dounin
Organization: iSIGHT
Status: Confirmed
CVE: CVE-2013-2028 (🔍)
X-Force: 84048
Vulnerability Center: 39557 - nginx 1.3.9-1.4.0 Remote Code Execution due to a Flaw in ngx_http_parse_chunked, High
SecurityFocus: 59699 - nginx 'ngx_http_parse.c' Stack Buffer Overflow Vulnerability
Secunia: 53248 - nginx "ngx_http_parse_chunked()" Buffer Overflow Vulnerability, Highly Critical
OSVDB: 93037
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 05/08/2013 17:12
Updated: 05/10/2021 14:39
Changes: 05/08/2013 17:12 (95), 04/29/2017 20:51 (8), 05/10/2021 14:39 (2)