Using Nginx to protect against CVE-2015-1635
# See https://www.nginx.com/blog/nginx-protect-cve-2015-1635/ | |
# Using Nginx to protect against CVE-2015-1635 | |
# Exploit: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/ | |
# Identifying and handling reconnaissance traffic
# HTTP requests with a very large byte range in the **Range** header trigger the crash; the upper
# bound in the known trigger is 18446744073709551615 (2^64-1, a 20-digit value):
# | |
# GET / HTTP/1.1\r\n | |
# Host: stuff\r\n | |
# Range: bytes=0-18446744073709551615\r\n | |
# \r\n | |
# Simplest mitigation is to use the proxy_set_header directive to set the Range header to "", so no
# byte-range request is forwarded to IIS at all. Note that any of these configurations only protect
# traffic that actually passes through NGINX: the Windows server must not be reachable directly, and
# the configuration is a stop-gap until Microsoft's fix for CVE-2015-1635 is installed.
# Mitigation 1: unconditionally strip the Range header before proxying.
# With Range set to "" the upstream request carries no range, so the crafted
# "bytes=0-18446744073709551615" value never reaches IIS. Side effect: legitimate
# partial-content (byte-range) requests are not forwarded either.
server {
    listen 80;
    location / {
        proxy_set_header Range "";           # drop the header for every request
        proxy_pass http://windowsserver:80;  # IIS upstream; should be reachable only via this proxy
    }
}
# If your application requires byte-range support, you can use the map directive to replace any Range
# value that contains a run of 10 or more digits (i.e. an offset of 1,000,000,000 bytes or more) with
# the empty string, before using the **proxy_set_header** directive to set the **Range** header.
# This keeps ordinary ranges working but still discards legitimate ranges into files of roughly 1 GB
# or larger; lower the digit count only if you are sure your content is smaller than that.
# Mitigation 2: compute a sanitized copy of the client's Range header.
# $saferange is "" when the incoming Range value contains 10 or more consecutive
# digits (any offset >= 1,000,000,000), and is the unchanged $http_range otherwise.
# When no Range header was sent, $http_range is empty and so is $saferange.
map $http_range $saferange {
    "~\d{10,}" "";        # 10+ consecutive digits: discard the whole header value
    default $http_range;  # anything else is passed through untouched
}
# Mitigation 2 (continued): forward the sanitized range instead of the raw header.
# Relies on the $saferange map defined above; an empty $saferange means no Range
# header is sent upstream, otherwise the client's original value is forwarded.
server {
    listen 80;
    location / {
        proxy_set_header Range $saferange;   # sanitized value from the map
        proxy_pass http://windowsserver:80;  # IIS upstream; should be reachable only via this proxy
    }
}
# Alternatively, you can return HTTP code 444 when the value in the Range header resembles a large
# integer. Note that this example uses a 9-digit threshold (offsets of 100,000,000 bytes or more),
# which is stricter than the 10-digit threshold in the map example above; pick one threshold and use
# it consistently. Code 444 instructs NGINX and NGINX Plus to close the client connection immediately
# without returning anything, so the probing client gets no response at all.
# Mitigation 3: refuse the request outright instead of sanitizing it.
# The `if` is evaluated at server level, before any location is selected, so it
# applies to every path. A Range value with 9 or more consecutive digits
# (any offset >= 100,000,000) closes the connection with no response (code 444);
# all other requests, including those with no Range header, are proxied unchanged.
server {
    listen 80;
    if ($http_range ~ "\d{9,}") {
        return 444;  # drop the connection silently; nothing is sent to the client
    }
    location / {
        proxy_pass http://windowsserver:80;  # IIS upstream; should be reachable only via this proxy
    }
}