Hey, TL;DR: UAF in a "non-release" version of ModSecurity for Nginx. !RCE|DoS, no need to panic. Plus some old and even older exploitation vector(s).

/*
 * 1. Use-After-Free (UAF)
 */

During one of the engagements my team tested a WAF running in production: Nginx + ModSecurity + OWASP Core Rule Set [1][2][3]. In the system logs I found information about the Nginx worker processes being terminated due to memory corruption errors. Through fuzzing and stress testing it was possible to obtain a minimised payload triggering the memory corruption. Further analysis revealed that the v3 branch of ModSecurity suffered from a UAF vulnerability. Unfortunately, all I managed to do with it was to cause a poor man's remote DoS; perhaps others will have more luck exploiting it. Looking forward to reading about it.

The jaw-dropping PoC:
Source: Gmail -> IFTTT -> Blogger