Problem traced to interlinked vulnerabilities in Nginx and OpenResty

Mail.ru has patched a critical memory disclosure flaw

Russian email platform Mail.ru has paid out a $10,000 bug bounty for a critical security flaw connected to two related issues in Nginx and OpenResty.

A security advisory posted on Mail.ru’s HackerOne page on March 18 explained how improper handling of a NULL byte in an API request led to the “disclosure of HTTP server memory”.

OpenResty adds a Lua scripting engine to the Nginx reverse proxy that fronts Mail.ru, whose user base numbers 100 million active accounts.

‘Untrusted input data’

The bug bounty hunter who discovered the vulnerabilities found that OpenResty’s ngx.req.set_uri() is implemented as a raw Nginx rewrite, with no additional filtering or normalization of the new URI, so any untrusted value passed to it reaches the rewrite engine unchanged.

Yichun Zhang, president and founder of OpenResty, told The Daily Swig: “It’s a potential risk when the Lua programmer working on OpenResty apps is careless and fails to validate untrusted input data at all (kinda similar to JS or SQL injection).”

The HackerOne advisory said this could lead to CRLF/header injection.

“The OpenResty core could have done better here [to] help the developers,” said Zhang.

The second issue, a bug in Nginx’s rewrite implementation, means the OpenResty flaw can also lead to memory content disclosure, directory traversal and local file reads, and bypass of access restrictions under some configurations.

The disclosure arises because Nginx returns a fragment of process memory in its 301/302 HTTP reply if the rewrite string contains ASCII 0 (NULL) characters.
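To make the missing filtering concrete, the following is an added example written for this article; it is not code from the Mail.ru advisory, the researcher or the OpenResty project. It shows an OpenResty location that hands a query parameter to ngx.req.set_uri() unchecked, beside a hardened version that rejects NULL, CR, LF and dot segments and restricts the destination to an allowed prefix. The location names, the `target` parameter and the `/app/` prefix are assumptions for illustration.

```nginx
# Added example (assumed paths and parameter names), not the project's code.

# Vulnerable pattern: the raw value of ?target=... is handed to the rewrite
# engine as-is, so NUL, CR, LF and ".." segments go straight into $uri and
# from there into any redirect or file path that is later built from it.
location /vuln {
    rewrite_by_lua_block {
        local target = ngx.var.arg_target       -- e.g. ?target=/app/page
        if target then
            ngx.req.set_uri(target, true)       -- jump: re-run location matching
        end
    }
}

# Hardened pattern: validate the value before rewriting.
location /safe {
    rewrite_by_lua_block {
        local target = ngx.var.arg_target
        if not target then
            return ngx.exit(ngx.HTTP_BAD_REQUEST)
        end

        -- Decode percent-escapes once so "%00", "%0d%0a" and "%2e%2e" are
        -- checked in their decoded form. Nginx's own request parser rejects
        -- "%00", but a value decoded here bypasses that parser entirely.
        local decoded = ngx.unescape_uri(target)

        -- Reject any byte outside printable ASCII (0x20-0x7e). This covers
        -- NUL (0x00), CR (0x0d) and LF (0x0a): the memory-disclosure and
        -- header-injection inputs discussed above.
        if decoded:find("[^\32-\126]") then
            return ngx.exit(ngx.HTTP_BAD_REQUEST)
        end

        -- Reject dot segments: the rewritten URI is not re-normalised by the
        -- request parser, so "/app/../../etc/passwd" would otherwise survive.
        for segment in decoded:gmatch("[^/]+") do
            if segment == "." or segment == ".." then
                return ngx.exit(ngx.HTTP_BAD_REQUEST)
            end
        end

        -- Allowlist the destination: only paths under the assumed /app/ prefix.
        if decoded:sub(1, 5) ~= "/app/" then
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ngx.req.set_uri(decoded, true)
    }
}

location /app/ {
    root /srv/www;
}
```

The check is deliberately an allowlist on bytes and on the destination prefix rather than a denylist of known-bad sequences, so an encoding variant that is not enumerated still fails closed.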

Security updates

The vulnerabilities were found in Nginx version 1.17.5 and OpenResty version 1.15.8.2 on Ubuntu 18.04.

Owen Garrett, senior director of product development at Nginx, confirmed that Nginx has been patched in the ‘current’ (mainline) branch but not yet in ‘stable’.

“It will be included when we make the 1.18.0 stable release, probably in late April,” he told The Daily Swig.

On March 21, OpenResty issued a security release, 1.15.8.3, that resolves the issue.

Garrett said the “‘null-bytes-in rewrite’ bug was judged to have limited impact” and as such “fixed in our normal release cycle and documented in our change log”.

He added: “The flaw can only be exploited with very specific configurations, and it results in the disclosure of a small amount of uninitialized memory. We’re not aware of any ways to exploit this bug to mount a denial-of-service attack, or to systematically expose memory.”

Users who haven’t updated both platforms are advised to avoid using the Nginx rewrite directive or ngx.req.set_uri() with untrusted input, or at least to implement strict input filtering.

“Don’t embed null characters in redirects, and be careful when redirecting to a user-defined value,” said Garrett.

He added that you should “always be careful when trusting user input”.

“Nginx is a sophisticated piece of software, and it’s possible to generate exploitable configurations if you are careless. Use Nginx Amplify or https://github.com/yandex/gixy to analyse complex configurations and identify some possible issues,” Garrett said.

The directory traversal bug was apparently discovered through the creation of “an Nginx configuration that took untrusted user input and overwrote the request URI after Nginx had performed the appropriate security checks”.
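The researcher’s actual configuration is not published on this page; the following is an added illustration of the ordering problem Garrett describes, not the researcher’s or Nginx’s own configuration. The paths, the network allowlist and the `file` parameter are assumptions. Nginx normalises and validates the request URI when it parses the request and then runs access checks against the location that matched; a rewrite that replaces $uri with attacker-controlled data afterwards undoes that work, because the static handler simply concatenates `root` and the rewritten $uri.

```nginx
# Added example (assumed paths and parameter names), not the project's code.

# Weak: the parser normalised the original URI and the allow/deny rules ran
# against "/download", but this rewrite then replaces $uri with the raw value
# of ?file=... and "break" sends it straight to the static handler.
# ?file=../../../etc/passwd maps to /srv/www/files/../../../etc/passwd.
location /download {
    allow 10.0.0.0/8;
    deny  all;
    root  /srv/www/files;
    rewrite ^ /$arg_file break;
}

# Corrected: take the target from the path instead of a query parameter, and
# let a regex location admit only a single filename of safe characters. The
# rewrite then only ever sees a value the location regex has already validated,
# so no traversal, no control bytes, and nothing attacker-controlled in $uri.
# Braces in the regex require the pattern to be quoted in nginx.conf.
location ~ "^/download/([A-Za-z0-9][A-Za-z0-9._-]{0,63})$" {
    allow 10.0.0.0/8;
    deny  all;
    root  /srv/www/files;
    rewrite ^/download/(.*)$ /$1 break;
}

# Anything under /download/ that the regex did not admit gets a plain 404.
location /download/ {
    return 404;
}
```

The same reasoning applies to `redirect` and `permanent` rewrites: a value that is never allowed into $uri cannot be reflected into a Location header either.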

Therefore, Garrett advised, “be careful when using Nginx rewrites that you don’t introduce vulnerabilities in your configuration”.

Disclosure timeline

Mail.ru was notified of the flaw via HackerOne by researcher @maxarr on March 21, 2019.

The email provider identified Nginx and OpenResty as the root cause on November 5, and relayed the information to Nginx on November 7.

“We acknowledged receipt of the report the next day, considered the potential impact of the bug, and scheduled a fix,” said Garrett.

“We make Nginx open source releases approximately every six weeks; and shipped a fix in our ‘mainline’ release branch eight weeks after initial receipt of the email.”

The flaw was reported to the OpenResty team on December 17.
