milliways-infosec/CVE-2026-42945_RCE_in_Nginx-Rift
5
0
Fork 0
mirror of https://github.com/DepthFirstDisclosures/Nginx-Rift.git synced 2026-05-16 11:07:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

update readme

Browse source
This commit is contained in:
Markakd 2026-05-13 11:40:55 -07:00
parent 7fbbc54b50
commit 1a2df3957b
1 changed files with 31 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

37
README.md
View file

@ -1,10 +1,35 @@
# Nginx Rift Exploit
# NGINX Rift
**CVE:** CVE-2026-42945
**Tested on:** Ubuntu 24.04.3 LTS
RCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives.
This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by [depthfirst](https://depthfirst.com)'s security analysis system after a single click of onboarding the NGINX source.
> Want to find issues like this in your own code? Try the same system at **<https://depthfirst.com/open-defense>**.
## The Bug (TL;DR)
NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So:
- **Length pass** sees `is_args = 0` → returns raw capture length.
- **Copy pass** sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.
The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction.
Read more about this bug in our [technical write-up](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability).
## Affected & Fixed Versions
| Product | Affected | Fixed in |
| --- | --- | --- |
| NGINX Open Source | 0.6.27 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 R36 | R36 P4, R35 P2, R32 P6 |
Full vendor advisory: <https://my.f5.com/manage/s/article/K000160932>
## Usage
1. Run `./setup.sh` to create the container.
2. Run `docker compose -f env/docker-compose.yml up` to start the vulnerable nginx server.
3. Run `python3 poc.py --shell` to achieve RCE (Remote Code Execution).
Tested on Ubuntu 24.04.3 LTS.
1. `./setup.sh` — build the container.
2. `docker compose -f env/docker-compose.yml up` — start the vulnerable NGINX server.
3. `python3 poc.py --shell` — pop a shell.