milliways-infosec/CVE-2026-42945_RCE_in_Nginx-Rift
5
0
Fork 0
mirror of https://github.com/DepthFirstDisclosures/Nginx-Rift.git synced 2026-05-16 11:07:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
CVE-2026-42945_RCE_in_Nginx.../README.md
Markakd 1a2df3957b update readme
2026-05-13 11:40:55 -07:00

35 lines
2.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# NGINX Rift
RCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives.
This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by [depthfirst](https://depthfirst.com)'s security analysis system after a single click of onboarding the NGINX source.
> Want to find issues like this in your own code? Try the same system at **<https://depthfirst.com/open-defense>**.
## The Bug (TL;DR)
NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So:
- **Length pass** sees `is_args = 0` → returns raw capture length.
- **Copy pass** sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.
The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction.
Read more about this bug in our [technical write-up](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability).
## Affected & Fixed Versions
| Product | Affected | Fixed in |
| --- | --- | --- |
| NGINX Open Source | 0.6.27 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 R36 | R36 P4, R35 P2, R32 P6 |
Full vendor advisory: <https://my.f5.com/manage/s/article/K000160932>
## Usage
Tested on Ubuntu 24.04.3 LTS.
1. `./setup.sh` — build the container.
2. `docker compose -f env/docker-compose.yml up` — start the vulnerable NGINX server.
3. `python3 poc.py --shell` — pop a shell.
Reference in a new issue View git blame Copy permalink