upvote

points

by nicce15 hours ago |
comments
upvoteby saagarjha3 hours ago|
next
[-]
The idea is that ASLR bypasses are comparatively cheap, so yes, a chain without this is useless, but it's not that hard to find one. Probably much easier than the bug described here.
reply
upvoteby staticassertion3 hours ago|
prev|
next
[-]
Information leaks are not uncommon at all. nginx seems like a good target for them as well (fork + exec == no re-randomize, so you have the ability to reexec your exploit a lot of times to improve stability). edit: Seems that there's already good work in this area, I kinda forgot about brop gosh I'm old https://www.scs.stanford.edu/brop/

I suppose to keep the password analogy together, people reuse passwords all the time, timing attacks exist, etc?

reply
upvoteby nicce2 hours ago|
parent|
[-]
For this particular bug, for that to apply, you need some sort of oracle which tells that you are actually in the same child process that skips re-randomization before you can reduce the entropy. Based on this post, I cannot see that there is stable oracle to tell that?
reply
upvoteby l23k47 hours ago|
prev|
[-]
Anyone even vaguely familiar with exploiting nginx knows that ASLR is a complete non-factor here.
reply
upvoteby zrobotics5 hours ago|
parent|
next
[-]
Bold claim without any provided source. Do you have a link to back up that ASLR is a complete non-factor?
reply
upvoteby l23k43 hours ago|
parent|
[-]
I'm deliberately refraining from giving a ready LLM prompt.

History shows that "meh, ASLR mitigates this" is a vastly bolder claim anyway, so I don't feel much need to defend my position here.

Edit: Even the authors of this poc seem to agree with me https://depthfirst.com/research/nginx-rift-achieving-nginx-r...

reply
upvoteby nicce3 hours ago|
parent|
[-]
> History shows that "meh, ASLR mitigates this" is a vastly bolder claim anyway, so I don't feel much need to defend my position here.

Obviously you need to defend, that is quite generalization there. You need to prove how the vulnerability itself reduces the entropy of ASLR.

The authors don't really give support for that. They just say that they can brute-force it without crashing the whole Nginx. But they don't say how the entropy is reduced. They have zero information where the child process even starts, whether they hit the child, or if it even is the same child. So you should provide us technical and precise reasoning why it is not mitigating?

reply
upvoteby l23k43 hours ago|
parent|
[-]
There are heaps of literature on this exact topic. https://www.researchgate.net/publication/292156221_How_to_Ma...

> You need to prove how the vulnerability itself reduces the entropy of ASLR

Not really? Looks like we have a controlled-length overflow on a fork-based server, a situation where ASLR is known to not be very useful.

reply
upvoteby nicce3 hours ago|
parent|
[-]
> Not really? Looks like we have a controlled-length overflow on a fork-based server, a situation where ASLR is known to not be very useful.

It does not work like that - it has certain pre-condition requirements. You also need a reliable oracle which tells information when you actually hit the child process, whether child crashes and whether you are even in the same child. When you can retrieve this information, you are then removing re-randomization between attempts. That reduces the entropy, but it only helps if remaining search space is small enough. They don't show that they have oracle.

Additionally, for RCE, you need to find libc base and that is randomized alone. Authors just ignored in the post how they got that address. For that, you most likely need the information leak from second vulnerability, even if you can brute force the actual vulnerability.

reply
upvoteby sigmarule5 hours ago|
parent|
prev|
[-]
Could you explain for those who are not? :)
reply