Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale

Without going through the way nginx parses an incoming request, I’m
unsure
if nginx isn’t vulnerable to this, because of the availability to grab
the
value of a GET parameter via
http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that
especially if an $arg_PARAMETER isn’t used in the config, it is not
vulnerable because it wouldn’t even attempt to parse the parameters, but
I
can’t be sure.

Can anyone speak to this?

Hello!

On Sat, Dec 31, 2011 at 11:37:39AM -0700, Justin H. wrote:

Can anyone speak to this?
It’s not vulnerable even if $arg_* is used.

Maxim D.

Thank you for the confirmation - I read through the parts of code in
question but wanted to get a second opinion.

How about the lua and/or the perl modules? It looks as if they are
using the nginx functions?

Sent from my iPhone

On Sun, Jan 1, 2012 at 1:58 PM, Justin H. [email protected] wrote:

Thank you for the confirmation - I read through the parts of code in
question but wanted to get a second opinion.

How about the lua and/or the perl modules? It looks as if they are
using the nginx functions?

The current released versions of ngx_lua does have this vulnerability
in its ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
I’ve already worked out a patch for these two functions in ngx_lua’s
git max-args branch here:

https://github.com/chaoslawful/lua-nginx-module/commit/75876

With this patch, both of these functions will only parse 100 query
args at most. And one can specify a custom maximum number of args
parsed with an optional function argument (default to 100) and
enforcing unlimited parsing by specifying a zero number.

This patch (as well as this branch) will be merged into the master
branch in 3 Jan.

Best,
-agentzh

On 1 January 2012 17:20, agentzh [email protected] wrote:

I’ve already worked out a patch for these two functions in ngx_lua’s
branch in 3 Jan.
It would probably be a good idea at that point, to finally make a
release of v0.3.1 of the ngx_lua module as with about 45 “Release
Candidates”, it must already hold some record :slight_smile:

On Sun, Jan 1, 2012 at 2:37 AM, Justin H. [email protected] wrote:

http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale

Without going through the way nginx parses an incoming request, I’m unsure
if nginx isn’t vulnerable to this, because of the availability to grab the
value of a GET parameter
viahttp://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that
especially if an $arg_PARAMETER isn’t used in the config, it is not
vulnerable because it wouldn’t even attempt to parse the parameters, but I
can’t be sure.

Well, the $arg_PARAMETER variable is not implemented with hash tables
at all :wink: It scans the URI query string at every invocation :slight_smile:

Regards,
-agentzh

On Sun, Jan 01, 2012 at 05:31:46PM +0300, Nginx U. wrote:

I’ve already worked out a patch for these two functions in ngx_lua’s
branch in 3 Jan.

It would probably be a good idea at that point, to finally make a
release of v0.3.1 of the ngx_lua module as with about 45 “Release
Candidates”, it must already hold some record :slight_smile:

+1.


Sergey A. Osokin
[email protected]
[email protected]

On Sun, Jan 1, 2012 at 10:20 PM, agentzh [email protected] wrote:

enforcing unlimited parsing by specifying a zero number.

This patch (as well as this branch) will be merged into the master
branch in 3 Jan.

I’ve also added similar protections to ngx.req.get_headers():

http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers

All of these changes have been released as ngx_lua 0.3.1rc45:

https://github.com/chaoslawful/lua-nginx-module/tags

and also included in the ngx_openresty bundle’s devel version 1.0.10.39:

http://openresty.org/#Download

Feedback welcome!

Best,
-agentzh

On 4 January 2012 14:48, agentzh [email protected] wrote:

I’ve also added similar protections to ngx.req.get_headers():

http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers

All of these changes have been released as ngx_lua 0.3.1rc45:
Nice one.

Thanks.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs