CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs
Buffer Overflow vulnerability found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.
env
ubuntu 18.04
njs 0feca92
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
bug
So, actually this is a logic bug, which happened under a really interesting circumstance.
The buggy function is njs_module_read in the file njs_module.c:
```c
    if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt_length(NJS_MODULE_START);

    if (S_ISREG(sb.st_mode) && sb.st_size) {   /* st_size only counted for regular files */
        text->length += sb.st_size;
    }

    text->length += nxt_length(NJS_MODULE_END);

    text->start = nxt_mp_alloc(vm->mem_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt_cpymem(text->start, NJS_MODULE_START, nxt_length(NJS_MODULE_START));

    n = read(fd, p, sb.st_size);               /* but st_size bytes are read regardless */
```
As you can see, it reads sb.st_size and sb.st_mode with fstat. However, if we don't provide a normal .js file, S_ISREG(sb.st_mode) will be 0 and text->length won't be updated.
But read(fd, p, sb.st_size) still reads sb.st_size bytes into p. p is on the heap, so we can overflow into the next chunk on the heap...
poc