Hi,
This PoC isn't working because the included Docker image will retrieve a commit (98fc3bb78) from the Nginx version that already has the patch (1.31.0).
However, I've already rebuilt a new container image with the latest version of nginx (1.30.0) before the patch, and the PoC still doesn't work. My test environment meets the ASLR disabled condition on BOTH enviroments: HOST and CONTAINER
cat /proc/sys/kernel/randomize_va_space = 0
docker exec -it nginx_poc_container_id cat /proc/sys/kernel/randomize_va_space = 0
and stiil not working, keeps not find crash on nginx confs:
[*] Waiting for nginx on 127.0.0.1:19321...
[+] Connected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
I've tested many possibilities (including adding a docker with nginx backend for support so the response isn't empty) and it still doesn't work. Therefore, I can't test in my production environment (via Ansible) to see if I'm vulnerable or not, because I have MANY VPS with different configurations.
If you could help me, shed some light on the project, or review it, that would be excellent.
Best,
Hi,
This PoC isn't working because the included Docker image will retrieve a commit (98fc3bb78) from the Nginx version that already has the patch (1.31.0).
However, I've already rebuilt a new container image with the latest version of nginx (1.30.0) before the patch, and the PoC still doesn't work. My test environment meets the ASLR disabled condition on BOTH enviroments: HOST and CONTAINER
cat /proc/sys/kernel/randomize_va_space = 0
docker exec -it nginx_poc_container_id cat /proc/sys/kernel/randomize_va_space = 0
and stiil not working, keeps not find crash on nginx confs:
[*] Waiting for nginx on 127.0.0.1:19321...
[+] Connected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
[+] All candidates tried — no crash detected.
I've tested many possibilities (including adding a docker with nginx backend for support so the response isn't empty) and it still doesn't work. Therefore, I can't test in my production environment (via Ansible) to see if I'm vulnerable or not, because I have MANY VPS with different configurations.
If you could help me, shed some light on the project, or review it, that would be excellent.
Best,