New Nginx Exploit

NGINX Rift is a remote code execution (RCE) proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.

This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by depthfirst’s security analysis system after a single click of onboarding the NGINX source. Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.

The Bug (TL;DR)

NGINX’s script engine uses a two-pass process: first compute the required buffer size, then copy data in. The is_args flag is set on the main engine when a rewrite replacement contains ?, but the length-calculation pass runs on a freshly zeroed sub-engine.

So:

  • Length pass sees is_args = 0 → returns raw capture length.
  • Copy pass sees is_args = 1 → calls ngx_escape_uri with NGX_ESCAPE_ARGS, expanding each escapable byte to 3 bytes.

The copy overflows the undersized heap buffer with attacker-controlled URI data.
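
To make the sizing mismatch concrete, the following C model (added here; not code from the NGINX Rift repository or from NGINX itself) computes how many bytes the copy pass writes beyond what each length pass allocated, for the vulnerable flag-losing pass and for a fixed pass that sizes with the same flag. `needs_escape` is a simplified assumption standing in for NGINX’s real escape table, and the sample capture is constructed.

```c
#include <stdio.h>
/* Simplified stand-in for "escape this byte under NGX_ESCAPE_ARGS". Assumption: NGINX's
 * real lookup table differs; only the 1-byte-to-3-byte growth matters for the sizing bug. */
static int needs_escape(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 0;
    return !(c == '-' || c == '_' || c == '.' || c == '~');
}
/* Bytes produced when a capture is copied with args-escaping: %XX per escapable byte. */
size_t escaped_len(const unsigned char *s, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += needs_escape(s[i]) ? 3 : 1;
    return out;
}
/* Copy pass as the text describes: escapes whenever the main engine's is_args is set. */
size_t copy_pass_len(const unsigned char *s, size_t n, int main_is_args)
{
    return main_is_args ? escaped_len(s, n) : n;
}
/* Vulnerable length pass: runs on a freshly zeroed sub-engine, so it sees is_args == 0
 * regardless of the main engine and returns the raw capture length. */
size_t vuln_length_pass(const unsigned char *s, size_t n, int main_is_args)
{
    int sub_is_args = 0;  /* the main engine's flag never reaches the sub-engine */
    (void)main_is_args;
    return sub_is_args ? escaped_len(s, n) : n;
}
/* Fixed length pass: size the buffer with the same flag the copy pass will use. */
size_t fixed_length_pass(const unsigned char *s, size_t n, int main_is_args)
{
    return copy_pass_len(s, n, main_is_args);
}
/* Bytes the copy pass would write past the buffer the given length pass sized (0 = safe). */
size_t overflow_bytes(size_t (*length_pass)(const unsigned char *, size_t, int),
                      const unsigned char *s, size_t n, int main_is_args)
{
    size_t alloc = length_pass(s, n, main_is_args);
    size_t written = copy_pass_len(s, n, main_is_args);
    return written > alloc ? written - alloc : 0;
}
int main(void)
{
    const unsigned char cap[] = "a b/c";  /* constructed capture: ' ' and '/' are escapable */
    printf("vulnerable overflow: %zu bytes\n", overflow_bytes(vuln_length_pass, cap, 5, 1));
    printf("fixed overflow:      %zu bytes\n", overflow_bytes(fixed_length_pass, cap, 5, 1));
    return 0;
}
```

With is_args set, the vulnerable pass allocates 5 bytes for a copy that writes 9, a 4-byte overrun; the fixed pass allocates 9 and the overrun is 0.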

Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t’s cleanup pointer (sprayed via POST bodies, since URI bytes can’t contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction. Read more about this bug in our technical write-up.

Affected & Fixed Versions

Product             Affected          Fixed in
NGINX Open Source   0.6.27 – 1.30.0   1.31.0, 1.30.1
NGINX Plus          R32 – R36         R36 P4, R35 P2, R32 P6

Full vendor advisory: https://my.f5.com/manage/s/article/K000160932

Usage

Tested on Ubuntu 24.04.3 LTS.

  • ./setup.sh — build the container.
  • docker compose -f env/docker-compose.yml up — start the vulnerable NGINX server.
  • python3 poc.py --shell — pop a shell.