Comment by danslo

21 hours ago

This one's pretty bad but there are some preconditions.

Requires a "rewrite" directive with a questionmark in the replacement string, and then a subsequent "set" directive that references a regex capture group (e.g. set $var $1).

Also the POC assumes ASLR is disabled.

7 comments

danslo

Reply
dsr_  20 hours ago

Does any distro disable ASLR by default?

If you were to do it by hand, nginx doesn't come to mind as a likely candidate.

  • Bender  18 hours ago

    Not the person you asked but I am not aware of any that disable ASLR by default, though most default to 1 which only enables ASLR for applications compiled to enable it vs 2 forcing it on or 3 on some distributions that use a hardened kernel. Rather than trusting any assumptions I prefer to run checksec [1] on every OS I touch. It's an old script but works just as well today as it did long ago. One may find that some applications are missing some basic hardening compile time options. The script is not an exhaustive test of all modern hardening options. Example of ASLR being forced on:

        # sysctl kernel.randomize_va_space
    kernel.randomize_va_space = 2

    Typical invocation:

        checksec.sh --proc-all

    This invocation will list the status of RELRO, Stack Canary, NX/PaX, PIE of all running daemons. My CachyOS installation for example is missing Stack Canaries for all daemons.

        checksec.sh --fortify-proc 732
    * Process name (PID)                         : sshd (732)
    * FORTIFY_SOURCE support available (libc)    : Yes
    * Binary compiled with FORTIFY_SOURCE support: N

    Some additional compile time hardening options [2] and discussion [3]. Even Rust apparently has some compile time security related options.

    [1] - https://news.ycombinator.com/item?id=43533516

codedokode  15 hours ago

I think "rewrite" is rarely used nowadays? Isn't it something from old days of PHP and Apache?