CVE-2022-41742 The NGINX Open Source versions before 1.23.2, 1.22.1, R2 P1, and R1 P1 have a vulnerability in the ngx_http_mp4_module module that might allow a local attacker to execute arbitrary code.

The attacker must be able to serve the malicious file to the victim via HTTP. The following example demonstrates the attack. In the following example, the attacker can trigger processing of a malicious MP4 file to obtain memory access, or to cause a worker process crash. stream type="audio/mp4;codecs=h264"> buffer size="1" duration="30" rate="1"> source src="/path/to/malicious/file.mp4" /> /buffer> /stream> In order to exploit the vulnerability, the attacker needs to be able to host a file via HTTP. An attacker can host a malicious MP4 file via HTTP by creating an HTTP server that responds to a specially crafted request with the mp4 directive. An example of vulnerable code is as follows. upstream worker { # When enabled, worker processes will spawn when receiving # a stream request. worker_processes on; } server { # When enabled, the server will accept stream requests. # The upstream directive specifies the location # of the worker process. upstream worker { # When enabled, worker processes will spawn when receiving # a stream request. worker_processes on; } } The attacker can trigger HTTP requests to the server to cause the server to accept the malicious MP4 file, as follows. upstream worker { # When enabled, worker processes will spawn when receiving # a stream request. worker_processes on; } server { # When enabled, the server will accept stream

Worker Processes and Memory Access

A vulnerability exists in the MP4 file parser of the Apache HTTP Server. The vulnerability allows an attacker to cause memory accesses or a worker process crash by sending specially crafted MP4 files to a victim.

Timeline

Published on: 10/19/2022 22:15:00 UTC
Last modified on: 11/23/2022 02:15:00 UTC

References