CVE CyberSecurity Database News

CVE-2024-7347 - Critical NGINX mp4 Module Vulnerability Explained (With Exploit Example)

Poster -

NGINX is the backbone of much of the web, powering millions of sites. But sometimes, even the best software stumbles. In March 2024, a new vulnerability—CVE-2024-7347—was found in NGINX’s ngx_http_mp4_module that could let attackers crash your web server using malicious MP4 files. This post breaks down CVE-2024-7347 in clear, simple terms, includes code snippets, shares references, and explains how the exploit works in real-world settings.

What is CVE-2024-7347?

CVE-2024-7347 is a memory over-read vulnerability affecting NGINX Open Source and NGINX Plus when they are compiled and configured with the ngx_http_mp4_module. This module allows you to serve media—like videos—in MP4 format, with advanced features such as seeking and progressive download.

If an attacker uploads or requests a crafted MP4 file, NGINX might read past the buffer it's supposed to, which often results in a worker crash. This is called a _Denial-of-Service (DoS)_ scenario because the web server process gets terminated, disrupting service.

Quick Facts

* Vulnerability: Memory over-read/DoS via malformed MP4.
* Module affected: ngx_http_mp4_module
* Exploit impact: Crash NGINX worker processes (no code execution).
* Conditions: NGINX must be compiled with the module and actually use the mp4 directive in configuration.
* Risk: Attackers can reliably kill your nginx workers with specific MP4 files.

How Does the Vulnerability Work?

The ngx_http_mp4_module processes MP4 files so users can seek to different positions in a video. To do this, it parses and modifies the video’s MP4 structure (known as "atoms" or "boxes").

If an attacker crafts an MP4 file where a certain atom header claims to be longer than the actual file size, NGINX trusts this value. When it tries to parse this fake atom, it might over-read past the intended buffer boundary, touching memory it shouldn’t. This over-read generally leads to a segmentation fault, crashing that particular worker.

Key point: No attacker-controlled code runs on the server, but the web service goes down (at least that worker) until it’s restarted.

You use the mp4 directive in your nginx.conf to serve MP4 files.

If you never use NGINX for video, you’re probably safe!

Sample NGINX Configuration

location /video/ {
    mp4;
    root /var/www/media;
}

*If your config has mp4; like above within a location block, you’re at risk.*

curl http://your-nginx.com/video/evil.mp4

And let’s say evil.mp4 has a malformed moov atom (the MP4 metadata chunk) reporting a bogus length. When NGINX parses it, it reads outside of the real data, hits invalid memory, and the process crashes.

Proof-of-Concept: Malicious MP4 Creation

To actually demonstrate the bug, a real MP4 binary is needed, beyond the scope of this post, but here’s pseudocode for the relevant exploit technique:

import struct

def create_evil_mp4():
    # MP4 atoms start with a 4-byte length and a 4-byte type
    # Let's lie about the size!
    f = open('evil.mp4', 'wb')
    # Write 'ftyp' atom (header)
    f.write(struct.pack(">I4s", 24, b'ftyp'))
    f.write(b'isom\x00\x00\x02\x00isomiso2')
    # Write 'moov' atom, length in header much larger than real body
    f.write(struct.pack(">I4s", xFFFFFFF, b'moov'))  # Absurdly large
    f.write(b'\x00' * 100)  # Not enough data
    f.close()

create_evil_mp4()
# NGINX parses /video/evil.mp4, overreads memory, crashes worker

NGINX Security Advisory:

NGINX CVE-2024-7347

CVE Database Entry:

CVE Details for CVE-2024-7347

Module Docs:

Official ngx_http_mp4_module

What Should You Do?

- 1. Patch First: If you use the MP4 module, update NGINX to the latest patched version (see official bulletins and package managers).
- 2. Remove the mp4 Directive: If you don’t need on-the-fly MP4 features, comment out or remove mp4; from your config.
- 3. Restrict Uploads: Don’t allow untrusted users to upload/serve video content through your server.

TL;DR

- CVE-2024-7347 lets people with access to your MP4 endpoint crash your NGINX worker with a purposely bad MP4 file.

Patch ASAP and check your configs!

Stay safe. And always keep your servers patched and your configs simple!


Want more? Dive into the NGINX Security Notices: https://nginx.org/en/security_advisories.html

Timeline

Published on: 08/14/2024 15:15:31 UTC
Last modified on: 08/20/2024 19:25:17 UTC