Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
danslo 6 hours ago

This one's pretty bad but there are some preconditions.

Requires a "rewrite" directive with a questionmark in the replacement string, and then a subsequent "set" directive that references a regex capture group (e.g. set $var $1).

Also the POC assumes ASLR is disabled.

argee 6 hours ago | parent | next [-]

Example: https://github.com/DepthFirstDisclosures/Nginx-Rift/blob/mai...

codedokode 38 minutes ago | parent | prev | next [-]

I think "rewrite" is rarely used nowadays? Isn't it something from old days of PHP and Apache?

dsr_ 6 hours ago | parent | prev [-]

Does any distro disable ASLR by default?

If you were to do it by hand, nginx doesn't come to mind as a likely candidate.

Bender 3 hours ago | parent [-]

Not the person you asked but I am not aware of any that disable ASLR by default, though most default to 1 which only enables ASLR for applications compiled to enable it vs 2 forcing it on or 3 on some distributions that use a hardened kernel. Rather than trusting any assumptions I prefer to run checksec [1] on every OS I touch. It's an old script but works just as well today as it did long ago. One may find that some applications are missing some basic hardening compile time options. The script is not an exhaustive test of all modern hardening options. Example of ASLR being forced on:

    # sysctl kernel.randomize_va_space
    kernel.randomize_va_space = 2
Typical invocation:

    checksec.sh --proc-all
This invocation will list the status of RELRO, Stack Canary, NX/PaX, PIE of all running daemons. My CachyOS installation for example is missing Stack Canaries for all daemons.

    checksec.sh --fortify-proc 732
    * Process name (PID)                         : sshd (732)
    * FORTIFY_SOURCE support available (libc)    : Yes
    * Binary compiled with FORTIFY_SOURCE support: N
Some additional compile time hardening options [2] and discussion [3]. Even Rust apparently has some compile time security related options.

[1] - https://www.trapkit.de/tools/checksec/ # some Linux repositories already contain "checksec".

[2] - https://best.openssf.org/Compiler-Hardening-Guides/Compiler-...

[3] - https://news.ycombinator.com/item?id=43533516