Worker processes are forked from the master, which means they receive the same memory layout. You get unlimited crashes against the worker. There's probably a way to exploit that to get a read oracle. At the very least this is a reliable denial of service.

Depth First's full writeup: https://depthfirst.com/research/nginx-rift-achieving-nginx-r...

jcalvinowens 6 hours ago | parent [-]

Sure, but I think the github README ought to make it more clear the POC as-is doesn't work against nginx on any current Linux distro.

▲

gavinsyancey 5 hours ago | parent | next [-]

So you're not vulnerable to script-kiddies running the published PoC. Still probably vulnerable to to a sufficiently-motivated attacker.

	▲	jcalvinowens 2 hours ago \| parent [-]
		I doubt it: aslr is not as easy to break on modern Linux as everyone in this thread wants to pretend it is. And anybody who actually cares so much about security that a compromised web frontend is the end of the world should be doing other things which would additionally mitigate this... I know they claimed they can bypass it: if that's true, they should publish it. The forking nature of nginx is uniquely bizarre and vulnerable, and I strongly suspect that's the only way they're pulling it off. I feel like that's the interesting thing here, not the buffer overrun.

▲

6 hours ago | parent | prev [-]

[deleted]