🚨 Hey, so that nginx RCE targeting instances with the unnamed rewrite rule?
-
Hey, so that nginx RCE targeting instances with the unnamed rewrite rule? => It's extremely common. That exact rule is the official recommended config from Yoast for their XML sitemaps on NGINX.
From their help page:
rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
This is copy-pasted verbatim by millions of WP sites running Yoast SEO (5+ million active installs) and also by sites using other SEO plugins that followed Yoast's lead. (1/3)
-
The EasyEngine tutorial, StackPointer, WPMU DEV, Stack Overflow, and the WordPress.org forums all reference this same pattern.
This can easily be chained with one (or both) of two recent and trivial-to-exploit local privilege escalation Linux vulns.
In the words of @krypt3ia :
we doomed.
HOWEVER: I threw together a small Bash script that tries to detect whether a given conf file or directory of nginx configs has vulnerable directives. You can find it at:
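The author's script is not reproduced here. What follows is an added example written for this page, not the author's code and not Yoast's: a POSIX sh scanner that walks a config file or a directory of nginx configs and prints every uncommented rewrite directive that hands a regex capture ($1, $2, ...) to index.php as query arguments, which is the shape of the Yoast sitemap rule quoted in the first post. The function names, the match pattern and the sample configs it writes (hostnames, paths, the extra "feed" rule) are constructed for the demo. The pattern is a heuristic for that shape, not a statement of what makes the rule exploitable, which the thread does not spell out, so treat each hit as something to review by hand.

```shell
#!/bin/sh
# Added example (not the thread author's script): flag nginx rewrite directives
# that hand a regex capture ($1, $2, ...) to index.php as query arguments, the
# shape of the Yoast sitemap rule quoted in the thread. Heuristic only: a hit
# is something to review, not proof of exploitability.

# Uncommented "rewrite" directive whose replacement contains "index.php?" and,
# somewhere after it (before the terminating ";"), a "$<digit>" capture
# reference. Comment lines start with "#", so "^[[:space:]]*rewrite" skips them.
RULE_RE='^[[:space:]]*rewrite[[:space:]]+[^;]*index\.php\?[^;]*\$[0-9]'

# scan_nginx_rewrites FILE|DIR ...
# Prints "file:line:directive" for each hit.
# Returns 0 when nothing matched, 1 when at least one directive matched.
scan_nginx_rewrites() {
    hits=$(
        for target in "$@"; do
            if [ -d "$target" ]; then
                # -L follows the symlinks a Debian-style sites-enabled/ uses.
                # /dev/null as an extra operand makes grep print filenames
                # even when find hands it a single file.
                find -L "$target" -type f \
                    \( -name '*.conf' -o -path '*/sites-enabled/*' -o -path '*/sites-available/*' \) \
                    -exec grep -nE "$RULE_RE" /dev/null {} + 2>/dev/null || true
            elif [ -f "$target" ]; then
                grep -nE "$RULE_RE" /dev/null "$target" 2>/dev/null || true
            fi
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample_configs DIR: writes constructed sample configs (not real site
# configs) so the scanner can be exercised offline.
make_sample_configs() {
    mkdir -p "$1/conf.d" "$1/sites-enabled"
    cat > "$1/conf.d/yoast.conf" <<'EOF'
server {
    listen 80;
    server_name wp.example.invalid;
    # Yoast's recommended NGINX sitemap rule, as quoted in the thread
    rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
    # no capture reaches index.php here, so this one is not flagged
    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
}
EOF
    cat > "$1/sites-enabled/other-plugin" <<'EOF'
server {
    listen 80;
    server_name other.example.invalid;
    # same shape from a hypothetical other plugin: capture passed into index.php
    rewrite ^/feed/([a-z]+)$ /index.php?feed=$1 last;
    # commented-out copy of the Yoast rule must not count
    # rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
    rewrite ^/old-page$ /new-page permanent;
}
EOF
    cat > "$1/conf.d/static.conf" <<'EOF'
server {
    listen 80;
    server_name static.example.invalid;
    rewrite ^/old-page$ /new-page permanent;
}
EOF
}

# Run directly: sh scan-nginx-rewrites.sh /etc/nginx
# Exit status 1 means something was flagged (usable from cron or a CI check).
if [ "$#" -gt 0 ]; then
    scan_nginx_rewrites "$@"
fi
```

Against the constructed sample tree the scanner reports two directives (the Yoast rule in conf.d/yoast.conf and the feed rule in sites-enabled/other-plugin), ignores the commented-out copy and the rule whose replacement carries no capture, and returns 0 for the static-only file. It only reads files nginx would load from conf.d/ or sites-enabled/; rules pulled in from elsewhere via include need to be passed explicitly.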
-
PRs/helpful suggestions/credit to it from skeezy cyber vendors who steal it and put it in their products without compensation is welcome/encouraged (3/3)
-
I still had a lingering nginx box with a legacy WP config (and un-upgradeable nginx) I had to find and fix, hence the script.
-
OH, and FWIW the White House runs WordPress on nginx and likely has a plugin running that causes the weak nginx rewrite rule to be needed.