Published: 15/09/2009 Updated: 19/12/2009
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 up to and including 0.5.37, 0.6.x prior to 0.6.39, 0.7.x prior to 0.7.62, and 0.8.x prior to 0.8.15 allows remote malicious users to execute arbitrary code via crafted HTTP requests.

Vulnerability Trend


#!/usr/bin/env python # # Exploit Title: nginx heap corruption # Date: 08/26/2010 # Author: aaron conole <apconole@yahoocom> # Software Link: nginxorg/download/nginx-0638targz # Version: <= 0638, <= 0761 # Tested on: BT4R1 running nginx 0638 locally # CVE: 2009-2629 # # note: this was written and tested against BT4 T ...

Github Repositories

Zero-day and N-day security vulnerability notes, analysis, and proof-of-concepts

Disclosures Zero-day and N-day security vulnerability notes, analysis, and proof-of-concepts List CVE-2009-2629: nginx http module Buffer Underflow Remote Code Execution Vulnerability Patch analysis, testcase, notes CVE-2013-0007: Microsoft XML Core Services 4-6 Use-after-free Vulnerability Vulnerability analysis, proof-of-concept exploit Phrack paper CVE-2014-4060: Microsoft W

Recent Articles

Osama’s home videos and The ‘Advertising’ Botnet
Securelist • Dmitry Bestuzhev • 08 May 2011

Yesterday the US government released some home videos of Osama Bin Laden in his Pakistani hideout. Screenshots from the video were used for malicious blackhat SEO via Google Images. Many legitimate nginx-based Web sites were attacked and exploited by taking advantage of the CVE-2009-2629 vulnerability. The compromised sites were injected with the following script:

It leads to a malicious .cc domain site with an exploit for the CVE-2010-1885 vulnerability (the same vulnerability used...