Alisa Esage

Nginx njs Exploitation (cancelled due to force majeure)

Abstract

Server-side software is the backbone of the Internet. Despite the omnipresence of this type of software system and the huge impact of its potential compromise, modern vulnerability research in this area is scarce. The web server industry specifically is highly consolidated, with just three software systems running nearly all of the Internet: Apache httpd, nginx, and Microsoft IIS. Even an N-day security vulnerability in just one of these systems can potentially lead to arbitrary code execution on millions of Internet servers at a privileged level.

All web server engines share a large common attack surface, based on several widely adopted internet protocols, common third-party software, and architectural primitives. The first part of this presentation will recap the dominant internet technologies and protocols, with an abstraction of the common attack surface of various web server engines and their common vulnerability classes.

The nginx web server powers around 1/3 of all servers on the Internet. It is the preferred web server engine of top-ranking sites and is steadily growing, thanks to being compact, robust, and fast, with a solid security record. The second part of this presentation will briefly discuss nginx architecture, certain interesting low-level properties, and known bugs.

The nginx JavaScript module (njs) is a relatively new and actively developed module whose purpose is to provide system administrators with additional flexibility in their web server configuration. As all incoming server requests are filtered through njs code, it opens an additional attack surface in nginx. The third part of this presentation will focus on njs: its architecture, vulnerability tendencies, and low-level primitives that may be useful in exploit development. This part will include a discussion of a few remote code execution bugs that were discovered by the author in early 2019.

Cancelled due to force majeure

BIO

Please stay tuned.