Alisa Esage

nginx njs exploitation

Abstract

Server-side software is the backbone of the Internet. Despite the omnipresence of this type of software system and the huge impact of its potential compromise, modern vulnerability research in this area is scarce. The web server industry specifically is highly consolidated, with just three software systems running nearly all of the internet: Apache httpd, nginx, and Microsoft IIS. Even an N-day security vulnerability in just one of these systems can potentially allow arbitrary code execution on millions of internet servers at a privileged level.

All web server engines share a large common attack surface, based on several widely adopted internet protocols, common third-party software, and architectural primitives. The first part of this presentation will recap the dominant internet technologies and protocols, with an abstraction of the common attack surface of various web server engines and their common vulnerability classes.

The nginx web server powers around 1/3 of all servers on the Internet. It is the preferred web server engine of top-ranking sites and is steadily growing, due to being compact, robust, and fast, with a solid security record. The second part of this presentation will briefly discuss nginx architecture, certain interesting low-level properties, and known bugs.

The nginx JavaScript module (njs) is a relatively new and actively developed module whose purpose is to provide system administrators with additional flexibility in their web server configuration. As all incoming server requests are filtered through njs code, it opens an additional attack surface in nginx software. The third part of this presentation will focus on njs: its architecture, vulnerability tendencies, and low-level primitives that may be useful in exploit development. This part will include a discussion of a few remote code execution bugs that were discovered by the author in early 2019.

BIO

Alisa Esage (Alisa Shevchenko) is a security vulnerability researcher and hacker, reverse engineer, and businesswoman. As a researcher, she specializes in target-invariant zero-day vulnerability discovery and exploit development, and low-level system internals.

Alisa has discovered numerous zero-day security bugs in a wide variety of modern software systems; was awarded security bounties by major software vendors (Microsoft, Google, Mozilla, Oracle, Schneider Electric); won an international hacking competition, "Critical Infrastructure Attack" ("Hack the smart city"); presented at several international security conferences; and wrote a Phrack article dedicated to the exploitation of a remote code execution vulnerability and undocumented internals of a Microsoft software component. Currently her research interests lie in the space of hypervisors, firmware, low-level hacking, and novel hardware architectures.

As an entrepreneur, Alisa has been playing with various business and non-profit ventures since 2009, and created the first hackerspace in Russia. She was featured in Forbes Russia as a young self-made entrepreneur in December 2015, and appeared in the Grazia UK magazine in January 2017.

Alisa publishes some of her technical Research Notes at: re.alisa.sh.