Gi7w0rm
Threat Intelligence Analyst | See my Linktree for other socials | In case I post false intel, contact me! Support me: https://t.co/5WgDqr0K8p 🇪🇺🇩🇪🇺🇦🌈

Apr 9, 2022, 10 tweets

#Nginx 1.18 exploit in the wild!

#infosec #0day #exploit

@campuscodi

Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission:

Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo around the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx

@_Blue_hornet Another Update containing a potential temporary #workaround has been pushed to Github just now.
Also confirming that #ldap-auth daemon is indeed vulnerable. Also mentioning that @Atlassian accounts are affected.

#0day #ldap #injection #nginx

@campuscodi So as this Tweet is getting some reach, some might be asking themselves how @_Blue_hornet operates.
@PogoWasRight did an interview with them around 6 days ago and I think it is worth a read :)

Link:
databreaches.net/an-interview-w…

@_Blue_hornet @Atlassian For those who want/need even more info, here is an internal message by ATW on this #exploit and its capabilities.
Seems ATW is unsure for now if it is an #LDAP issue or if it's only affecting #Nginx

Ok, as this tweet gets way more exposure than I am used to, please keep the following in mind:
Everything I share is based on claims by @_Blue_hornet .
I have not seen a PoC, I have not seen a successful exploitation and I do not know if any of this is true.
I do not warrant!

@_Blue_hornet @Atlassian So, in an unexpected turn of events @_Blue_hornet went dark.
They suggested it's forever.
I am unsure how to proceed now.
A lot of noise I willingly shared as I trusted in them and now this.
For the time being, I will quote my tweet from before:

So it seems @_Blue_hornet has updated the Github Repo several times since my last tweet.
Nothing too important in my eyes, but mentioning it just in case:
github.com/AgainstTheWest…

At least shows that he/they are still maintaining the Repo :)

As several people have pointed out, it seems @nginx has released an article about the vulnerability described above. The article points out ways to mitigate and states that ONLY THE #Nginx REFERENCE IMPLEMENTATION IS AFFECTED.

nginx.com/blog/addressin…

#nginxday #0day
