Nginx UI Backup Tampering Vulnerability Allowing Malicious Configuration Injection

Vulnerability

A vulnerability in Nginx UI's backup restore mechanism in versions prior to 2.3.4 allows an attacker who holds a backup archive and its security token to alter the encrypted contents and inject malicious configuration during restoration. The backup format has no trusted integrity root: the only integrity reference is a 'hash_info.txt' file of plain SHA-256 hashes stored inside the archive itself, so anyone who can rewrite the archive can also rewrite the hashes, and the modification goes undetected. In certain configurations the injected configuration leads to arbitrary command execution on the host.

Impact

Successful exploitation can result in unauthorized configuration changes, backdoors inserted into the managed Nginx configuration, arbitrary command execution through manipulated settings, and full compromise of the Nginx UI instance and the host it runs on.

Reproduction

To reproduce the issue, first generate a backup from Nginx UI. Extract the backup to obtain the 'nginx-ui.zip' archive, which contains the 'hash_info.txt' file and the encrypted backup files. Decrypt the archive with the backup security token returned in the response headers when the backup was created. Edit the decrypted 'app.ini' so that a setting carries a malicious command, for example one that spawns a bash shell. Re-encrypt the modified files and rewrite 'hash_info.txt' with the new SHA-256 hashes so they match the tampered contents. Upload the tampered backup through the Nginx UI restore interface. Because the only integrity reference is the attacker-rewritten 'hash_info.txt', any integrity warning is not enforced, the restore proceeds, the injected configuration is applied, and the injected command runs on the host. Note that this requires the backup security token and access to the restore interface; a plain hash check cannot tell a legitimately re-created backup from a tampered one.

Remediation

Users are advised to update to Nginx UI version 2.3.4 or later, where this vulnerability has been patched. Until the update is applied, treat a backup restore as equivalent to executing whatever the archive contains: restore only backups you created yourself and stored where nobody else could modify them, and keep the backup security token as confidential as an administrator credential.

Added: Mar 30, 2026, 8:22 PM
Updated: Mar 30, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact         10.0
exploitability  5.2
remediation     7.7
relevance       4.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.