Nginx Privilege Escalation Vulnerability on Debian-based Linux

22/11/2016 13:25:05

Summary

DESCRIPTION

On November 15th, 2016, Dawid Golunski discovered a privilege escalation vulnerability (CVE-2016-1247) in Nginx. Because Nginx creates its log directories with insecure permissions, a malicious local attacker can exploit the vulnerability to escalate privileges from the Nginx/web user (www-data) to root. The Nginx web server packages on Debian-based distributions such as Debian and Ubuntu are affected.

VULNERABILITY EXPLOITATION

First, attackers must gain access to the www-data account, and then use scripts to replace the log files with malicious files. When the Nginx daemon re-opens the log files, attackers can escalate privileges to root.

The following information will display if the vulnerability is successfully exploited:

[Screenshot: blob.png]

Based on analysis results, this vulnerability can be easily exploited by attackers who have gained access to the www-data account and have waited for the Nginx daemon to re-open the log files. The exploit waits for the Nginx server to be restarted or to receive a USR1 signal. However, the Nginx daemon is sent a USR1 signal at 6:25am every day by the logrotate script, which calls the do_rotate() function, as shown by the last line in the above picture. Thus, attackers can get a root shell automatically within 24 hours at most just by letting the exploit run until 6:25am.

IMPACTS

After compromising a web application hosted on an Nginx server, attackers can take advantage of this vulnerability to escalate from the default privilege (www-data) to root and so take full control of the system.

SYSTEMS AFFECTED

All versions are affected except the following versions and later versions:

Debian: Fixed in Nginx 1.6.2-5+deb8u3

Ubuntu: Fixed in the following Nginx versions: 

Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3

Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6

Ubuntu 16.10: 1.10.1-0ubuntu1.1

Solution

This vulnerability has been published in the official security announcements of Debian and Ubuntu. Therefore, you can perform a system update to bring Nginx to the latest version:

    https://www.debian.org/security/2016/dsa-3701 

    https://www.ubuntu.com/usn/usn-3114-1/
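
After updating, an administrator can confirm that the log directory no longer has the insecure permissions described above. The following check is an added example, not code from the advisory or from the Nginx packages; the function name audit_logdir, the path /var/log/nginx and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an Nginx log directory for the
# insecure-permission condition that CVE-2016-1247 depends on.
# Assumptions: GNU stat (Debian/Ubuntu); /var/log/nginx is the usual log path.
# Usage: audit_logdir /var/log/nginx www-data

# Prints one line per finding; returns the number of findings
# (0 = clean, 255 = directory missing).
audit_logdir() {
    dir=$1
    webuser=$2
    findings=0

    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 255; }

    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")

    # The web user owning the directory can remove and recreate entries in it.
    if [ "$owner" = "$webuser" ]; then
        echo "FINDING: $dir is owned by $webuser (mode $mode)"
        findings=$((findings + 1))
    fi

    # World-writable: the last octal digit has the write bit set.
    case "$mode" in
        *[2367])
            echo "FINDING: $dir is world-writable (mode $mode)"
            findings=$((findings + 1))
            ;;
    esac

    # Log entries should be plain regular files; anything else deserves
    # investigation before the daemon next re-opens its logs.
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob (empty dir)
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FINDING: $f is not a regular file"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}
```

A return value of 0 means none of the three conditions were found; any finding on a patched system should be investigated before the next 6:25am log rotation.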

REFERENCE

Legalhackers advisory:

    http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

COPYRIGHT © 2000-2017 SANGFOR TECHNOLOGIES CO., LTD. ALL RIGHTS RESERVED.