On November 15th, 2016, Dawid Golunski discovered that there is privilege escalation vulnerability (CVE-2016-1247) in Nginx. When Nginx creates log directories with insecure permissions, the vulnerability may be exploited by malicious local attackers to escalate their privileges from Nginx/Web user(www-data) to root. Nginx web server package on Debian-based distributions such as Debian or Ubuntu will be affected.
First, attackers must gain access to www-data account, and then use scripts to replace the log files with malicious files. When Nginx daemon re-opens the log files, attackers can escalate privileges to root.
The following information will display if the vulnerability is successfully exploited:
Based on analysis results, this vulnerability could be easily exploited by attackers who have gained access to www-data account and have waited for Nginx daemon to re-open the log files. The exploit waits for Nginx server to be restarted or receive a USR1 signal. However, the fact is that Nginx will send USR1 signal at 6:25am every day through logrotate script which calls do_rotate() function, as shown by the last line in the above picture. Thus, attackers can get a root shell automatically in 24h at most just by letting the exploit run till 6:25am.
After attacking a web application hosted on Nginx server, attackers can take advantage of this vulnerability to escalate default privilege(www-data) to root, so as to fully control the system.
Except the following versions and later versions, all other versions have been affected:
Debian: Fixed in Nginx 1.6.2-5+deb8u3
Ubuntu: Fixed in the following Nginx versions:
Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
Ubuntu 16.10: 1.10.1-0ubuntu1.1
This vulnerability has been publicized in official security announcements of Debian and Ubuntu. Therefore, you can perform system updates to update Nginx to the latest version: