Nginx Local Privilege Escalation Vulnerability Technical Analysis and Solution

On November 15, 2016 (local time), legalhackers.com released an advisory about a privilege escalation vulnerability, assigned CVE-2016-1247, found in the Nginx server. Nginx web server packaging on Debian-based distributions, such as Debian or Ubuntu, was found to allow creating log directories with insecure permissions. Attackers could exploit this security issue to escalate their privileges from Nginx/web user to root. For details, click the following link: http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

What Is Nginx?

Nginx (pronounced “engine x”) is a web server. It can act as a reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer and an HTTP cache. Nginx was originally developed to fill the needs of large web portals and the search engine Rambler in Russia. Released under the terms of a BSD-like license, Nginx runs on such operating systems as UNIX, GNU/Linux, BSD, Mac OS X, Solaris, and Microsoft Windows. (Translated from an article about Nginx on https://zh.wikipedia.org/wiki/Nginx.)

Vulnerability Verification

Following is the PoC code written by Dawid Golunski.

Vulnerable and Fixed Packages

  1. Debian
Figure 1 Vulnerable and fixed Debian packages


  2. Ubuntu

Ubuntu has fixed the following versions:

Figure 2 Fixed Ubuntu versions


Vulnerability Analysis

After installation, the Nginx package creates the Nginx log directory (…/log/nginx) with user permissions rather than root-only permissions. As a result, attackers can manipulate files in this directory while the system is running. Permissions for this directory are shown in the following figure.

Figure 3 Permissions for the /log/nginx directory


With user permissions for the /log/nginx directory, local users can replace log files in this directory with a symlink to an arbitrary file. In addition, Nginx writes to whatever file a log path links to when it restarts or receives a USR1 process signal. Together, these allow attackers to escalate their privileges.

After replacing log files with a symlink, attackers need to wait for the Nginx daemon to reopen these log files. For this to happen, Nginx needs to be restarted or the daemon needs to receive a USR1 process signal.

However, on a Debian-based system, the USR1 signal is sent automatically through the logrotate script that calls the do_rotate() function.

Figure 4 logrotate script


Figure 5 do_rotate() function


The logrotate script is executed on default system installations at 6:25 a.m. every day.

Figure 6 Scheduled task


Therefore, attackers can escalate their privileges within 24 hours. Following is an analysis of the PoC. Parameters are set as follows:

Figure 7 Parameters in the PoC


The program first checks whether the path to error.log typed by the user is correct.

Figure 8 Check of the path to error.log


Compile the privilege escalation file as follows:

Figure 9 Compilation of the privilege escalation file


Prepare the backdoor shell:

Figure 10 Backdoor shell


Delete error.log and create a symlink to point to /etc/ld.so.preload:

Figure 11 Creation of a symlink


After all is ready, wait for error.log to reopen.

Figure 12 Wait for error.log to reopen


Change access permissions for /etc/ld.so.preload:

Figure 13 Change of permissions for /etc/ld.so.preload


Escalate privileges via the SUID binary:

Figure 14 Privilege escalated via SUID


Check for the rootshell:

Figure 15 Check for the rootshell


Execute the rootshell:

Figure 16 Execution of the rootshell


The final execution result is as follows:

Figure 17 Execution result


Key points for triggering the vulnerability:

  1. The /var/log/nginx directory is owned by a non-root user who has the write permission.
  2. The PoC needs to write to the /etc/ld.so.preload file, so the write permission for this file is required.
Figure 18 Write of privilege escalation functions into /etc/ld.so.preload


Figure 19 Execution failure caused by inability to write /etc/ld.so.preload
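
A defensive check for the conditions described above, as an added example that is not code from the advisory or the PoC: it reports a log directory owned by an untrusted account or writable by everyone, and any log entry that is a symbolic link. The function names, the `trusted_uids` parameter and the sample directory are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def audit_nginx_log_dir(log_dir, trusted_uids=(0,)):
    """Return (check, path, detail) findings for an Nginx log directory."""
    findings = []
    st = os.stat(log_dir)
    # Condition 1 from the list above: the directory belongs to a non-root
    # account, so that account can delete and recreate entries inside it.
    if st.st_uid not in trusted_uids:
        findings.append(("untrusted-dir-owner", log_dir, "uid=%d" % st.st_uid))
    if st.st_mode & stat.S_IWOTH:
        mode = oct(stat.S_IMODE(st.st_mode))
        findings.append(("world-writable-dir", log_dir, mode))
    # A log entry that is a symlink decides which file the daemon writes to
    # the next time it reopens its logs (restart or USR1 from logrotate).
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.islink(path):
            findings.append(("symlinked-log", path, os.path.realpath(path)))
    return findings


def build_sample_dir():
    """Constructed sample: error.log is a symlink to a stand-in file."""
    base = tempfile.mkdtemp(prefix="nginx-audit-")
    log_dir = os.path.join(base, "log", "nginx")
    os.makedirs(log_dir)
    open(os.path.join(log_dir, "access.log"), "w").close()
    os.symlink(os.path.join(base, "preload-standin"),
               os.path.join(log_dir, "error.log"))
    return log_dir


if __name__ == "__main__":
    sample = build_sample_dir()
    for check, path, detail in audit_nginx_log_dir(sample):
        print("%-20s %s -> %s" % (check, path, detail))
```

On a host, pass the real log directory (for example `/var/log/nginx`) and keep the default `trusted_uids=(0,)`; an empty result means none of the three conditions was found.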


Vendor Solutions

Debian and Ubuntu have fixed this vulnerability. Users are advised to upgrade to a version not affected by this vulnerability. Download links are as follows:

  • Debian

Nginx package

https://sources.debian.net/src/nginx/

  • Ubuntu 16.10

Nginx package 1.10.1-0ubuntu1.1

https://launchpad.net/ubuntu/+source/nginx/1.10.1-0ubuntu1.1

  • Ubuntu 16.04 LTS

Nginx package 1.10.0-0ubuntu0.16.04.3

https://launchpad.net/ubuntu/+source/nginx/1.10.0-0ubuntu0.16.04.3

  • Ubuntu 14.04 LTS

Nginx package 1.4.6-1ubuntu3.6

https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.6

Recommended Solutions

  • Products

  • Use the emergency vulnerability detection service of NSFOCUS Cloud by downloading the detection script to check the vulnerability. The service is available at the following link:

https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?service_id=1026

  • Authorize NSFOCUS RSAS to check services.
  • Services

  • Short-term service: Contact NSFOCUS engineers for onsite handling (penetration testing + emergency response) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. After the handling, an event analysis report is provided.
  • Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services to eradicate risks and prevent events from recurring.
  • Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).

Statement

==========

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

============

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

http://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.
