oss-sec mailing list archives
Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE]
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Fri, 13 Jan 2017 15:00:36 +0100
On 13/01/17 10:35, Dawid Golunski wrote:
Attackers who have managed to replace the log file with a symlink would have to wait for nginx daemon to re-open the log files. For this to happen nginx service needs to be restarted, or the daemon needs to receive a USR1 process signal. However, the USR1 is sent automatically on default installations of Debian-based systems through logrotate script which calls do_rotate() function as can be seen in the files quoted below: --------[ /etc/logrotate.d/nginx ]-------- /var/log/nginx/*.log { daily missingok rotate 52 compress delaycompress notifempty create 0640 www-data adm sharedscripts prerotate if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi \ endscript postrotate invoke-rc.d nginx rotate >/dev/null 2>&1 endscript } ------------------------------------------
This looks to me like an issue on the logrotate side rather than on the nginx one.. If I have: /var/log/nginx/error.log -> /etc/ld.so.preload Why does logrotate "create 0640 www-data adm" over /var/log/nginx/error.log removes and creates /etc/ld.so.preload ??? That is shocking! It should do that on /var/log/nginx/error.log, by removing that symlink and creating a new empty standard file on /var/log/nginx/error.log !! Dont you agree??
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Dawid Golunski (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Carlos Alberto Lopez Perez (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Daniel Kahn Gillmor (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Thomas Deutschmann (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Carlos Alberto Lopez Perez (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Thomas Deutschmann (Jan 13)
- Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE] Carlos Alberto Lopez Perez (Jan 13)