Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE]

[Carlos Alberto Lopez Perez <clopez () igalia com>]

On 13/01/17 10:35, Dawid Golunski wrote:
> Attackers who have managed to replace the log file with a symlink would
> have to wait for nginx daemon to re-open the log files. 
> For this to happen nginx service needs to be restarted, or the daemon needs
> to receive a USR1 process signal. 
>
> However, the USR1 is sent automatically on default installations of 
> Debian-based systems through logrotate script which calls do_rotate() 
> function as can be seen in the files quoted below:
>
>
> --------[ /etc/logrotate.d/nginx ]--------
>
> /var/log/nginx/*.log {
>       daily
>       missingok
>       rotate 52
>       compress
>       delaycompress
>       notifempty
>       create 0640 www-data adm
>       sharedscripts
>       prerotate
>               if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
>                       run-parts /etc/logrotate.d/httpd-prerotate; \
>               fi \
>       endscript
>       postrotate
>               invoke-rc.d nginx rotate >/dev/null 2>&1
>       endscript
> }
>
> ------------------------------------------

This looks to me like an issue on the logrotate side rather than on the nginx one..

If I have:

/var/log/nginx/error.log -> /etc/ld.so.preload

Why does logrotate "create 0640 www-data adm" over /var/log/nginx/error.log
removes and creates /etc/ld.so.preload ??? That is shocking!

It should do that on /var/log/nginx/error.log, by removing that symlink
and creating a new empty standard file on /var/log/nginx/error.log !!

Dont you agree??

Attachment: signature.asc
Description: OpenPGP digital signature