oss-sec mailing list archives
Re: Nginx (Debian-based + Gentoo distros) - Root Privilege Escalation [CVE-2016-1247 UPDATE]
From: Thomas Deutschmann <whissi () gentoo org>
Date: Fri, 13 Jan 2017 20:55:42 +0100
On 2017-01-13 19:26, Carlos Alberto Lopez Perez wrote:
> /me happy to know that logrotate has a sane behaviour and avoids trying to rotate symlinks.
But don't forget hardlinks ...
> So the issue is that when in var/log/nginx/ there are standard logs (non symlinked) that need to be rotated (apart from the malicious symlinked one), then logrotate will rotate those ones, finally running the post-rotate script that sends SIGUSR1 to the nginx pid.
Just to be sure that we don't misunderstand each other: Dawid's advisory only uses logrotate because this is present on most servers and guarantees privilege escalation at a given time which makes it easier to understand. But escalation happens via nginx master process which is running as root and changes owner of existing files. Without logrotate you can still exploit any system when you can write to the directory used by nginx for storing log files (and don't forget your vhosts!). The attacker only has to wait an undefined amount of time, i.e. for anyone causing nginx to chown files again. On systems running nginx it is not the question *if* it will happen but only *when*.

--
Regards,
Thomas Deutschmann
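A defender-side check for the condition discussed in this message, as an added example that is not part of the original thread: it lists symlinks and hard-linked files in a log directory and flags a directory that an account outside `trusted_uids` owns or that is group- or world-writable. The function names, the constructed sample tree and the policy of trusting only root by default are assumptions of the example.

```python
import os
import stat
import tempfile


def audit_log_dir(log_dir, trusted_uids=(0,)):
    """Return (kind, path) findings for a directory a root daemon logs into."""
    findings = []
    d = os.lstat(log_dir)
    # Anyone who can create entries here chooses what the root process touches.
    if d.st_uid not in trusted_uids:
        findings.append(("dir-untrusted-owner", log_dir))
    if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir-group-or-world-writable", log_dir))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)  # lstat: inspect the entry itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append(("symlink", path))
        elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            # The inode has another name somewhere; a symlink check misses this.
            findings.append(("hardlink", path))
    return findings


def build_sample(base):
    """Constructed sample tree: one plain log, one symlink, one hard link."""
    log_dir = os.path.join(base, "log")
    other = os.path.join(base, "other")
    os.mkdir(log_dir)
    os.mkdir(other)
    os.chmod(log_dir, 0o755)
    target = os.path.join(other, "target")
    for p in (os.path.join(log_dir, "access.log"), target):
        open(p, "w").close()
    os.symlink(target, os.path.join(log_dir, "error.log"))
    os.link(target, os.path.join(log_dir, "vhost.log"))
    return log_dir


if __name__ == "__main__":
    # Demo run against the constructed tree; the current user stands in for root.
    with tempfile.TemporaryDirectory() as base:
        for kind, path in audit_log_dir(build_sample(base), (os.getuid(),)):
            print(kind, path)
```

On a real host, call `audit_log_dir` on each directory named in an `access_log` or `error_log` directive, including those set per vhost.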