Date: Fri, 13 Jan 2017 16:02:22 +0100
From: Thomas Deutschmann <whissi@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: Nginx (Debian-based + Gentoo distros) - Root
 Privilege Escalation [CVE-2016-1247 UPDATE]

Hi,

Carlos Alberto Lopez Perez wrote:
>> --------[ /etc/logrotate.d/nginx ]--------
>>
>> /var/log/nginx/*.log {
>> 	daily
>> 	missingok
>> 	rotate 52
>> 	compress
>> 	delaycompress
>> 	notifempty
>> 	create 0640 www-data adm
>> 	sharedscripts
>> 	prerotate
>> 		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
>> 			run-parts /etc/logrotate.d/httpd-prerotate; \
>> 		fi \
>> 	endscript
>> 	postrotate
>> 		invoke-rc.d nginx rotate >/dev/null 2>&1
>> 	endscript
>> }
>>
>> ------------------------------------------
> 
> This looks to me like an issue on the logrotate side rather than on the nginx one..
> 
> If I have:
> 
> /var/log/nginx/error.log -> /etc/ld.so.preload
> 
> Why does logrotate "create 0640 www-data adm" over /var/log/nginx/error.log
> remove and create /etc/ld.so.preload ??? That is shocking!
> 
> It should do that on /var/log/nginx/error.log, by removing that symlink
> and creating a new empty standard file on /var/log/nginx/error.log !!
> 
> Don't you agree??

No, please read the advisory again.

Please notice that logrotate doesn't do some magic. The config tells
logrotate to do that (logrotate itself BTW ignores symlinked files since
v3.8.2 [1]).

It is important to understand that logrotate is only used in that
example to trigger nginx behavior. An attacker could also just wait for
the system administrator to do similar actions with nginx (just a
question of time).

So the real "problem" is that the nginx master process runs as root and
will change ACLs of existing files which allows a user to escalate
privileges if that user can create files nginx will touch.

See https://trac.nginx.org/nginx/ticket/376 for more details.

Now, given that multiple maintainers created the same problem, one could
argue that such a change in permissions is unexpected. Nevertheless it
is documented, so I don't blame upstream.


See also:
=========
[1]
https://github.com/logrotate/logrotate/commit/9f19aba75079a61a913eb06748cf9aa83802c24c


-- 
Regards,
Thomas Deutschmann
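The point made above (a root process that opens a log by path and then chown/chmods that path will follow an attacker-planted symlink, so the attacker ends up owning whatever the link targets) can be reproduced without root and without nginx. The script below is an added example written for this page, not code from the thread, from nginx or from logrotate. It builds a constructed lab under a temporary directory, plants a symlink where the "log" should be, and runs two reopen routines: an unsafe one that mirrors the problematic pattern with chmod standing in for chown, and a hardened one that refuses symlinks via O_NOFOLLOW and operates on the file descriptor instead of the path. The directory check at the end is the precondition the mail names (the worker user being able to create files in the log directory). Function names, the lab layout and the stand-in file names are illustrative assumptions.

```python
import errno
import os
import stat
import tempfile


def make_lab():
    """Constructed lab, not a real system: a log dir, a stand-in for
    /etc/ld.so.preload, and an attacker-planted symlink error.log -> target."""
    root = tempfile.mkdtemp(prefix="nginx-reopen-lab-")
    logdir = os.path.join(root, "var_log_nginx")
    os.mkdir(logdir)
    target = os.path.join(root, "etc_ld.so.preload")  # stands in for /etc/ld.so.preload
    with open(target, "w"):
        pass
    os.chmod(target, 0o644)
    logpath = os.path.join(logdir, "error.log")
    os.symlink(target, logpath)  # what the unprivileged worker user can do
    return root, logdir, logpath, target


def reopen_log_unsafe(path, mode=0o640):
    """Mirrors the problematic pattern: open by path, then fix permissions by
    path. open() and chmod() both follow symlinks, so the permission change
    lands on the link target, not on the log file the operator intended.
    (The real issue is a chown to the worker user; chmod is used here so the
    demo runs unprivileged, the symlink semantics are identical.)"""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o644)
    os.close(fd)
    os.chmod(path, mode)  # follows the symlink
    return True


def reopen_log_safe(path, mode=0o640):
    """Hardened pattern: refuse a symlink at the final path component and
    change permissions through the descriptor, so the object we opened is the
    object we modify. Returns False when the reopen was refused."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, 0o644)
    except OSError as e:
        # Linux reports ELOOP, some BSDs EMLINK, when the last component is a symlink
        if e.errno in (errno.ELOOP, errno.EMLINK):
            return False
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False
        os.fchmod(fd, mode)  # acts on the open descriptor, never on a path
    finally:
        os.close(fd)
    return True


def target_mode(target):
    """Permission bits of the stand-in /etc/ld.so.preload."""
    return stat.S_IMODE(os.stat(target).st_mode)


def worker_can_create_files(logdir, worker_uid, worker_gid):
    """The precondition from the mail: can the (unprivileged) worker user plant
    files in the log directory? True if the worker owns it, or it is writable
    by the worker's group or by everyone."""
    st = os.stat(logdir)
    if st.st_uid == worker_uid:
        return True
    if st.st_gid == worker_gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    _, logdir, logpath, target = make_lab()
    print("before:", oct(target_mode(target)))
    reopen_log_unsafe(logpath)
    print("after unsafe reopen:", oct(target_mode(target)))  # target changed
    _, logdir, logpath, target = make_lab()
    print("safe reopen refused:", not reopen_log_safe(logpath))
    print("target untouched:", oct(target_mode(target)))
    print("worker can plant files:", worker_can_create_files(logdir, os.getuid(), os.getgid()))
```

The unsafe routine changes the mode of the stand-in target because every call works on the path; the hardened routine fails closed on the symlink and leaves the target alone. On a real host the durable fix is the directory check: if the log directory is owned by root and not writable by the worker user, the symlink can never be planted, whatever the reopen code does.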