Attackers are able to escalate their privileges and compromise the system as a result

Security researcher Dawid Golunski states that a vulnerability in nginx (CVE-2016-1247) allows local attackers to obtain root privileges on the system.

Intruders who have managed to compromise an application hosted on an nginx server and gained access to the www-data account can easily exploit this vulnerability. Attackers can escalate their privileges, obtain root privileges and compromise the system as a result.

The nginx web server installed from the default repositories on Debian-based distributions (Debian, Ubuntu, etc.) creates its logs in the following directory, with the following permissions:

root@xenial:~# ls -ld /var/log/nginx/

drwxr-x--- 2 www-data adm 4096 Nov 12 22:32 /var/log/nginx/

root@xenial:~# ls -ld /var/log/nginx/*

-rw-r----- 1 www-data adm  0 Nov 12 22:31 /var/log/nginx/access.log

-rw-r--r-- 1 root     root 0 Nov 12 22:47 /var/log/nginx/error.log

As the /var/log/nginx directory is owned by www-data, attackers who have compromised the nginx server and an nginx-hosted application can replace the log files with a symlink to an arbitrary file. When the server starts or restarts, the logs are written to the file the symlink points to. As a result, attackers obtain root privileges.
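A defensive check for the condition described above, as an added example that is not from the advisory or the nginx packages: the function name audit_log_dir and its trusted-UID parameter are assumptions. It flags a log directory not owned by the trusted account, a group- or world-writable directory (a generalization beyond the case on this page), and any symlink sitting where a log file is expected.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of nginx or the advisory).
# Usage: audit_log_dir DIR [TRUSTED_UID]   TRUSTED_UID defaults to 0 (root).
# Prints one line per finding and returns the number of findings.
audit_log_dir() {
    dir=$1
    trusted_uid=${2:-0}
    findings=0

    # The log directory itself must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FINDING: $dir is not a real directory"
        return 1
    fi

    # Numeric owner is the third field of `ls -ldn`.
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    if [ "$owner" != "$trusted_uid" ]; then
        echo "FINDING: $dir is owned by uid $owner, expected uid $trusted_uid"
        findings=$((findings + 1))
    fi

    # A group- or world-writable directory lets other accounts swap files too.
    perms=$(ls -ldn "$dir" | awk '{print $1}')
    case $perms in
        d????w*|d???????w*)
            echo "FINDING: $dir is group- or world-writable ($perms)"
            findings=$((findings + 1))
            ;;
    esac

    # Any symlink in the directory is suspect, including dangling ones.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$entry" ] || continue
        echo "FINDING: $entry is a symlink to $(readlink "$entry")"
        findings=$((findings + 1))
    done

    return "$findings"
}

# Run directly as: sh audit.sh /var/log/nginx
if [ "$#" -gt 0 ]; then
    audit_log_dir "$@"
fi
```
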

Nginx is the world’s third most popular web server and mail proxy server running on Unix-like operating systems. According to Netcraft, as of November last year, the number of websites served by nginx exceeded 200 million. Nginx is used by many sites such as VKontakte, Facebook, Instagram, Mail.ru, etc.
