Attackers are able to escalate their privileges and compromise the system as a result
Intruders who have managed to compromise an application hosted on nginx server and gained access to www-data account can easily exploit this vulnerability. Attackers can escalate their privileges, obtain root privileges and compromise the system as a result.
Nginx web server installed from default repositories on Debian-based distributions (Debian, Ubuntu, etc.) creates a system log in the following directory and with the following permissions:
[email protected]:~# ls -ld /var/log/nginx/
drwxr-x— 2 www-data adm 4096 Nov 12 22:32 /var/log/nginx/
[email protected]:~# ls -ld /var/log/nginx/*
-rw-r—– 1 www-data adm 0 Nov 12 22:31 /var/log/nginx/access.log
-rw-r–r– 1 root root 0 Nov 12 22:47 /var/log/nginx/error.log
As the /var/log/nginx directory is owned by www-data, the attackers who have hacked into nginx server and nginx-hosted application can replace the log files with a symlink to an arbitrary file. Upon the server startup / restart, the logs would be written to the file pointed to by the symlink. As a result, attackers obtain root privileges.
Nginx is the world’s third most popular web server and mail proxy server running on Unix-like operating systems. According to Netcraft, as of November last year, the number of websites served by nginx exceeds 200 million. Nginx is used by many resources such as VKontake, Facebook, Instagram, Mail.ru, etc.