Nginx Privilege Escalation Vulnerability on Debian-based Linux

  • Source: Sangfor Security Center
  • Date Published: 2016-11-22



    On November 15th, 2016, Dawid Golunski discovered a privilege escalation vulnerability (CVE-2016-1247) in Nginx. When Nginx creates log directories with insecure permissions, a malicious local attacker may exploit the vulnerability to escalate privileges from the Nginx/web user (www-data) to root. The Nginx web server package on Debian-based distributions such as Debian or Ubuntu is affected.


    First, an attacker must gain access to the www-data account and then use a script to replace the log files with malicious files. When the Nginx daemon re-opens the log files, the attacker can escalate privileges to root.

    The following information will display if the vulnerability is successfully exploited:


    Based on the analysis results, this vulnerability can be easily exploited by an attacker who has gained access to the www-data account and waits for the Nginx daemon to re-open the log files. The exploit waits for the Nginx server to be restarted or to receive a USR1 signal. In practice, a USR1 signal is sent to Nginx at 6:25am every day by the logrotate script, which calls the do_rotate() function, as shown by the last line in the above picture. Thus, an attacker can get a root shell automatically within 24 hours at most just by letting the exploit run until 6:25am.


    After attacking a web application hosted on an Nginx server, an attacker can take advantage of this vulnerability to escalate from the default privilege (www-data) to root and so fully control the system.
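
    A defensive check for the condition described above, as an added example that is not part of the original advisory or of the Nginx or Debian packages: it reports whether the web account can replace entries in a log directory and whether the directory already holds anything other than regular files. The path /var/log/nginx and the helper name audit_log_dir are assumptions; www-data is the account named in the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumed defaults: /var/log/nginx
# and www-data; audit_log_dir is a hypothetical helper name.
# Returns 0 = no finding, 1 = finding(s), 2 = DIR is not a real directory.
audit_log_dir() {
    dir=$1
    user=$2
    rc=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "ERROR: $dir is not a real directory"
        return 2
    fi
    # The owner controls which entries exist in the directory.
    if [ -n "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "FINDING: $dir is owned by $user"
        rc=1
    fi
    # World-writable: any local account can replace entries.
    if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "FINDING: $dir is world-writable"
        rc=1
    fi
    # Group-writable through one of the account's groups.
    for gid in $(id -G "$user" 2>/dev/null); do
        if [ -n "$(find "$dir" -prune -group "$gid" -perm -0020 2>/dev/null)" ]; then
            echo "FINDING: $dir is writable by $user via gid $gid"
            rc=1
        fi
    done
    # Log directories should hold only regular files and subdirectories;
    # anything else (for example a symlink) needs investigation.
    odd=$(find "$dir" ! -type f ! -type d 2>/dev/null || true)
    if [ -n "$odd" ]; then
        echo "FINDING: non-regular entries under $dir:"
        echo "$odd"
        rc=1
    fi
    return "$rc"
}

# Audit the assumed defaults only when invoked as: script --run [DIR] [USER]
if [ "${1:-}" = "--run" ]; then
    audit_log_dir "${2:-/var/log/nginx}" "${3:-www-data}"
fi
```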


    All versions are affected except the following versions and later:

    Debian: Fixed in Nginx 1.6.2-5+deb8u3

    Ubuntu: Fixed in the following Nginx versions: 

        Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3

        Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6

        Ubuntu 16.10: 1.10.1-0ubuntu1.1



    This vulnerability has been published in the official security announcements of Debian and Ubuntu. You can therefore perform a system update to bring Nginx to the latest version:


    Legalhackers advisory: