
PoC Exploit for Nginx packaging on Debian-based distros [video] - dawid_golunski
https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
======
rlpb
This was fixed in Ubuntu in October:
[https://www.ubuntu.com/usn/usn-3114-1/](https://www.ubuntu.com/usn/usn-3114-1/)

------
merb
well I guess for a webserver gaining any privileges is already bad. of course
privilege escalation is bad, especially on client machines, but on servers?
well if you are an attacker from the outside and already have a shell your
security is done anyway.

of course as said that won't apply to shared hosting (with shell) and client
machines.

------
eikenberry
I just looked at my current Debian Jessie system and it is not as described.
That is, /var/log/nginx is not owned by www-data, it is owned by root. It was
freshly installed not too long ago and was only configured with my ansible
setup. So I'm pretty sure that was the default.

~~~
eikenberry
I think I know why... it was fixed a few weeks ago.

[https://www.debian.org/security/2016/dsa-3701](https://www.debian.org/security/2016/dsa-3701)

------
w8rbt
An LSM such as SELinux, Tomoyo or AppArmor could mitigate this.

~~~
eikenberry
I was just researching these a little while ago and hadn't heard of Tomoyo.
Turns out it is included in the mainline kernel and is pretty simple to use.

[http://tomoyo.osdn.jp/](http://tomoyo.osdn.jp/)

On Debian you just need to enable it via a kernel param and install
tomoyo-tools to get going.

~~~
w8rbt
I like Tomoyo better than any of the others. I find it the easiest to
configure and reason about.

------
module0000
Well um, this is disturbing. Fun times!

