W3 Total Cache Nginx – Root Escalation (opens in new tab)

This would make sense if it created those directories, but IMHO it should fail to start if the path exists and isn't owned by www process. The function that does chown() is even called ngx_create_paths().

2 more replies

discordianfish9y ago· 1 in thread

This is a very interesting attack vector. There are many situations where less privileged users can inject stuff into an nginx config.

TarqDirtyToMe9y ago

I'd be interested to see if any web-based control panels are vulnerable in a similar way. All of the client_*_temp_path directives are valid in http,server, and location contexts so you have a lot of flexibility there.

nodesocket9y ago· 1 in thread

What other NGINX directive paths besides "client_body_temp_path" actually change the owner on-startup?

Seems like NGINX logic should be, if the path exists, it must have correct permissions already. If not, just fail to start.

TarqDirtyToMe9y ago

All of the client_*_temp_path behave this way so you can actually change multiple files with one payload.

I am sure there are other ones but I have not had a chance to investigate further. Another commented mentioned this particular problem is in ngx_create_paths so that would be a good place to start looking.

The key is to find paths that happen in the master process, not the workers.

deckiedan9y ago· 1 in thread

Ouch.

Does SElinux mitigate this? App armour? Dockerised WP and NGiNX?

ibotty9y ago

SELinux does, I don't know about App armour. Dockerized NGiNX will give you root in the container, which will give you root on the host easily. If you run NGiNX as non-root-container, you are better off: You can't escalate. You run as non-root before, and stay non-root.

j / k navigate · click thread line to collapse

20 comments