exozyme/exozyme
7
12
Fork 0
Code Issues 4 Pull requests Projects Releases 39 Wiki Activity

Vulnerability disclosure: nginx can follow symlinks to sensitive files owned by the http user #206

New issue
Closed
opened 2023-07-10 20:27:39 +00:00 by a · 2 comments
a commented 2023-07-10 20:27:39 +00:00
Owner
Copy link

I know this write-up is a bit late, but several people wanted to learn more about this vulnerability, so here it is.

On 2023-06-14, @ersei discovered that because nginx follows symlinks, if you create a website in /srv/http/pages like this:

ln -s /var/log/nginx/access.log /srv/http/pages/exploit/access.log

On the filesystem, the log is only accessible by the http user. But when you visit https://exploit.exozy.me/access.log, nginx, which runs as the http user will follow the symlink and serve the entire contents of the access log. This exploit works for any files owned by the http user, which also include nginx stuff in /proc. This is obviously very bad.

The solution is to add disable_symlinks if_not_owner to the global /etc/nginx/nginx.conf config file which makes nginx stop following symlinks if the owner of the symlink and owner of the target file are different. This means that you would have to create the symlink as the http user, but that would mean the http user is already compromised. I could have also chosen to disable following symlinks completely, but sometimes symlinks are useful. This solution broke Nextcloud, so I had to manually add disable_symlinks off to Nextcloud's nginx config. It also broke https://fortune.exozy.me since that website is a symlink to /etc/motd.d/fortune, so I replaced it with a hard link. Hard links are not vulnerable to this exploit because in order to create a hard link to a file, you have to be the same user as that file.

The moral of the story is that if your web server is serving user content, you must disable arbitrary symlinks. I'm guessing nginx has following symlinks enabled by default since usually people only serve trusted content.

Anyways, thanks @ersei for finding and reporting this!

I know this write-up is a bit late, but several people wanted to learn more about this vulnerability, so here it is. On 2023-06-14, @ersei discovered that because nginx follows symlinks, if you create a website in `/srv/http/pages` like this: ``` ln -s /var/log/nginx/access.log /srv/http/pages/exploit/access.log ``` On the filesystem, the log is only accessible by the `http` user. But when you visit https://exploit.exozy.me/access.log, nginx, which runs as the `http` user will follow the symlink and serve the entire contents of the access log. This exploit works for any files owned by the `http` user, which also include nginx stuff in `/proc`. This is obviously very bad. The solution is to add `disable_symlinks if_not_owner` to the global `/etc/nginx/nginx.conf` config file which makes nginx stop following symlinks if the owner of the symlink and owner of the target file are different. This means that you would have to create the symlink as the `http` user, but that would mean the `http` user is already compromised. I could have also chosen to disable following symlinks completely, but sometimes symlinks are useful. This solution broke Nextcloud, so I had to manually add `disable_symlinks off` to Nextcloud's nginx config. It also broke https://fortune.exozy.me since that website is a symlink to `/etc/motd.d/fortune`, so I replaced it with a hard link. Hard links are not vulnerable to this exploit because in order to create a hard link to a file, you have to be the same user as that file. The moral of the story is that if your web server is serving user content, you must disable arbitrary symlinks. I'm guessing nginx has following symlinks enabled by default since usually people only serve trusted content. Anyways, thanks @ersei for finding and reporting this!
👍 2
a added the
security
 label 2023-07-10 20:27:39 +00:00
a closed this issue 2023-07-10 20:27:50 +00:00
nvpie commented 2023-08-18 10:10:40 +00:00
Copy link

How come it does not have CVE for it?

How come it does not have CVE for it?
a commented 2023-08-30 16:21:29 +00:00
Author
Owner
Copy link

How come it does not have CVE for it?

Probably because this is intended behavior. Both Nextcloud and Mastodon use this feature. And if you only serve trusted content, it's not really a problem at all. I guess the real problem is that there should be greater awareness about needing to disable following symlinks if you do serve untrusted content.

> How come it does not have CVE for it? Probably because this is intended behavior. Both Nextcloud and Mastodon use this feature. And if you only serve trusted content, it's not really a problem at all. I guess the real problem is that there should be greater awareness about needing to disable following symlinks if you do serve untrusted content.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v9.0
v8.8
v8.7
v8.6
v8.5
v8.4
v8.3
v8.2
v8.1
v8.0
v7.10
v7.9
v7.8
v7.7
v7.6
v7.5
v7.4
v7.3
v7.2
v7.1
v7.0
v6.1
v6.0
v5.1
v5.0
v4.2
v4.1
v4.0
v3.0
v2.5
v2.4
v2.3
v2.2
v2.1
v2.0
v1.3
v1.2
v1.1
v1.0
v0.3-beta
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
security

Security vulnerability

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#206
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?