Finding Privilege Escalation Flaws in Linux
We often tend to ignore privilege escalation flaws. To exploit one, an attacker first needs access to the system itself. But on systems that many users can log into, it is difficult to monitor every account for compromised credentials. Systems running web servers often suffer from web application flaws that let an attacker execute code as the web server user, and a privilege escalation flaw then turns that foothold into root access.
From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to "bugs" that can be patched. Frequently, configuration mistakes give rise to privilege escalation flaws, so you should audit your systems for these problems regularly.
For example, a user may create a cron job that root then executes, while the script file remains writable by that user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.
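The cron case above is easy to check for. The script below is an added example, not code from this diary or from any of the tools listed further down: it audits a directory of system-style cron files (one job per line with a user field, as in /etc/cron.d) and reports anything a non-root user could modify to get code run as root, namely a cron file or invoked script that is group- or world-writable, one not owned by root, or a job whose script does not exist at all. The directory layout, the file names and the rule that the first token after the user field is the script path are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the ISC diary or the tools it lists): audit a
# directory of /etc/cron.d-style files for jobs a non-root user could hijack.
# Assumption: the first token after the user field is the script path.

# Succeeds if FILE is writable by its group or by everyone.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]
}

# Succeeds if FILE is not owned by root.
not_root_owned() {
    [ -n "$(find "$1" -prune ! -user root -print 2>/dev/null)" ]
}

# Prints the script path of every job line in CRONFILE. Comments, blank
# lines and VAR=value assignments are skipped; "@daily user cmd" lines
# carry the command in field 3, ordinary five-field lines in field 7.
cron_targets() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
         $1 ~ /^@/ { print $3; next }
         NF >= 7 { print $7 }' "$1"
}

# Prints one finding per line as "<reason> <path>"; prints nothing for a
# clean directory. Only absolute script paths are checked.
audit_cron_dir() {
    dir=$1
    for cf in "$dir"/*; do
        [ -f "$cf" ] || continue
        writable_by_others "$cf" && echo "writable-cronfile $cf"
        not_root_owned "$cf" && echo "non-root-owner $cf"
        cron_targets "$cf" | while read -r target; do
            case $target in /*) ;; *) continue ;; esac
            if [ ! -e "$target" ]; then
                echo "missing-target $target"      # anyone who can create it wins
            elif writable_by_others "$target"; then
                echo "writable-target $target"     # the case described in the diary
            elif not_root_owned "$target"; then
                echo "non-root-target $target"
            fi
        done
    done
    return 0
}

# Builds a constructed sample tree (not a real system) under a temporary
# directory, audits it and removes it again.
demo() {
    root=$(mktemp -d)
    mkdir "$root/cron.d" "$root/bin"
    printf '#!/bin/sh\necho backup\n' > "$root/bin/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$root/bin/rotate.sh"
    chmod 0755 "$root/bin/backup.sh"
    chmod 0777 "$root/bin/rotate.sh"   # script anyone can rewrite
    printf 'PATH=/usr/bin\n*/5 * * * * root %s/bin/backup.sh\n' "$root" > "$root/cron.d/backup"
    printf '@daily root %s/bin/rotate.sh\n' "$root" > "$root/cron.d/rotate"
    printf '0 3 * * * root /nonexistent-dir/cleanup.sh\n' > "$root/cron.d/cleanup"
    chmod 0644 "$root/cron.d/rotate" "$root/cron.d/cleanup"
    chmod 0664 "$root/cron.d/backup"   # cron file its group can edit
    audit_cron_dir "$root/cron.d"
    rm -rf "$root"
}

demo
```

On a real host you would call `audit_cron_dir /etc/cron.d` (and the per-user spool directory) instead of `demo`. The check deliberately treats a missing script as a finding: a job pointing at a path that does not exist is only safe if nobody else can create that path, which the script cannot tell from the cron file alone.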
Luckily, there are a number of scripts that make it easier for us to find these problems:
unix-privesc-check: Very comprehensive script that works on many Unix flavors, not just Linux. Read the "ToDo" section at the beginning, as it lists other areas that should be checked. The output is sent to stdout, and you had better pipe it to a file, as it is very verbose even in default mode.
http://pentestmonkey.net/tools/audit/unix-privesc-check
LinEnum: A more limited script as far as privilege escalation goes, but it does summarize other configuration options nicely.
https://github.com/rebootuser/LinEnum
linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.
http://www.securitysift.com/download/linuxprivchecker.py
And if you prefer to take a more "manual" approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:
http://www.rebootuser.com/?p=1623
Any tools I missed? Please let me know!
Comments
We use that coupled with mysqldump against the mysql.users table (and other files) to nightly show us anything that moved (and what exactly the differences are). Configuration is simple and easy.
Very useful for watching changes to any text file:
php.ini
/etc/passwd
apache configurations
/var/spool/crontabs/root
etc. etc.
Anonymous
Jan 20th 2015
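The nightly "show us anything that moved" check from the comment above can be reproduced with a short baseline-and-compare script. The following is an added example, not the commenter's setup and not code from the diary: `snapshot` records mode, owner and SHA-256 for a list of files, and `compare` reports which entries changed, appeared or disappeared since a saved baseline. The file names, the manifest format and the assumption that paths contain no whitespace are this example's own.

```shell
#!/bin/sh
# Added example (not the commenter's configuration or diary code): keep a
# baseline manifest of sensitive files and report what changed since.
# Assumption: paths contain no whitespace (the manifest is space-separated).

# Prints one manifest line per existing file: "<mode> <owner> <sha256> <path>".
snapshot() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s %s %s\n' "$(stat -c %a "$f")" "$(stat -c %U "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

# compare BASELINE FILE...: prints "changed|added|removed <path>" lines,
# nothing when the current state matches the baseline manifest.
compare() {
    base=$1
    shift
    snapshot "$@" | awk -v base="$base" '
        FILENAME == base { old[$4] = $1 " " $2 " " $3; next }
        { new[$4] = $1 " " $2 " " $3 }
        END {
            for (p in old) {
                if (!(p in new)) print "removed " p
                else if (old[p] != new[p]) print "changed " p
            }
            for (p in new) if (!(p in old)) print "added " p
        }' "$base" -
}

# Constructed demonstration (not real system files): baseline two files,
# tamper with them the way an intruder might, and report the differences.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    printf '0 3 * * * root /usr/local/bin/backup.sh\n' > "$d/crontab"
    chmod 0644 "$d/passwd" "$d/crontab"
    snapshot "$d/passwd" "$d/crontab" > "$d/baseline"
    printf 'eve:x:0:0::/home/eve:/bin/sh\n' >> "$d/passwd"   # a second UID-0 account
    chmod 0664 "$d/crontab"                                   # mode change only
    compare "$d/baseline" "$d/passwd" "$d/crontab"
    rm -rf "$d"
}

demo
```

Because the manifest includes mode and owner as well as the hash, a permission change with identical content (the cron-file case from the diary) is reported just like an edit. In a nightly job you would keep the baseline on a host the monitored system cannot write to, and regenerate it only after reviewing the reported differences.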
There are packages for Ubuntu and likely Debian. I was able to port it to RHEL5 and 6. It can monitor or even block privilege escalations. Unfortunately, it is getting rather long in the tooth. I discovered it after seeing that Linux didn't really log privilege escalations due to an exploit such as the CVE-2010-3081 exploit (exploit-db.com, EDB-ID: 15024), which affects RHEL5.5 (x86-64).
Anonymous
Jan 21st 2015