Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Finding Privilege Escalation Flaws in Linux - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Finding Privilege Escalation Flaws in Linux

We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw.

From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to "bugs" that can be patched. Frequently configuration mistakes can give rise to privilege escalation flaws. Auditing your system for these problems should be done regularly to avoid privilege escalation flaws.

For example, a user may create a cron job, and then have root execute the cron job, but the file remains writable by the user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.

Luckily, there are a number of scripts that make it easier for us to find these problems:

unix-privesc-check: Very comprehensive script that works on many Unix flavors, not just Linux. Read the "ToDo" section at the beginning as it lists other areas that should be checked. The output is send to stdout, and you better pipe it to a file as it is very verbose even in default mode.

http://pentestmonkey.net/tools/audit/unix-privesc-check

LinEnum: A more limited script as far as privilege escaltion goes, but it does summarize other configuration options nicely.

https://github.com/rebootuser/LinEnum

​linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.

http://www.securitysift.com/download/linuxprivchecker.py

And if you prefer to take a more "manual" approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:

http://www.rebootuser.com/?p=1623

Any tools I missed? Please let me know!

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3558 Posts
ISC Handler
We use several tools also. One you did not mention is diffmon.

We use that coupled with mysqldump against the mysql.users table (and other files) to nightly show us anything that moved (and what exactly the differences are). Configuration is simple and easy.

Very useful for watching changes to any text file:

php.ini
/etc/passwd
apache configurations
/var/spool/crontabs/root

etc. etc.
FireStorm9

6 Posts
I find lynis (https://cisofy.com/lynis/) to be a very good tool for checking for configuration-based privilege escalation issues.
Micky

1 Posts
Another tool which also detects weak and privilege escalation spots, is open source auditing tool Lynis - https://cisofy.com/lynis/
Michael

1 Posts
linuxprivchecker must be good - it appears twice! :)
patermann

35 Posts
ninja (http://forkbomb.org/ninja/)
There are packages for Ubuntu and likely Debian.I was able to port it to RHEL5 and 6. It can monitor or even block privilege escalations. Unfortunately, it is getting rather long in the tooth. I discovered it after seeing that Linux didn't really log privilege escalations due to such an exploit such as the CVE-2010-3081 exploit exploit-db.com (EDB-ID:15024) which affects RHEL5.5 (x86-64).
jbmoore

11 Posts

Sign Up for Free or Log In to start participating in the conversation!