Finding Privilege Escalation Flaws in Linux

Published: 2015-01-20
Last Updated: 2015-01-21 14:27:39 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw.

From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to "bugs" that can be patched. Frequently, configuration mistakes give rise to privilege escalation flaws. You should audit your system for these problems regularly.

For example, a user may create a cron job, and then have root execute the cron job, but the file remains writable by the user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.
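As an added example (not code from the diary or from any of the tools it lists), here is a small POSIX shell check for exactly this misconfiguration: it walks a crontab and flags any job whose script is owned by someone other than the crontab's user or root, or carries a group/other write bit. The crontab path and the per-user crontab format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the diary or from any of the tools it lists.
# It audits the misconfiguration the diary describes: a job in a user's
# crontab whose script is still writable by someone other than that user or
# root. It assumes the per-user crontab format (five time fields or an
# @reboot-style field, then the command), not /etc/crontab's extra user field.

# Succeed (and print a finding) when FILE is owned by a uid other than
# OWNER_UID or root, or has a group/other write bit set. Fail when it is clean.
check_script_writable() {
    file=$1; owner_uid=$2
    [ -f "$file" ] || return 1
    # stat -c is GNU coreutils; -f is the BSD/macOS spelling.
    uid=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
    loose=$(find "$file" -prune \( -perm -g+w -o -perm -o+w \) -print)
    if [ "$uid" != "$owner_uid" ] && [ "$uid" != 0 ]; then
        printf 'WRITABLE %s (owned by uid %s, not %s or root)\n' "$file" "$uid" "$owner_uid"
    elif [ -n "$loose" ]; then
        printf 'WRITABLE %s (group/other write bit set)\n' "$file"
    else
        return 1
    fi
}

# Audit crontab CRONTAB_FILE whose jobs run as OWNER_UID (default root). Blank
# lines, comments and VAR=value assignments are skipped; the first word of the
# command is taken as the script path. Exit status 1 means at least one finding.
audit_crontab() {
    crontab=$1; owner_uid=${2:-0}; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*|[A-Za-z_]*=*) continue ;;
            @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;
        esac
        [ -n "$cmd" ] || continue
        if check_script_writable "$cmd" "$owner_uid"; then found=1; fi
    done < "$crontab"
    return $found
}

# Stand-alone use: audit root's crontab at the path the diary mentions
# (Debian/Ubuntu layout) or the Red Hat layout, whichever is readable.
for f in /var/spool/cron/crontabs/root /var/spool/cron/root; do
    if [ -r "$f" ]; then audit_crontab "$f" 0 || :; fi
done
```

Run it as root so the spool directory is readable, or point `audit_crontab` at any crontab file and the uid its jobs run as.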

Luckily, there are a number of scripts that make it easier for us to find these problems:

unix-privesc-check: Very comprehensive script that works on many Unix flavors, not just Linux. Read the "ToDo" section at the beginning, as it lists other areas that should be checked. The output is sent to stdout, and you had better pipe it to a file, as it is very verbose even in default mode.

http://pentestmonkey.net/tools/audit/unix-privesc-check

LinEnum: A more limited script as far as privilege escalation goes, but it does summarize other configuration options nicely.

https://github.com/rebootuser/LinEnum

linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.

http://www.securitysift.com/download/linuxprivchecker.py

And if you prefer to take a more "manual" approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:

http://www.rebootuser.com/?p=1623

Any tools I missed? Please let me know!

---
Johannes B. Ullrich, Ph.D.


Comments

We use several tools also. One you did not mention is diffmon.

We use that coupled with mysqldump against the mysql.users table (and other files) to nightly show us anything that moved (and what exactly the differences are). Configuration is simple and easy.

Very useful for watching changes to any text file:

php.ini
/etc/passwd
apache configurations
/var/spool/crontabs/root

etc. etc.
I find lynis (https://cisofy.com/lynis/) to be a very good tool for checking for configuration-based privilege escalation issues.

Another tool which also detects weak and privilege escalation spots is the open source auditing tool Lynis - https://cisofy.com/lynis/

linuxprivchecker must be good - it appears twice! :)

ninja (http://forkbomb.org/ninja/)
There are packages for Ubuntu and likely Debian. I was able to port it to RHEL5 and 6. It can monitor or even block privilege escalations. Unfortunately, it is getting rather long in the tooth. I discovered it after seeing that Linux didn't really log privilege escalations due to an exploit such as the CVE-2010-3081 exploit on exploit-db.com (EDB-ID: 15024), which affects RHEL5.5 (x86-64).
