Successfully reported this slideshow.
Your SlideShare is downloading. ×

Fundamentals of Linux Privilege Escalation

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 44 Ad
Advertisement

More Related Content

Slideshows for you (20)

Advertisement
Advertisement

Fundamentals of Linux Privilege Escalation

  1. 1. Fundamentals of Linux Privilege Escalation
  2. 2. Introduction ❖ Elliott Cutright ❖ Sr. Red Team for a Fortune 10 in Richmond VA ❖ Professional Red Team for 6 years ❖ Linux and Web Applications ❖ Past worked in Threat Intelligence and Systems Admin and a 24 x 7 x 365 DOD SOC
  3. 3. Disclaimer The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  4. 4. Setup ❖ This is NOT how to get in ❖ How do we go from low privileges to high privileges ❖ Webshells, Stolen SSH Keys, etc ❖ We do not know the user's password ❖ Everything in this talk is something I have done or seen in the real world on real production machines; This is not THEORY, it's FACT
  5. 5. Method 1: Exploits
  6. 6. Exploits ❖ Most take advantage of a flaw in the Linux Kernel ❖ Easier because reliable exploit code is widely available ❖ Be careful, if unreliable good chance you will crash system as you might see in the demo ❖ Generally low skill set can achieve grand results
  7. 7. Exploits ❖ Identify OS and Kernel Version ❖ Enumerate tools to build exploit (gcc, python, perl, etc) ❖ Get the exploit to the system ❖ Execute Exploit ❖ … ❖ ROOT
  8. 8. Exploit - ID System ❖ Determine kernel version ❖ uname -a ❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux ❖ Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
  9. 9. Exploit - ID System ❖ OS Release ❖ Ubuntu - cat /etc/lsb-release ❖ DISTRIB_ID=Ubuntu ❖ DISTRIB_RELEASE=13.04 ❖ DISTRIB_CODENAME=raring ❖ DISTRIB_DESCRIPTION="Ubuntu 13.04” ❖ RedHat/CENT - cat /etc/redhat-release ❖ CentOS release 5 (Final)
  10. 10. Exploit - Get the file on the Server ❖ Any means available ❖ curl/wget ❖ NetCat ❖ FTP ❖ SCP/SFTP ❖ SMB ❖ TFTP ❖ Copy/Paste - for source code ❖ DNS TXT Records - for source code
  11. 11. Exploit - Where To Hide It? ❖ Directories starting with a ‘.’ are hidden on Linux Filesystem ❖ /tmp/.nothinghere/exploit.c ❖ /tmp/…/exploit.c ❖ Verify you can run commands from your directory ❖ mount ❖ /dev/vda3 on /tmp type ext4 (rw,noexec)
  12. 12. Exploit - ID Build System ❖ gcc -v ❖ Using built-in specs. ❖ COLLECT_GCC=gcc ❖ Target: i686-linux-gnu ❖ Configured with: ../src/configure …….. ❖ gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1) ❖ python -V ❖ Python 2.4.3
  13. 13. Exploit - ID Build System ❖ gcc -v ❖ -bash: gcc: command not found ❖ Common on Servers ❖ python -V ❖ -bash: /usr/bin/python: No such file or directory ❖ RARE
  14. 14. Exploit - Building The Exploit ❖ Most exploits have build directions in the headers ❖ Most common method ❖ gcc exploit.c -o exploit ❖ ./exploit
  15. 15. Exploit - Build Local ❖ If GCC is not present, build a VM or VPS with the exact matching kernel and OS (Ex. Ubuntu 13.10 with Kernel 3.8.0-19-generic) ❖ Once build on your local system, move the compiled exploit to your target system ❖ WARNING: This is not the preferred method and can have unexpected results…but may work in a pinch
  16. 16. CVE-2009-2692 - sock_sendpage() exploit https://www.youtube.com/watch?v=65w7ROFbdqc Demo
  17. 17. Protect/Detect ❖ Patching ❖ No Really…Install Patches ❖ Limit locations for code execution ❖ GRSecurity, if you are up to it ❖ You need to be really comfortable with Linux for this one ❖ Adds significant overhead to updating as you have to rebuild for EVERY kernel version
  18. 18. Method 2: File Permissions
  19. 19. World Readable/Writeable ❖ These are files that anyone can read or write ❖ Easy to find ❖ find / -perm -2 ! -type l -ls ❖ My Ubuntu box had 1,681 files and folder and its a basic install of 14.04
  20. 20. Dangers ❖ ANYONE can read or write these files ❖ While that is by design for some files, others it adds a great deal of risk ❖ Config Files ❖ Websites /Application source code ❖ Scripts run by init or cron ❖ Commands/Scripts used by admins
  21. 21. Protect/Detect ❖ World Read/Write is normal part of the filesystem ❖ Issues arise when users/admins/scripts start changing permissions ❖ stop using `chmod 777` please ❖ Audit on a semi-regular basis for overly permissive files and folders
  22. 22. SetUID and SetGID ❖ SetUID - SET User ID upon execution ❖ SetGUID - SET Group ID upon execution ❖ Allows you to run programs as another user upon execution ❖ Generally executed as elevated privilege user (root)
  23. 23. SetUID Risks ❖ Binaries run with elevated privileges can access privileged information ❖ SetUID on ‘ls’ will allow you to list directories you otherwise wouldn’t have rights to ❖ SetUID on ‘vim’ will allow you to edit files you otherwise wouldn’t have rights to
  24. 24. SetUID Risks ❖ Buffer overflow exploits or command injection flaws in SetUID applications will result in the attacker running code with the elevated privileges
  25. 25. Find SetUID ❖ ls -l /bin/ls ❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls ❖ dir:owner:group:world ❖ ls -al /bin/ping ❖ -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
  26. 26. Find SetUID ❖ sudo find / -xdev ( -perm -4000 ) -type f -print0 -exec ls -l {} ; ❖ note: sudo is not required, you just wont be able to check directories you don't have permissions to
  27. 27. Exploiting SetUID ❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later) ❖ Find an application that has public exploit or start fuzzing on your own ❖ Command Injection
  28. 28. Protect/Detect ❖ While setUID is 100% required under normal operations we see admins overusing it ❖ It is not a fix all ❖ Understand the Risk vs Reward when setting setUID on an application; Do audits for these apps
  29. 29. Method 3: Permissive SUDO
  30. 30. SUDO ❖ su do ❖ note: `su` does not mean SuperUser, it is Substitute User ❖ Allows you to run commands as elevated user with your user password rather than a shared root (BAD!) password
  31. 31. /etc/sudoers ❖ Config file for sudo ❖ Limits what users and groups can run what commands ❖ ex: ❖ rootALL=(ALL:ALL) ALL ❖ %sudo ALL=(ALL) NOPASSWD:ALL
  32. 32. /etc/sudoers ❖ Can allow for very granular configurations ❖ User_Alias FULLTIMERS = millert, mikef, dowdy ❖ Host_Alias SERVERS = master, mail, www, ns ❖ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown ❖ Cmnd_Alias REBOOT = /usr/sbin/reboot ❖ FULLTIMERS ALL = NOPASSWD: ALL ❖ mikef ALL, !SERVERS = ALL
  33. 33. Concerns ❖ With great power, comes great responsibility ❖ sudo will allow you to shoot yourself in the foot ❖ THINK about the commands you allow via sudo
  34. 34. Problems? ❖ Why are these commands an issue? ❖ vi/vim ❖ more/less/cat ❖ echo ❖ nmap
  35. 35. Find Exec Demo
  36. 36. Protect/Detect ❖ Again, Risk vs Reward of allowing sudo ❖ The more specific you can be in config, the better ❖ Know what the application you are allowing CAN do
  37. 37. Method 4: PATH issues
  38. 38. Linux PATH ❖ An environment variable that contains the location of executables ❖ printenv ❖ PATH=/usr/local/rvm/gems/ruby-1.9.3- p448/bin:/usr/local/rvm/gems/ruby-1.9.3- p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3- p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin :/usr/sbin:/usr/bin:/sbin:/bin
  39. 39. Linux PATH ❖ ruby -v ❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686- linux] ❖ which ruby ❖ /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
  40. 40. Linux PATH Issues ❖ What would happen if the ‘.’ was prepended to the path? ❖ Where would it look for ruby first? ❖ What if a script was calling ruby? ❖ As root…….
  41. 41. Attack Path Example ❖ Sysadmin has ‘.’ in his path ❖ Email and say you can’t list the files in your home dir ❖ Make bash script called ‘ls’ that sends a reverse shell and hides itself from the admin ❖ Admin logs in as root ❖ Goes to your home dir and runs ls ❖ Shell
  42. 42. ls reverse shell Demo
  43. 43. Protect/Detect ❖ Don't put ‘.’ in your path….just don't ❖ No Risk vs Reward here, Risk will almost always outweigh the reward
  44. 44. Questions? e: elliott.cutright@gmail.com t: @nullthreat

×