Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Fundamentals of
Linux Privilege
Escalation
Introduction
❖ Elliott Cutright
❖ Sr. Red Team for a Fortune 10 in Richmond VA
❖ Professional Red Team for 6 years
❖ Linux...
Disclaimer
The views and opinions expressed here are
those of Elliott Cutright only and in no way
represent the views, pos...
Setup
❖ This is NOT how to get in
❖ How do we go from low privileges to high privileges
❖ Webshells, Stolen SSH Keys, etc
...
Method 1:
Exploits
Exploits
❖ Most take advantage of a flaw in the Linux Kernel
❖ Easier because reliable exploit code is widely available
❖ ...
Exploits
❖ Identify OS and Kernel Version
❖ Enumerate tools to build exploit (gcc, python, perl, etc)
❖ Get the exploit to...
Exploit - ID System
❖ Determine kernel version
❖ uname -a
❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu
SMP Wed May 1 16...
Exploit - ID System
❖ OS Release
❖ Ubuntu - cat /etc/lsb-release
❖ DISTRIB_ID=Ubuntu
❖ DISTRIB_RELEASE=13.04
❖ DISTRIB_COD...
Exploit - Get the file on the
Server
❖ Any means available
❖ curl/wget
❖ NetCat
❖ FTP
❖ SCP/SFTP
❖ SMB
❖ TFTP
❖ Copy/Paste...
Exploit - Where To Hide It?
❖ Directories starting with a ‘.’ are hidden on Linux
Filesystem
❖ /tmp/.nothinghere/exploit.c...
Exploit - ID Build System
❖ gcc -v
❖ Using built-in specs.
❖ COLLECT_GCC=gcc
❖ Target: i686-linux-gnu
❖ Configured with: ....
Exploit - ID Build System
❖ gcc -v
❖ -bash: gcc: command not found
❖ Common on Servers
❖ python -V
❖ -bash: /usr/bin/pytho...
Exploit - Building The Exploit
❖ Most exploits have build directions in the headers
❖ Most common method
❖ gcc exploit.c -...
Exploit - Build Local
❖ If GCC is not present, build a VM or VPS with the exact
matching kernel and OS (Ex. Ubuntu 13.10 w...
CVE-2009-2692 - sock_sendpage() exploit
https://www.youtube.com/watch?v=65w7ROFbdqc
Demo
Protect/Detect
❖ Patching
❖ No Really…Install Patches
❖ Limit locations for code execution
❖ GRSecurity, if you are up to ...
Method 2:
File Permissions
World Readable/Writeable
❖ These are files that anyone can read or write
❖ Easy to find
❖ find / -perm -2 ! -type l -ls
❖ ...
Dangers
❖ ANYONE can read or write these files
❖ While that is by design for some files, others it adds a
great deal of ri...
Protect/Detect
❖ World Read/Write is normal part of the filesystem
❖ Issues arise when users/admins/scripts start changing...
SetUID and SetGID
❖ SetUID - SET User ID upon execution
❖ SetGUID - SET Group ID upon execution
❖ Allows you to run progra...
SetUID Risks
❖ Binaries run with elevated privileges can access
privileged information
❖ SetUID on ‘ls’ will allow you to ...
SetUID Risks
❖ Buffer overflow exploits or command injection flaws in
SetUID applications will result in the attacker runn...
Find SetUID
❖ ls -l /bin/ls
❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
❖ dir:owner:group:world
❖ ls -al /bin/ping...
Find SetUID
❖ sudo find / -xdev ( -perm -4000 ) -type f -print0 -exec ls
-l {} ;
❖ note: sudo is not required, you just wo...
Exploiting SetUID
❖ Use the functionality of the tool in unintended ways for
elevated privileges (more on this idea later)...
Protect/Detect
❖ While setUID is 100% required under normal operations
we see admins overusing it
❖ It is not a fix all
❖ ...
Method 3:
Permissive
SUDO
SUDO
❖ su do
❖ note: `su` does not mean SuperUser, it is Substitute
User
❖ Allows you to run commands as elevated user wit...
/etc/sudoers
❖ Config file for sudo
❖ Limits what users and groups can run what commands
❖ ex:
❖ rootALL=(ALL:ALL) ALL
❖ %...
/etc/sudoers
❖ Can allow for very granular configurations
❖ User_Alias FULLTIMERS = millert, mikef, dowdy
❖ Host_Alias SER...
Concerns
❖ With great power, comes great responsibility
❖ sudo will allow you to shoot yourself in the foot
❖ THINK about ...
Problems?
❖ Why are these commands an issue?
❖ vi/vim
❖ more/less/cat
❖ echo
❖ nmap
Find Exec
Demo
Protect/Detect
❖ Again, Risk vs Reward of allowing sudo
❖ The more specific you can be in config, the better
❖ Know what t...
Method 4:
PATH issues
Linux PATH
❖ An environment variable that contains the location of
executables
❖ printenv
❖ PATH=/usr/local/rvm/gems/ruby-...
Linux PATH
❖ ruby -v
❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-
linux]
❖ which ruby
❖ /usr/local/rvm/rubies/ruby-...
Linux PATH Issues
❖ What would happen if the ‘.’ was prepended to the path?
❖ Where would it look for ruby first?
❖ What i...
Attack Path Example
❖ Sysadmin has ‘.’ in his path
❖ Email and say you can’t list the files in your home dir
❖ Make bash s...
ls reverse shell
Demo
Protect/Detect
❖ Don't put ‘.’ in your path….just don't
❖ No Risk vs Reward here, Risk will almost always
outweigh the rew...
Questions? e: elliott.cutright@gmail.com
t: @nullthreat
Upcoming SlideShare
Loading in …5
×

Fundamentals of Linux Privilege Escalation

9,588 views

Published on

Revision of fundamentals of linux privilege escalation to add protections and decetions

Published in: Internet

Fundamentals of Linux Privilege Escalation

  1. 1. Fundamentals of Linux Privilege Escalation
  2. 2. Introduction ❖ Elliott Cutright ❖ Sr. Red Team for a Fortune 10 in Richmond VA ❖ Professional Red Team for 6 years ❖ Linux and Web Applications ❖ Past worked in Threat Intelligence and Systems Admin and a 24 x 7 x 365 DOD SOC
  3. 3. Disclaimer The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  4. 4. Setup ❖ This is NOT how to get in ❖ How do we go from low privileges to high privileges ❖ Webshells, Stolen SSH Keys, etc ❖ We do not know the user's password ❖ Everything in this talk is something I have done or seen in the real world on real production machines; This is not THEORY, it's FACT
  5. 5. Method 1: Exploits
  6. 6. Exploits ❖ Most take advantage of a flaw in the Linux Kernel ❖ Easier because reliable exploit code is widely available ❖ Be careful, if unreliable good chance you will crash system as you might see in the demo ❖ Generally low skill set can achieve grand results
  7. 7. Exploits ❖ Identify OS and Kernel Version ❖ Enumerate tools to build exploit (gcc, python, perl, etc) ❖ Get the exploit to the system ❖ Execute Exploit ❖ … ❖ ROOT
  8. 8. Exploit - ID System ❖ Determine kernel version ❖ uname -a ❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux ❖ Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
  9. 9. Exploit - ID System ❖ OS Release ❖ Ubuntu - cat /etc/lsb-release ❖ DISTRIB_ID=Ubuntu ❖ DISTRIB_RELEASE=13.04 ❖ DISTRIB_CODENAME=raring ❖ DISTRIB_DESCRIPTION="Ubuntu 13.04” ❖ RedHat/CENT - cat /etc/redhat-release ❖ CentOS release 5 (Final)
  10. 10. Exploit - Get the file on the Server ❖ Any means available ❖ curl/wget ❖ NetCat ❖ FTP ❖ SCP/SFTP ❖ SMB ❖ TFTP ❖ Copy/Paste - for source code ❖ DNS TXT Records - for source code
  11. 11. Exploit - Where To Hide It? ❖ Directories starting with a ‘.’ are hidden on Linux Filesystem ❖ /tmp/.nothinghere/exploit.c ❖ /tmp/…/exploit.c ❖ Verify you can run commands from your directory ❖ mount ❖ /dev/vda3 on /tmp type ext4 (rw,noexec)
  12. 12. Exploit - ID Build System ❖ gcc -v ❖ Using built-in specs. ❖ COLLECT_GCC=gcc ❖ Target: i686-linux-gnu ❖ Configured with: ../src/configure …….. ❖ gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1) ❖ python -V ❖ Python 2.4.3
  13. 13. Exploit - ID Build System ❖ gcc -v ❖ -bash: gcc: command not found ❖ Common on Servers ❖ python -V ❖ -bash: /usr/bin/python: No such file or directory ❖ RARE
  14. 14. Exploit - Building The Exploit ❖ Most exploits have build directions in the headers ❖ Most common method ❖ gcc exploit.c -o exploit ❖ ./exploit
  15. 15. Exploit - Build Local ❖ If GCC is not present, build a VM or VPS with the exact matching kernel and OS (Ex. Ubuntu 13.10 with Kernel 3.8.0-19-generic) ❖ Once build on your local system, move the compiled exploit to your target system ❖ WARNING: This is not the preferred method and can have unexpected results…but may work in a pinch
  16. 16. CVE-2009-2692 - sock_sendpage() exploit https://www.youtube.com/watch?v=65w7ROFbdqc Demo
  17. 17. Protect/Detect ❖ Patching ❖ No Really…Install Patches ❖ Limit locations for code execution ❖ GRSecurity, if you are up to it ❖ You need to be really comfortable with Linux for this one ❖ Adds significant overhead to updating as you have to rebuild for EVERY kernel version
  18. 18. Method 2: File Permissions
  19. 19. World Readable/Writeable ❖ These are files that anyone can read or write ❖ Easy to find ❖ find / -perm -2 ! -type l -ls ❖ My Ubuntu box had 1,681 files and folder and its a basic install of 14.04
  20. 20. Dangers ❖ ANYONE can read or write these files ❖ While that is by design for some files, others it adds a great deal of risk ❖ Config Files ❖ Websites /Application source code ❖ Scripts run by init or cron ❖ Commands/Scripts used by admins
  21. 21. Protect/Detect ❖ World Read/Write is normal part of the filesystem ❖ Issues arise when users/admins/scripts start changing permissions ❖ stop using `chmod 777` please ❖ Audit on a semi-regular basis for overly permissive files and folders
  22. 22. SetUID and SetGID ❖ SetUID - SET User ID upon execution ❖ SetGUID - SET Group ID upon execution ❖ Allows you to run programs as another user upon execution ❖ Generally executed as elevated privilege user (root)
  23. 23. SetUID Risks ❖ Binaries run with elevated privileges can access privileged information ❖ SetUID on ‘ls’ will allow you to list directories you otherwise wouldn’t have rights to ❖ SetUID on ‘vim’ will allow you to edit files you otherwise wouldn’t have rights to
  24. 24. SetUID Risks ❖ Buffer overflow exploits or command injection flaws in SetUID applications will result in the attacker running code with the elevated privileges
  25. 25. Find SetUID ❖ ls -l /bin/ls ❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls ❖ dir:owner:group:world ❖ ls -al /bin/ping ❖ -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
  26. 26. Find SetUID ❖ sudo find / -xdev ( -perm -4000 ) -type f -print0 -exec ls -l {} ; ❖ note: sudo is not required, you just wont be able to check directories you don't have permissions to
  27. 27. Exploiting SetUID ❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later) ❖ Find an application that has public exploit or start fuzzing on your own ❖ Command Injection
  28. 28. Protect/Detect ❖ While setUID is 100% required under normal operations we see admins overusing it ❖ It is not a fix all ❖ Understand the Risk vs Reward when setting setUID on an application; Do audits for these apps
  29. 29. Method 3: Permissive SUDO
  30. 30. SUDO ❖ su do ❖ note: `su` does not mean SuperUser, it is Substitute User ❖ Allows you to run commands as elevated user with your user password rather than a shared root (BAD!) password
  31. 31. /etc/sudoers ❖ Config file for sudo ❖ Limits what users and groups can run what commands ❖ ex: ❖ rootALL=(ALL:ALL) ALL ❖ %sudo ALL=(ALL) NOPASSWD:ALL
  32. 32. /etc/sudoers ❖ Can allow for very granular configurations ❖ User_Alias FULLTIMERS = millert, mikef, dowdy ❖ Host_Alias SERVERS = master, mail, www, ns ❖ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown ❖ Cmnd_Alias REBOOT = /usr/sbin/reboot ❖ FULLTIMERS ALL = NOPASSWD: ALL ❖ mikef ALL, !SERVERS = ALL
  33. 33. Concerns ❖ With great power, comes great responsibility ❖ sudo will allow you to shoot yourself in the foot ❖ THINK about the commands you allow via sudo
  34. 34. Problems? ❖ Why are these commands an issue? ❖ vi/vim ❖ more/less/cat ❖ echo ❖ nmap
  35. 35. Find Exec Demo
  36. 36. Protect/Detect ❖ Again, Risk vs Reward of allowing sudo ❖ The more specific you can be in config, the better ❖ Know what the application you are allowing CAN do
  37. 37. Method 4: PATH issues
  38. 38. Linux PATH ❖ An environment variable that contains the location of executables ❖ printenv ❖ PATH=/usr/local/rvm/gems/ruby-1.9.3- p448/bin:/usr/local/rvm/gems/ruby-1.9.3- p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3- p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin :/usr/sbin:/usr/bin:/sbin:/bin
  39. 39. Linux PATH ❖ ruby -v ❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686- linux] ❖ which ruby ❖ /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
  40. 40. Linux PATH Issues ❖ What would happen if the ‘.’ was prepended to the path? ❖ Where would it look for ruby first? ❖ What if a script was calling ruby? ❖ As root…….
  41. 41. Attack Path Example ❖ Sysadmin has ‘.’ in his path ❖ Email and say you can’t list the files in your home dir ❖ Make bash script called ‘ls’ that sends a reverse shell and hides itself from the admin ❖ Admin logs in as root ❖ Goes to your home dir and runs ls ❖ Shell
  42. 42. ls reverse shell Demo
  43. 43. Protect/Detect ❖ Don't put ‘.’ in your path….just don't ❖ No Risk vs Reward here, Risk will almost always outweigh the reward
  44. 44. Questions? e: elliott.cutright@gmail.com t: @nullthreat

×