Privilege Escalation – Linux

Linux privilege escalation allows attackers to gain higher permission levels on a compromised system, potentially achieving root access.

Understanding common privilege escalation techniques helps security professionals identify and patch vulnerabilities before they can be exploited.

This guide covers essential Linux privilege escalation methods, detection approaches, and mitigation strategies for system administrators and penetration testers.

Kernel Exploits

Kernel vulnerabilities can be exploited to gain elevated privileges on Linux systems.

• Check kernel version: uname -a
• Search for known exploits: searchsploit linux kernel [version]
• Common tools: Linux Exploit Suggester, Linux Exploit Detector

Password Hunting

Sensitive credentials are often stored in configuration files or logs.

• Check common locations:
  • /etc/passwd
  • /etc/shadow
  • /var/log/
  • /home/user/.bash_history

SUID Binaries

SUID (Set User ID) binaries run with the permissions of their owner rather than the executing user.

• Find SUID files: find / -perm -u=s -type f 2>/dev/null
• Common SUID binaries to check:
  • nmap
  • vim
  • nano
  • find

Sudo Rights

Check available sudo permissions with sudo -l.

• Look for:
  • NOPASSWD options
  • Wildcard usage
  • Misconfigured sudo rules

Cron Jobs

Scheduled tasks might run with elevated privileges.

• Check locations:
  • /etc/crontab
  • /var/spool/cron/
  • /etc/cron.*/ directories
• Look for writable scripts

Path Manipulation

Manipulating the system PATH can lead to privilege escalation.

• Check PATH: echo $PATH
• Look for writable directories in PATH
• Create malicious executables in writable PATH locations

Service Exploitation

Misconfigured services can provide privilege escalation opportunities.

• Check running services: ps aux
• Look for:
  • Writable service files
  • Unquoted service paths
  • Vulnerable versions

Prevention and Hardening

• Regular system updates
• Minimal SUID usage
• Restricted sudo access
• Service hardening
• Regular security audits
• File permission reviews

Tools for Privilege Escalation

• LinPEAS: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
• LinEnum: https://github.com/rebootuser/LinEnum
• Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration

Taking Action: Next Steps

Implement regular security assessments using automated tools combined with manual testing to identify potential privilege escalation vectors.

Document all findings and create an action plan to address discovered vulnerabilities.

Consider engaging professional penetration testers for thorough security evaluations.

Detection and Monitoring

Implementing robust detection mechanisms helps identify potential privilege escalation attempts.

• Key monitoring areas:
  • File system changes
  • Process creation
  • Account modifications
  • Sudo command usage

Incident Response

Having a clear incident response plan for privilege escalation attempts is crucial.

• Essential steps:
  • Immediate system isolation
  • Evidence collection
  • Root cause analysis
  • System restoration

Common Mistakes to Avoid

• Neglecting regular updates
• Weak password policies
• Excessive SUID permissions
• Unmonitored service accounts
• Insufficient logging

Advanced Protection Strategies

Implement comprehensive security measures beyond basic hardening.

• Key strategies:
  • Mandatory Access Control (SELinux/AppArmor)
  • File integrity monitoring
  • Privilege separation
  • Network segmentation

Securing Linux Infrastructure

A multi-layered approach to security ensures robust protection against privilege escalation attacks.

• Essential practices:
  • Regular vulnerability assessments
  • Comprehensive monitoring
  • Systematic patch management
  • Security awareness training
  • Documented security procedures
• Future considerations:
  • Emerging threat monitoring
  • Security automation
  • Compliance requirements
  • Continuous improvement

FAQs

1. What is Linux privilege escalation?
   Privilege escalation in Linux is the process of exploiting vulnerabilities, design flaws, or misconfigurations to gain elevated access from one user to another user with higher privileges or permissions.
2. What are common ways to find SUID binaries for privilege escalation?
   SUID binaries can be found using commands like ‘find / -perm -u=s -type f 2>/dev/null’ or ‘find / -type f -perm -4000 2>/dev/null’, which locate files with SUID bit set that could potentially be exploited.
3. How can kernel exploits be used for privilege escalation?
   Kernel exploits take advantage of vulnerabilities in outdated Linux kernel versions. Tools like Linux Exploit Suggester can identify potential kernel vulnerabilities based on the system version that could be exploited for privilege escalation.
4. What role do cron jobs play in privilege escalation?
   Misconfigured cron jobs running as root or with higher privileges can be exploited if the target files or scripts they execute are writable by lower-privileged users, allowing command execution with elevated permissions.
5. How do wildcard injection attacks work in Linux?
   Wildcard injection attacks exploit the way Linux commands handle wildcards (*). When combined with certain commands like tar, they can be manipulated to execute malicious commands if file names are crafted specifically to be interpreted as command options.
6. What is a sudo privilege escalation?
   Sudo privilege escalation occurs when users are given excessive sudo rights or when there are misconfigurations in the sudoers file, allowing users to execute commands with root privileges beyond their intended permissions.
7. How can path variable manipulation lead to privilege escalation?
   When the PATH variable includes writable directories for the current user, attackers can create malicious versions of commonly used commands that will execute instead of the legitimate system commands when run by privileged users.
8. What is NFS root squashing and how can it be exploited?
   When NFS shares are configured without root squashing, a remote user with local root privileges can create files on the NFS share with root privileges, potentially leading to privilege escalation on the target system.
9. How can capabilities be exploited for privilege escalation?
   Linux capabilities that are misconfigured or unnecessarily assigned to binaries can be exploited to gain elevated privileges, particularly capabilities like CAP_SETUID or CAP_SETGID.
10. What role do weak file permissions play in privilege escalation?
    Files with incorrect permissions, especially system files or configuration files that are world-writable, can be modified by unprivileged users to execute commands with elevated privileges.

Author: Editor