Tech Ramblings

Character - or a lack thereof 🥶

Ayan Kumar Nath's photo
Ayan Kumar Nath
·

4 min read

Characteristics in Linux and Their Role in Privilege Escalation

Linux is a powerful and versatile operating system widely used in servers, desktops, and embedded systems. Its architecture, permissions, and configurations define its characteristics, some of which attackers exploit for privilege escalation. Below is an in-depth explanation of key Linux characteristics and their role in privilege escalation, with real-world examples, CVEs, and attack techniques.

Key Linux Characteristics and How They Can Be Exploited

  1. File Permissions and Ownership

    • Linux uses a permission model (owner, group, others) with read (r), write (w), and execute (x) bits.

    • Misconfigured file permissions (e.g., writable setuid binaries) allow attackers to execute code with elevated privileges.

Example:

  • Scenario: A world-writable /etc/passwd file.

  • Exploit: Modify the /etc/passwd file to add a user with root privileges.

  • Mitigation: Ensure critical files have strict permissions using tools like chmod and chown.

  1. Setuid and Setgid Binaries

    • Binaries with the setuid or setgid bit set execute with the owner's or group's privileges, respectively.

    • If a vulnerable setuid binary allows arbitrary code execution, it leads to privilege escalation.

Example CVE:

  • CVE-2021-4034 (PwnKit):

    • A vulnerability in the pkexec utility of Polkit allowed privilege escalation by executing commands as root.

    • Exploited by overwriting environment variables and injecting malicious code.

  1. Sudo Misconfigurations

    • Sudo allows a user to execute commands with elevated privileges. Misconfigured sudoers files can be exploited.

    • Common issues:

      • Allowing unrestricted commands (sudo /bin/bash).

      • Environment variable abuse (e.g., LD_PRELOAD).

Example:

  • CVE-2019-14287:

    • A bug in sudo allowed users to bypass restrictions by specifying -1 or 4294967295 as a user ID, leading to root access.

  1. Kernel Vulnerabilities

    • The Linux kernel is a common target for privilege escalation due to its critical role in system operations.

    • Kernel exploits often leverage race conditions, buffer overflows, or improper handling of user input.

Example CVEs:

  • CVE-2022-0847 (Dirty Pipe):

    • Allowed local users to overwrite read-only files, leading to root privilege escalation.

    • Exploited by injecting malicious data into privileged files (e.g., /etc/passwd).

  • CVE-2016-5195 (Dirty Cow):

    • A race condition in the mmap system call allowed attackers to write to read-only memory, escalating privileges.

  1. Cron Jobs and Scheduled Tasks

    • Cron jobs are used for scheduled execution of scripts. Misconfigured cron jobs can lead to privilege escalation.

    • Common misconfigurations:

      • Writable cron job files.

      • Running scripts in world-writable directories.

Example:

  • A root-owned cron job executing a script from /tmp can be exploited by replacing the script with malicious code.

  1. Weak Passwords and Credentials

    • Default or weak passwords for privileged users allow attackers to gain unauthorized access.

    • Tools like hydra or john can crack weak passwords.

Real-World Example:

  • Mirai Botnet:

    • Exploited default credentials on IoT devices running Linux to gain access and build a DDoS botnet.

  1. Exploiting NFS (Network File System)

    • Improperly configured NFS shares can allow attackers to mount file systems and gain unauthorized access.

    • If an NFS export has the no_root_squash option, root permissions on the client system can translate to root access on the server.

Example:

  • Mounting an exported NFS directory as root and placing a malicious setuid binary in it.

  1. Capabilities

    • Linux capabilities break down root privileges into discrete units (e.g., CAP_NET_ADMIN, CAP_DAC_OVERRIDE).

    • A misconfigured binary with elevated capabilities can be exploited for privilege escalation.

Example:

  • A binary with CAP_DAC_OVERRIDE can bypass file permissions and access any file.

  1. World-Writable Directories

    • Directories like /tmp and /var/tmp are world-writable by design, which can be exploited to create malicious files.

    • Symlink attacks can redirect file writes to sensitive locations.

Real-World Cases of Privilege Escalation

  1. Gaining Root via Docker Misconfigurations

    • Scenario: A Docker container is configured to run with the --privileged flag or mounts the host file system.

    • Exploit: Mount the host / directory, edit sensitive files like /etc/shadow, and gain root access.

  2. Exploit via Unpatched Kernel

    • Case: The Dirty Cow vulnerability (CVE-2016-5195) was widely exploited to escalate privileges in production environments.

    • Impact: Allowed attackers to write arbitrary data to files they shouldn't have access to, including overwriting critical system files.

  3. Privilege Escalation through Vulnerable Services

    • CVE-2017-1000367: A vulnerability in Sudo allowed escaping restricted shells by manipulating the Sudo environment.

Tools for Privilege Escalation

  • LinPEAS: Automates privilege escalation enumeration.

  • Linux Exploit Suggester: Suggests kernel exploits based on the system version.

  • GTFOBins: Lists binaries that can be exploited for privilege escalation.

Did you find this article valuable?

Support Tech Ramblings by becoming a sponsor. Any amount is appreciated!

characteristicsLinuxlinux for beginnerslinux-basicslinux-commands
Â