Linux Privilege Escalation: Techniques and Security Tips

What is privilege escalation?

Privilege escalation is a key concept for attackers seeking access to sensitive information or restricted functionality on an information system. Typically, this involves exploiting security weaknesses in a given system to escalate from a limited level of access, with standard permissions, to a higher level of access, with greater rights.

On Linux, there are several techniques for escalating a user’s privileges. Exploitation of configuration weaknesses, vulnerabilities in programs and broken access control are the main ones.

The risks associated with privilege escalation are significant: an attacker who succeeds could access sensitive data, make unauthorised modifications or use the system for other malicious purposes. This is therefore a matter that system administrators should not take lightly; they should always take this risk into account and implement appropriate security measures to prevent it.

In this article, we will detail the main privilege escalation techniques on Linux with concrete examples to illustrate how they work, as well as best security tips to prevent them.

What are the key techniques for privilege escalation on Linux?

Exploiting configuration weaknesses

The first and probably most common privilege escalation technique on Linux is to exploit configuration weaknesses. This is done by taking advantage of a lack of configuration of a system’s security settings to access restricted data or features (outside the intended permissions).

Weak passwords and brute force attacks

A common example of a configuration weakness that can be easily exploited is the presence of an account with a weak password. An attacker could, by brute force, try to find the account’s password using a list of frequently used passwords. Moreover, to increase the chances of success of a brute force attack, the password list can be tailored to a specific target by including variations on the person’s name, company, date of birth, etc.

For instance, the following passwords (non-exhaustive list), which are still far too commonly used, should be avoided because most of them can be guessed in less than 10 seconds with the right dictionary:

•	password
•	123456
•	123456789
•	admin
•	administrator
•	root
•	toor

To prevent these risks, system administrators must ensure that the passwords used for accounts are strong and unique. For this purpose, it is strongly recommended to use password managers to generate long, random and therefore difficult to guess passwords. For the same purpose, PAM (Pluggable Authentication Modules) can be configured to impose the use of strong passwords, for example by requiring a minimum number of characters or by forbidding the presence of one’s name in the password, etc.

Finally, another mechanism to counter brute force attacks is the implementation of fail2ban, which automatically bans IP addresses after several failed connections.

For more information, we recommend our article: Brute force attacks: principles and security best practices.

Broken access control and least privilege violation

The principle of least privilege should be respected for the services that are set up. If an attacker exploits a vulnerability in a service that is running as administrator, they obtain the same privileges as the service. For example, if a web server running with administrator permissions has a vulnerability that allows arbitrary code execution, that code will run under the administrator account.

Most of the time during our penetration tests, we observe broken access control on files or programs. If these assets have overly permissive rights, a user with low privileges may be able to read or modify them.

For example, consider the following case: the file vaadata_secret_protected.pdf can only be read and modified by the user root. On the other hand, the file vaadata_secret.pdf can be read by any user.

-rwx------ 1 root root    0 Jan 17 14:56 vaadata_secret_protected.pdf
-rwxr--r-- 1 root root    0 Jan 17 14:56 vaadata_secret.pdf

A misconfiguration of access rights on the configuration file of a service that runs with more privileges than the current user could allow that service to be taken over.
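The following is an added example, not code from the original article: it builds a constructed directory mirroring the listing above (plus a world-writable service configuration file) and audits it for files that users other than the owner can read or write. The file names and the directory are constructed for the demonstration; on a real system the same find expressions would be run against the directories that hold the service's files.

```shell
# Added example (not from the original article): build a constructed directory
# mirroring the listing above and audit it for files that users other than the
# owner can read or write. File names are constructed for the demonstration.

# Create the constructed sample tree and print its path.
make_demo_tree() {
    dir=$(mktemp -d)
    : > "$dir/vaadata_secret_protected.pdf"; chmod 700 "$dir/vaadata_secret_protected.pdf"
    : > "$dir/vaadata_secret.pdf";           chmod 744 "$dir/vaadata_secret.pdf"
    : > "$dir/service.conf";                 chmod 666 "$dir/service.conf"   # world-writable config
    printf '%s\n' "$dir"
}

# Files under $1 that are readable by "others" (the vaadata_secret.pdf case).
world_readable() {
    ( cd "$1" && find . -type f -perm -004 | sed 's|^\./||' | sort )
}

# Files under $1 that group members or others can write: a low-privileged user
# could alter these, which is the dangerous case for a service's configuration.
writable_by_non_owner() {
    ( cd "$1" && find . -type f \( -perm -020 -o -perm -002 \) | sed 's|^\./||' | sort )
}

demo=$(make_demo_tree)
echo "World-readable files:";  world_readable "$demo"
echo "Writable by non-owner:"; writable_by_non_owner "$demo"
rm -rf "$demo"
```

The octal masks passed to `-perm -NNN` require all of the given bits to be set, so `-perm -004` matches any file with the "others read" bit and `-perm -002` any file with the "others write" bit, regardless of the remaining permissions.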

It is important to note that there are many other configuration weaknesses that can be exploited to escalate privileges on Linux. System administrators should therefore be aware of these risks and take appropriate security measures to prevent them.

Exploiting vulnerabilities in programs

Another common method of privilege escalation on Linux is to exploit vulnerabilities in programs (operating systems, web servers, databases, etc.). These vulnerabilities can be bugs in the code that allow attackers to execute arbitrary code (RCE) with high privileges.

For example, a buffer overflow vulnerability in a program can allow for privilege escalation. Bugs of this type can allow attackers to execute arbitrary code using malicious input that exceeds the size allocated for that input. Attackers can then execute commands with high privileges using the privileges of the vulnerable program.

A second example would be vulnerabilities in file management services. Services such as Samba, NFS and FTP are used to share files between different systems. If these services contain vulnerabilities, attackers may be able to access sensitive files or execute commands with elevated privileges. In 2019, the release of a vulnerability in vsftpd 2.3.4 (CVE-2011-2523) allowed attackers to take control of FTP servers using a backdoor in the software.

Exploiting local privileges

On Linux, programs can be configured to run with the permissions of the file’s owner (SUID), of the file’s group (SGID) or with additional capabilities.

These programs need access to restricted features or information to function properly. For example, the passwd utility must run as root to edit the password file. If such rights are granted to the wrong binaries, or the binaries themselves are misconfigured, they can be abused by attackers to escalate their privileges.

For example, if the nmap binary has the SUID bit set, commands executed through it run as the user who owns the nmap file.

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF

The website GTFOBins lists techniques for abusing binaries that have been given privileges through misconfiguration.
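From the defender's side, the check that matters is whether any SUID/SGID binary exists that is not on a vetted baseline. The following is an added example, not code from the original article or from GTFOBins: it enumerates SUID/SGID files under a directory and reports those absent from an allowlist. The directory contents (passwd and sudo legitimately SUID, nmap wrongly SUID) and the allowlist are constructed for the demonstration; on a real system the scan would start at / and the baseline would be taken from a freshly installed reference machine.

```shell
# Added example (not from the original article): list SUID/SGID files under a
# directory and report those absent from an allowlist. The directory contents and
# the allowlist are constructed; real systems would scan / and keep a vetted baseline.

# Relative names of files under $1 with the SUID (4000) or SGID (2000) bit set.
list_setid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sed 's|^\./||' | sort )
}

# Print SUID/SGID files under $1 that are not listed (one name per line) in $2.
unexpected_setid() {
    list_setid "$1" | grep -vxF -f "$2" || true
}

# Constructed sample: passwd and sudo legitimately SUID, nmap wrongly SUID, ls plain.
make_demo_bins() {
    dir=$(mktemp -d)
    for b in passwd sudo nmap ls; do : > "$dir/$b"; chmod 755 "$dir/$b"; done
    chmod u+s "$dir/passwd" "$dir/sudo" "$dir/nmap"
    printf '%s\n' "$dir"
}

# Constructed allowlist (assumed baseline for this demo).
make_demo_allowlist() {
    f=$(mktemp)
    printf 'passwd\nsudo\n' > "$f"
    printf '%s\n' "$f"
}

bins=$(make_demo_bins); allow=$(make_demo_allowlist)
echo "Unexpected SUID/SGID binaries:"; unexpected_setid "$bins" "$allow"
rm -rf "$bins" "$allow"
```

Running the scan periodically (for example from a cron job that mails the diff) turns a one-off audit into a detection control: any binary that acquires the SUID bit after installation shows up as unexpected.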

Finally, scheduled tasks (cron jobs) are another way for an attacker to obtain privileges. Consider a scenario where the script run by a scheduled task is writable by all users.

# > ls -la /opt/backup.sh
-rw-rw-rw- 1 root root 0 Jan 17 15:07 backup.sh

Thus, an attacker can modify the content of the script so that the scheduled task executes a malicious command (such as a reverse shell) as root, thereby escalating the attacker’s privileges.

# > crontab -l

# Backup vaadata website
* * * * * /opt/backup.sh
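The following is an added example, not code from the original article: it reads crontab lines on standard input and flags every scheduled command whose script can be modified by users other than its owner, which is exactly the misconfiguration shown in the listing above. The crontab text and the two scripts are constructed for the demonstration; entries using @reboot-style shortcuts are not parsed.

```shell
# Added example (not from the original article): read crontab lines on stdin and
# flag scheduled commands whose script can be modified by users other than its
# owner. The crontab text and the scripts are constructed for the demonstration;
# @reboot-style shortcuts are not parsed.

# Constructed scripts: backup.sh world-writable (as in the listing), rotate.sh not.
make_demo_cron_dir() {
    dir=$(mktemp -d)
    : > "$dir/backup.sh"; chmod 666 "$dir/backup.sh"
    : > "$dir/rotate.sh"; chmod 755 "$dir/rotate.sh"
    printf '%s\n' "$dir"
}

# For each crontab entry on stdin, print the command path if group or others can write it.
flag_writable_cron_targets() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac             # skip blank lines and comments
        cmd=$(printf '%s\n' "$line" | awk '{ print $6 }')   # fields 1-5 are the schedule
        [ -f "$cmd" ] || continue
        if [ -n "$(find "$cmd" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            printf '%s\n' "$cmd"
        fi
    done
}

demo=$(make_demo_cron_dir)
printf '# Backup vaadata website\n* * * * * %s/backup.sh\n0 3 * * * %s/rotate.sh\n' "$demo" "$demo" \
    | flag_writable_cron_targets
rm -rf "$demo"
```

On a real host the input would be `crontab -l` for root plus the files under /etc/cron.d and /etc/crontab; a complete audit would also check that the directory containing each script is not writable by others, since a writable directory allows the script to be replaced rather than edited.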

How to prevent privilege escalation?

One of the roles of system administrators is to implement security measures to prevent or limit privilege escalations.

Implementing an effective update policy

Regularly updating Linux systems is a central aspect of preventing privilege escalation attacks. Vulnerabilities are constantly identified in programs. Fortunately, these discoveries are very often (and very quickly) accompanied by patches, which are usually delivered as a new version (major or minor).

Implementing an update policy is therefore essential, as the details of a patched vulnerability are often publicly accessible. All attackers, from the most novice to the most experienced, can obtain the details of the identified vulnerabilities as well as the available exploits, which allows them to launch large-scale attacks with a high chance of success. For this reason, keeping systems up to date with the latest security patches is essential to prevent the risk of exploitation.

Logging and monitoring events

System logs record detailed information about user activities, network connections and system errors. For this reason, an effective security policy cannot be achieved without proper log management, in order to detect abnormal activities such as attempted privilege escalation.

For logging and monitoring, there are many tools (logstash, logtail, splunk, etc.) that can be configured to identify suspicious users and alert administrators to abnormal activity.

Lastly, it is important to keep logs for a sufficiently long period of time to allow for retrospective analysis in the event of a security incident. For more information, you can consult our dedicated article: Logging and monitoring: definitions and best practices.
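The following is an added example, not code from the original article: it applies the two detection rules discussed on this page, repeated failed SSH logins from one source (the logic fail2ban applies before banning, see the brute force section above) and refused sudo attempts (a sign of attempted privilege escalation), to a handful of constructed auth.log lines. The log lines, host name and IP addresses are constructed sample data, not real logs.

```shell
# Added example (not from the original article): detect brute force sources and
# refused sudo attempts in auth.log-style lines. The sample below is constructed
# (host, users, addresses), not a real log.
AUTH_LOG_SAMPLE='Jan 17 14:50:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 17 14:50:03 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 17 14:50:05 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Jan 17 14:50:06 web01 sshd[1203]: Failed password for invalid user toor from 203.0.113.7 port 51031 ssh2
Jan 17 14:50:07 web01 sshd[1203]: Failed password for alice from 198.51.100.9 port 40211 ssh2
Jan 17 14:51:00 web01 sshd[1210]: Accepted password for alice from 198.51.100.9 port 40212 ssh2
Jan 17 14:52:10 web01 sudo:     bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 17 14:52:15 web01 sudo:     bob : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash'

# Read log lines on stdin; count failed SSH logins per source IP and print
# "ip count" for every source at or above the threshold ($1, default 3).
ssh_bruteforce_sources() {
    threshold=${1:-3}
    awk -v t="$threshold" '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }'
}

# Read log lines on stdin; print each user whose sudo attempt was refused,
# either because the command is not allowed or because of a wrong password.
sudo_refusals() {
    awk -F' : ' '/ sudo: / && ($2 ~ /command not allowed|incorrect password/) {
        sub(/^.* sudo: +/, "", $1); print $1
    }' | sort -u
}

echo "Brute force sources (>= 3 failures):"
printf '%s\n' "$AUTH_LOG_SAMPLE" | ssh_bruteforce_sources 3
echo "Users with refused sudo attempts:"
printf '%s\n' "$AUTH_LOG_SAMPLE" | sudo_refusals
```

In practice these rules would be fed from the log pipeline (logstash, splunk or the journal) rather than from a shell variable, and the sudo rule should alert on the first occurrence: a legitimate administrator rarely has a command refused, whereas a user probing what they are allowed to run does.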

Secure access and implement the principle of least privilege

It is important to configure systems to give users and programs limited access rights according to their role and the tasks they perform. Indeed, the principle of least privilege should always be applied to minimise the risk of escalation.

In addition, privilege management strategies should be implemented, such as restricting the privileges of temporary users: they should only have the privileges they need to perform their task, and those privileges should be automatically revoked once they are no longer needed.

Conclusion

Elevation of privilege on Linux is a major concern in computer security. Attackers can use various methods to escalate their privileges on a system, such as exploiting vulnerabilities in programs, exploiting weak passwords, or even exploiting programs with elevated privileges.

It is important for system administrators to understand these risks and take appropriate security measures to avoid them. This may include regular monitoring of software vulnerabilities, security updates and employee training. It is also important to limit program privileges to those necessary for proper operation and to regularly monitor logs for anomalous activity.

Finally, it is important to note that security threats are constantly evolving, so it is necessary to maintain constant vigilance and continue to keep abreast of the latest security trends to effectively protect systems against privilege escalation attacks.

Author: Alexis Martin – Penetration Tester