Understanding Linux privilege escalation and defending against it

What is Linux privilege escalation?

Privilege escalation is the process of elevating your permission level, by switching from one user to another one and gain more privileges. For example, a normal user on Linux can become root or get the same permissions as root. This can be authorized usage, with the use of the su or sudo command. It can also be unauthorized, for example when an attacker leverages a software bug. Especially this last category of privilege escalations is interesting to understand, so we can better defend our Linux systems.

How to escalate privileges?

Attackers who try to obtain additional privileges, often use so-called exploits. Exploits are pieces of code with the goal to release a particular payload. The payload will focus on a known weakness in the operating system or running software components. This may result in the software crashing or giving access to unexpected areas of the memory. By overwriting segments of memory and executing special crafted (shell) code, one may gain a successful privilege escalation.

These are the steps an attacker usually takes:

  1. Find a vulnerability
  2. Create the related exploit
  3. Use the exploit on a system
  4. Check if it successfully exploits the system
  5. Gain additional privileges

It is all about enumeration

The first step is to find a weakness or vulnerability in the system. To learn about any weaknesses you have to know what operating system and version is used. This is done with a process that is called enumeration. Within this process, you try to learn as much as possible about a network and its systems.

Attackers find more information by using Google, port scanning, and study the responses of requests from applications. With each step, more information becomes available. A similar approach is taken by penetration testers (pentesters), attackers with a legal contract to do so.

During this enumeration phase, the attacker can also determine if there are any compilers are available. If not, then there might any high-level programming languages like Perl or Python instead. This information is useful for a later stage, in which exploit code is used.

As part of enumeration, a lot of data will be collected. Every finding has to be stored, so it can be stored and processed later. Each piece of information can be used to search for known vulnerabilities, or other entries into the system. For example, when Apache is used, and the version number is listed, we can search for known vulnerabilities for that particular version.

Linux enumeration

For most operating systems and applications there are dedicated tools to help. Linux enumeration tools focus specifically on retrieving data from several key areas. These include directories that store the system configuration or its status, like /etc and /proc. There are several system administration tools available that will retrieve network details, file locations, or the system version. Example include:

  • /etc
  • /proc
  • ifconfig
  • lsof
  • netstat
  • uname

Exploiting the weakness

Next stage is about exploiting any weaknesses found. Sometimes ready-to-use code can be executed against the target, resulting in some level of access. Your WordPress installation (or a plugin) might be outdated, which may give an external visitor the permissions to upload files. The attacker can use this to plant a custom PHP script, to collect more information from the system. This is done by using specific PHP functions, like system(), to execute commands on the system itself.

How an attacker exploits software

The exploit process may take different steps before the right level of access is gained. Just being able to upload a file might be harmless to the system. So with every step, the attacker tries to retrieve more information and adjusting any required exploit. Sometimes a vulnerability might be there, but not exploitable. This can be due to additional defense layers (e.g. memory randomizing). The attacker has to adapt to the specifics of the machine.

Example of a privilege escalation attack

To show how an attacker may become root, let’s have a look at an example. Let’s assume the following: we have a Linux system running CentOS, with Apache and a WordPress website on it. Like most WordPress installations, it has several plugins installed. The webmaster had a busy period and did not update the plugins for a while. This is how a privilege escalation attack could go:

  1. The attacker runs an automatic script to detect this outdated plugin on many systems across the internet
  2. The automated script picks up on the presence of the plugin on the system and checks if it is version 1.2.4
  3. The attacker verifies the finding (or weed out any false positive)
  4. Attacker manually abuses the weakness in the plugin and via that uploads a custom PHP file to the system
  5. The attacker now requests to run this PHP script, to retrieve more data on the system
  6. The output of the script finds the availability of a compiler
  7. The script also finds an outdated Linux kernel, which has a known exploit to become root for non-privileged users
  8. A small C program is uploaded via the plugin
  9. The compiler is executed to compile the specific piece of C code into a binary program
  10. The program is executed to abuse the Linux privilege escalation bug in the kernel
  11. A new user is added to the system by the attacker
  12. The attacker can now log in to the system via SSH

This is just an example of how a small piece of information is used during enumeration and followed up for later processing. Then the process is repeated several times to find more details about the system until the attacker gains full root permissions.

How do you defend against privilege escalation?

The best way to counter Linux privilege escalations is by using the common “defense in depth” method. You apply several defenses, each targeting a specific area. If one layer of defense fails, this doesn’t necessarily mean your system can be compromised. That is obviously easier said than done, so let’s have a look in some of the measures.

Reduce the information leaked by applications

Most applications have an application banner. This can be a greeting message with details about the application, like its name and version number. While it may look innocent, it is better to avoid giving away too much information. Especially leaking version numbers should be prevented.

Remove compilers or restrict access to them

The presence of a compiler is not needed for most systems. Production systems should only have a compiler available when it is absolutely necessary. As attackers often need the compiler to successfully build an exploit, removing them is definitely a good step.

Apply Linux updates and patches

Systems often get compromised due to weaknesses in software components. There are actually multiple suggestions in this area. First of all, subscribe to mailing lists to know what kind of vulnerabilities were found recently. Next step is to run updates on a regular basis and keep your systems up-to-date. Also, apply security updates automatically when possible, like using unattended-upgrades on Debian and Ubuntu systems.

Run file integrity monitoring software

The best way to detect a privilege escalation or breach is by monitoring important system files. If one of them change unexpectedly, this may be an indication of a security issue. This monitoring can be achieved by file integrity monitoring (FIM) solution. Popular tools include AIDE or with the Linux audit framework (auditd).

Perform system auditing

Maybe the best thing one can do is running continuously security audits. For Linux systems, consider a tool like rkhunter or ClamAV to do malware scanning. Use LynisExternal link for an in-depth security scan of the system. While Lynis is intended as a defensive tool, it actually can find things that are related to privilege escalation. Think of issues like cronjobs that are writable or showing software banners. For that reason, Lynis is also used by pentesters in their work. System auditing may actually reveal unexpected vulnerabilities that the usual vulnerability scanners could not find.

Privilege escalation checkers

Some tools can help you with checking if there is a privilege escalation possible. This can be a useful exercise to learn how privilege escalations work. They will also help you check if your Linux systems are vulnerable to a particular type of privilege escalation and take counter-measures.

  • unix-privesc-checkExternal link - Gather information and determine possible attacks
  • LinEnumExternal link - Perform enumeration and check for possible Linux privilege escalation options

Have a look at the privilege escalation toolsExternal link on Linux Security Expert for more options and more extensive reviews.

Conclusion

Linux privilege escalation can happen due to one or more failing security layers. An attacker has to start doing enumeration and process the resulting data. He or she will continue to do testing when more information becomes available. This will repeat until one of the security defenses gets penetrated. Applying proper security defenses is your first safeguard against these attacks. They get much stronger if all defenses are in place, like minimizing the data you share, applying security updates, and monitoring the systems.

Did you learn something from this article? Great! You can actually contribute by sharing this article or by sending in feedback. Thanks!

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon