Understanding Linux Privilege Escalation and Defending Against It
Linux Privilege Escalation
How it works, and what steps you can take to protect yourself
Privilege escalation in another term for the elevation of permissions, of a normal user. This means that a normal user on Linux can become root, or get the same permissions as root. This can be authorized usage, with the use of the su or sudo command. It can also be unauthorized, for example when an attacker gains too many permissions. In this case often with the means of malicious code. Especially this last category is interesting to understand, so we can better defend our Linux systems.
Privilege Escalation steps
Attackers who try to obtain additional privileges often use so-called exploits. Exploits are pieces of code, often compiled into a binary executable. The executable will focus on a known weakness in the operating system or running software components. This may result in elevated permissions, by overwriting segments of memory and executing special crafted (shell) code.
These are the steps an attacker usually takes:
- Find a vulnerability
- Create the related exploit
- Use the exploit on a system
- Check if it successfully exploits the system
- Gain additional privileges
Enumeration: Collecting data
The first step is to find a weakness, or vulnerability, in the system. To learn about any weaknesses you have to know what operating system and version is used. This is done with so-called “enumeration”. This is the process of learning information about networks and individual systems. Attackers find more information by using Google, scanning UDP/TCP ports, and study any responses. With each step, more information becomes available. A similar approach is taken by penetration testers (pentesters), attackers with a legal contract to do so.
During this enumeration phase, the attacker can also determine if there are any compilers are available. If not, then there might any high-level programming languages like Perl of Python instead. This information is useful for a later stage, in which exploit code is used.
As part of enumeration, a lot of data will be collected. Every finding has to be stored, so it can be stored and processed later. Each piece of information can be used to search for known vulnerabilities, or other entries into the system. For example, when Apache is used, and the version number is listed, we can search for known vulnerabilities for that particular version.
Exploiting the weakness
Next stage is about exploiting any weaknesses found. Sometimes ready-to-use code can be executed against the target, resulting in some level of access. Your WordPress installation (or a plugin) might be outdated, which may give an external visitor the permissions to upload files. The attacker can use this to plant a custom PHP script, to collect more information from the system. This is done by using specific PHP functions, like system(), to execute commands on the system itself.
Moving in steps
The exploit process may take different steps before the right level of access is gained. Just being able to upload a file might be harmless to the system. So with every step, the attacker tries to retrieve more information and adjusting any required exploit. Sometimes a vulnerability might be there, but not exploitable. This can be due to additional defense layers (e.g. memory randomizing). The attacker has to adapt to the specifics of the machine.
To show how an attacker might become root, here is a possible “train” of many small steps:
- System runs Apache with WordPress has an outdated plugin
- Attacker runs automatic script to detect this outdated plugin on many systems across the internet
- Automated script picks up on the presence of the plugin on system, and checks if it is version 1.2.4
- The attacker verifies the finding (or weed out any false positive)
- Attacker manually abuses the weakness in the plugin and via that uploads a custom PHP file to the system
- Attacker now requests to run this PHP script, to retrieve more data on the system
- The output of script finds the availability of a compiler
- Script also finds an outdated Linux kernel, which has a known exploit to become root for non-privileged users
- A small C program is uploaded via the plugin
- The compiler is executed to compile the specific piece of C code into a binary program
- The program is executed to abuse the Linux privilege escalation bug in the kernel
- A new user is added to the system by the attacker
- Attacker can now log in to the system via SSH
This is just an example of how a small piece of information is used during enumeration and followed up for later processing. Then the process is repeated several times to find more details about the system. This is followed up by and attacking more specific system components, until the attacker gains full root permissions.
The best way to counter Linux privilege escalation is using the common “defense in depth” method. You apply several defenses, each targeting a specific area. If one layer of defense fails, this doesn’t necessarily mean your system can be compromised.
Reduce the information leaked by applications
Don’t give away too much information. Especially leaking version numbers should be limited.
Remove compilers, or restrict access to them
Production systems should only have a compiler available when absolutely necessary. For most systems this is not needed. As attackers often need the compiler to successfully build an exploit, this will definitely improve system hardening.
Apply Linux updates and patches
Systems often get compromised due to weaknesses in software components. Keeping them up-to-date is an easy way to reduce this risk.
Run file integrity monitoring software
Know when important system files change. This can be achieved by file integrity monitoring software, like the popular AIDE toolkit.
Perform system auditing
Maybe the best thing one can do is running continuously security audits. For Linux systems, consider a tool like rkhunter or ClamAV to do malware scanning. Use Lynis for an in-depth security audit and learn what hardening steps can be taken.
Some tools can help you with doing enumeration yourself. They will also help you checking if your Linux systems are vulnerable to privilege escalation.
- unix-privesc-check – Gather information and determine possible attacks
- LinEnum – Perform enumeration and check for possible Linux privilege escalation options
Linux privilege escalation can happen due to one or more failing security layers. An attacker has to start doing enumeration and process the resulting data. He or she will continue to do testing when more information becomes available. This will repeat until one of the security defenses gets penetrated. Applying proper security defenses is your first safeguard against these attacks. They get much stronger if all defenses are in place, like minimizing the data you share, applying security updates, and monitoring the systems.