We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw.

From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to "bugs" that can be patched. Frequently, configuration mistakes give rise to privilege escalation flaws, so you should audit your system for these problems regularly. For example, a user may create a cron job that is then executed by root, while the script file remains writable by the user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.

Luckily, there are a number of scripts that make it easier for us to find these problems:

unix-privesc-check: A very comprehensive script that works on many Unix flavors, not just Linux. Read the "ToDo" section at the beginning, as it lists other areas that should be checked. The output is sent to stdout, and you had better pipe it to a file, as it is very verbose even in default mode.
http://pentestmonkey.net/tools/audit/unix-privesc-check

LinEnum: A more limited script as far as privilege escalation goes, but it does summarize other configuration options nicely.
https://github.com/rebootuser/LinEnum

linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.
http://www.securitysift.com/download/linuxprivchecker.py

And if you prefer to take a more "manual" approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:
http://www.rebootuser.com/?p=1623

Any tools I missed? Please let me know!
Johannes 4068 Posts ISC Handler Jan 21st 2015
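An added check for the cron misconfiguration the diary describes (not code from the diary or from any of the tools it links): it reads a crontab in /etc/crontab format and flags jobs of a privileged user whose command file is group- or world-writable or owned by someone else. It assumes POSIX sh plus find's -maxdepth extension; the sample scripts and crontab are constructed.

```shell
#!/bin/sh
# Added audit check, not code from the diary or from any of the tools it links.
# It reads a crontab in /etc/crontab format (5 time fields, user, command) and
# reports jobs of a privileged user whose command file someone else could edit.
# Assumes POSIX sh plus find's -maxdepth extension (GNU and BSD both have it).

# find_writable_cron_targets CRONTAB_FILE [PRIV_USER]
# For each job that runs as PRIV_USER (default root), print the command file if it
# is group-writable, world-writable, or not owned by PRIV_USER.
find_writable_cron_targets() {
    crontab_file=$1
    priv_user=${2:-root}
    grep -v '^[[:space:]]*#' "$crontab_file" | grep -v '^[[:space:]]*$' |
    while read -r _min _hour _dom _mon _dow user cmd; do
        [ "$user" = "$priv_user" ] || continue
        target=${cmd%% *}               # first word of the command: the script path
        [ -f "$target" ] || continue    # skip shell builtins and missing files
        # -perm -0002: world-writable; -perm -0020: group-writable
        if [ -n "$(find "$target" -maxdepth 0 \( -perm -0002 -o -perm -0020 -o ! -user "$priv_user" \))" ]; then
            echo "WRITABLE: $target (runs as $priv_user)"
        fi
    done
}

# demo_audit: constructed sample. Creates two scripts and a crontab in a temp dir,
# with the current user standing in for root, and prints the basename of each
# flagged script. Only backup.sh should be reported.
demo_audit() {
    me=$(id -un)
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$dir/rotate.sh"
    chmod 0777 "$dir/backup.sh"   # the mistake: anyone can edit a script cron runs privileged
    chmod 0755 "$dir/rotate.sh"   # fine: only the owner can write it
    cat > "$dir/crontab" <<EOF
# constructed sample crontab
0 2 * * * $me $dir/backup.sh --full
30 3 * * * $me $dir/rotate.sh
15 4 * * * nobody $dir/backup.sh
EOF
    find_writable_cron_targets "$dir/crontab" "$me" |
    while read -r _tag path _rest; do basename "$path"; done
    rm -rf "$dir"
}

demo_audit
```

On a real host you would run find_writable_cron_targets against /etc/crontab and the files under /etc/cron.d, which is one of the checks the scripts above automate.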
Jan 21st 2015
We use several tools also. One you did not mention is diffmon.
We use that coupled with mysqldump against the mysql.users table (and other files) to nightly show us anything that moved (and what exactly the differences are). Configuration is simple and easy. Very useful for watching changes to any text file: php.ini, /etc/passwd, apache configurations, /var/spool/crontabs/root, etc.
FireStorm9 6 Posts
Jan 20th 2015
I find lynis (https://cisofy.com/lynis/) to be a very good tool for checking for configuration-based privilege escalation issues.
Micky 1 Posts
Jan 20th 2015
Another tool which also detects weak and privilege escalation spots is the open source auditing tool Lynis - https://cisofy.com/lynis/
Michael 1 Posts
Jan 21st 2015
linuxprivchecker must be good - it appears twice! :)
patermann 35 Posts
Jan 21st 2015
ninja (http://forkbomb.org/ninja/)
There are packages for Ubuntu and likely Debian. I was able to port it to RHEL5 and 6. It can monitor or even block privilege escalations. Unfortunately, it is getting rather long in the tooth. I discovered it after seeing that Linux didn't really log privilege escalations due to an exploit such as the CVE-2010-3081 exploit (exploit-db.com, EDB-ID: 15024), which affects RHEL5.5 (x86-64).
jbmoore 11 Posts
Jan 21st 2015