Privilege Escalation(Linux)
Linux user ID is ‘root‘.
LINUX-SPECIFIC PRIVILEGE ESCALATION
- SUID/SGID programs
- Permission to execute a program as executable‘s owner/group
- ls shows ‘s‘ in executable bit of permissions
- -r-sr-sr-x(SUID and SGID set)
- Unsecure SUDO
- Authorized users execute commands as if logged in a root
- Ret2libc
- Stack overflow attack
- Replaces current stack return address with attacker-chosen address of another subroutine
- Libc includes useful calls, such as ‘system‘
- Sticky bits
- Directory permission
- Multiple users can create, read, and write files, but only the owner can delete
- ls shows ‘t‘ in the last bit of permissions
- drwxrwxrwt
QUICK REVIEW
- SUID/SGID and sudo make systems easier to use, but can make them easier to compromise
- Ret2libc is a potential attack vector for hijacking processes
- Sticky bit directories can allow attackers to write files and executables