1 of 9

Program Misuse

Privilege Escalation

Yan Shoshitaishvili

Arizona State University

2 of 9

Recall the Linux permission model

Every process has a UID and a GID.

Every file and directory is owned by a user and group.

Child processes inherit from parent processes.

3 of 9

Some UIDs are better than others...

UID 0 is the Linux administrator user, root. Roughly speaking, you need root for:

  • Installing software.
  • Loading device drivers.
  • Shutting down, rebooting.
  • Changing system-wide settings.

But if you're UID 1000, how do you become UID 0?

4 of 9

Privilege Elevation

One way to elevate your privileges is to run an SUID binary.

SUID is a bit in the Linux permission model:

SUID: execute with the eUID of the file owner rather than the parent process.

SGID: execute with the eGID of the file's owning group rather than the parent process.

Sticky: used for shared directories to limit file removal to file owners.

Common examples of SUID binaries: sudo, su, newgrp

Permission bits (diagram): SUID | SGID | Sticky | User Read / Write / Exec | Group Read / Write / Exec | World Read / Write / Exec

5 of 9

Quick Detour: eUID?

Three different types of user and group IDs:

Effective (eUID, eGID): the UID/GID used for most access checks.

Real (UID, GID): the "real" UID (or GID) of the process owner, used for things such as signal checks.

Saved: a UID/GID that your process could switch its eUID/eGID to. Used for temporarily dropping privileges.
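An added C example (not from the slides) that makes the three UIDs concrete: a program reads its real, effective and saved UIDs with getresuid, drops privileges temporarily (eUID := real UID, saved UID untouched), regains them from the saved UID, and finally drops them permanently with setresuid so nothing is left to regain. getresuid/setresuid are Linux-specific (hence _GNU_SOURCE); run without the SUID bit, all three UIDs already match and the transitions are no-ops.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The three UIDs the kernel keeps per process (see the slide above). */
struct uid_triple { uid_t real, effective, saved; };

/* Snapshot real, effective and saved UIDs; all (uid_t)-1 if the call fails. */
struct uid_triple read_uids(void) {
    struct uid_triple t;
    if (getresuid(&t.real, &t.effective, &t.saved) != 0)
        t.real = t.effective = t.saved = (uid_t)-1;
    return t;
}

/* Temporary drop: eUID := real UID. The saved UID still holds the file
 * owner's UID, so the process can regain it later. Returns 0 on success. */
int drop_privileges_temporarily(void) {
    return seteuid(getuid());
}

/* Regain: eUID := saved UID. Works only while the saved UID still holds
 * the privileged value, i.e. before a permanent drop. Returns 0 on success. */
int regain_privileges(void) {
    return seteuid(read_uids().saved);
}

/* Permanent drop: all three UIDs := real UID, so no later seteuid() can
 * bring the owner's UID back. Verifies the result; returns 0 on success. */
int drop_privileges_permanently(void) {
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0)
        return -1;
    struct uid_triple t = read_uids();
    return (t.real == real && t.effective == real && t.saved == real) ? 0 : -1;
}

/* 1 when real == effective == saved (nothing left to regain), else 0. */
int uids_all_equal(struct uid_triple t) {
    return t.real == t.effective && t.effective == t.saved;
}

static void show(const char *stage) {
    struct uid_triple t = read_uids();
    printf("%-10s real=%u eff=%u saved=%u all_equal=%d\n", stage,
           (unsigned)t.real, (unsigned)t.effective, (unsigned)t.saved, uids_all_equal(t));
}

int main(void) {
    show("start");
    drop_privileges_temporarily(); show("temp drop");
    regain_privileges();           show("regained");
    drop_privileges_permanently(); show("perm drop");
    return 0;
}
```

Compile with gcc, then `chown root` and `chmod u+s` the binary to watch the effective and saved UIDs differ from the real one across the four stages.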

6 of 9

With great power comes great responsibility...

eUID 0 is powerful. Aside from system management, root can (by default):

Open any file!

  • Including things in the special /proc filesystem!
  • And device-backed files!

Execute any program.

Assume any other UID or GID.

Debug any program.

Obviously, this can be a security disaster...

7 of 9

Privilege Escalation

Privilege Escalation is a class of exploit in which the attacker elevates their privileges to (generally) root level.

Typical flow:

  1. Gain a foothold on the system (vulnerable network service, intended shell access, code in app context, etc).
  2. Identify a vulnerable privileged service.
  3. Exploit the privileged service to gain its privileges.

Example: if an SUID binary has a security problem, an attacker can use it in a privilege escalation attack:

8 of 9

Security Woes

Who would be this careless?

  1. Vulnerabilities in SUID binaries, such as sudo:
    1. CVE-2019-14287: privilege escalation under certain configurations.
    2. CVE-2018-10852: permission misconfiguration leading to privilege escalation
    3. CVE-2017-1000367: improper input sanitization leading to command execution
    4. CVE-2016-7076: privilege escalation under certain invocation scenarios
    5. CVE-2016-7091: privileged information disclosure
    6. CVE-2015-5602: privilege escalation under certain configurations
    7. CVE-2014-0106: bypass of configuration restrictions
  2. Unnecessary SUDOing (or running as root by other means) of other software.
    • Depressingly common in course grading systems, other shared server management software.
    • Too common with containerization (docker's default user is root).
  3. OS-level vulnerabilities (stay tuned!).

9 of 9

Practice Problems!

This module's practice problems:

  1. Connect to pwn.college.
  2. Select a program path to unnecessarily SUID.
    1. TONS of programs can be chosen, but not everything is viable to read the flag with...
  3. Use this program to read /flag, if you can!

Let's demo a few:

  • /bin/cat
  • /usr/bin/more
  • /usr/bin/find