6

So, suppose that someone obtained a shell on a remote machine (of course via the Internet), but the (Linux) shell runs as the www user. Would there be any way of trying privilege escalation?

Rory Alsop
AAAAAAA

2 Answers

11

Yes. The top two methods of privilege escalation are:

  • Kernel flaws. If there is a vulnerability in the kernel, this could enable an unprivileged user to gain root-level access. Such vulnerabilities have been seen many times in the past.

  • Setuid programs. If there is a vulnerability in any of the setuid programs installed on the system, then an unprivileged user might be able to use this to gain root (or escalated) access. Such vulnerabilities have been common in the past.

(There are other methods of privilege escalation, such as exploiting a race condition in the way that a program running as root uses the filesystem, or vulnerabilities in a system service/daemon. However, my impression is that those are a bit less common.)

My rough rule of thumb is: if an attacker has access to a non-root account on your machine, you should assume that, if they are sufficiently dedicated and sophisticated, they may be able to get root on your machine. It's not a sure thing, to be sure -- but reliably stopping privilege escalation is difficult when the attacker has access to a user account on your system.

If this sounds abstract, let me make it more concrete for you. You know how, for most smartphones, you can go on the Internet and find a way to root or jailbreak your phone? Well, guess what -- when you run some program to "root" your phone, under the covers it works by exploiting some privilege escalation vulnerability in your phone. Tools for rooting your phone have one or more such privilege-escalation exploits baked into them, and there is a phone enthusiast community that avidly looks for and collects such vulnerabilities. Empirically, most phones can be rooted -- in other words, most phones have at least one such vulnerability. The prevalence of such vulnerabilities gives you some idea of the difficulty of reliably preventing privilege escalation.

D.W.
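The second escalation path in the answer above is only as wide as the set of setuid programs on the box, so a defender's first check is to know exactly which ones exist and to notice when a new one appears. The following script is an added example, not code from the thread: it inventories setuid/setgid files under a tree and flags any not on an allowlist. The allowlist format, the cron usage and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: inventory setuid/setgid files
# under a directory tree and flag any that are not on an allowlist.
# Every setuid program is a candidate for the second escalation path the
# answer lists, so keeping the inventory small and known is a mitigation.
# The allowlist format and the sample paths are assumptions for illustration.

# list_setuid DIR: print every setuid or setgid regular file under DIR,
# staying on one filesystem, one absolute path per line, sorted.
list_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_setuid DIR ALLOWLIST: print setuid/setgid files under DIR that
# do not appear in ALLOWLIST (one exact path per line). Empty output means
# the inventory matches the recorded baseline. An empty allowlist prints
# the whole inventory, which is how the baseline is first produced.
unexpected_setuid() {
    list_setuid "$1" | grep -v -x -F -f "$2"
}

# Usage (assumed paths): unexpected_setuid / /etc/setuid-allowlist
# Run it from cron and mail the output; review and record the first run's
# full listing as the baseline before trusting silent runs.
if [ "$#" -ge 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```

Anything that shows up here that is not needed (an old helper, a locally built tool with the bit set "for convenience") is a candidate for `chmod u-s`; what remains is the list that kernel and package security updates have to keep patched.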
0

I agree with the above answer but would like to expand on it a little bit. Kernel vulnerabilities have been common (just recently Ben reported a vulnerability in some networking driver that can allow for privilege escalation). Linux doesn't have the best chroot protection (even with grsec), but a grsec-patched kernel (on a server it should have the "highest" protection applied) makes it very, very difficult for non-root to really do anything.

Now, once an attacker has access to a user account, they are not so interested in gaining root, but more interested in using that as a foothold for other servers in the network or using it as a Zeus-type C&C. I won't discuss Zeus here because that would make the discussion very extensive, but as a rule of thumb, you can run a cron job to do a regex-based search for "Please wait, the page is loading", as that is generally a compromised account (through the Blackhole exploit kit). The attackers generally use ZeroAccess to maintain that access, and this is another JavaScript-based exploit kit.

So in short, do all security updates, run grsec kernels and you should be in good shape. HTH.

dhillonv10
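The cron-driven search the answer suggests, written out as an added example (not code from the answer): it scans a web root for the marker string, counts hits, and appends a timestamped history line per hit so repeated runs show when a file first changed. The web root, the file types examined and the log path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the answer: a cron-friendly scan of a web
# root for the marker string the answer names as a sign of injected
# exploit-kit content. The web root path, file types and the report
# location are assumptions chosen for illustration.

MARKER='Please wait, the page is loading'

# scan_webroot DIR: print each file under DIR whose content contains
# MARKER (fixed-string match, so no regex metacharacters matter).
# Only typical served text types are examined to keep the cron run cheap.
scan_webroot() {
    grep -r -l -F --include='*.html' --include='*.htm' --include='*.php' \
         --include='*.js' -e "$MARKER" "$1" 2>/dev/null
}

# count_hits DIR: number of matching files, always printed (0 when clean).
count_hits() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# report DIR LOGFILE: append a timestamped line per hit so repeated cron
# runs build a history; exit status 1 when anything matched, 0 when clean,
# so cron's mail (or a wrapper) fires only on a non-zero result.
report() {
    hits=$(scan_webroot "$1")
    [ -n "$hits" ] || return 0
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s marker found in %s\n' "$stamp" "$f"
    done >> "$2"
    return 1
}

# Example crontab entry (assumed paths): run hourly, log hits to a file.
#   0 * * * * /usr/local/sbin/webroot-scan.sh /var/www /var/log/webroot-scan.log
if [ "$#" -ge 2 ]; then
    report "$1" "$2"
fi
```

A hit is a prompt to diff the file against the deployed release, not proof by itself: a site's own copy could legitimately contain that phrase, and the string is tied to one campaign, so the marker list should be maintained alongside the rest of your indicators rather than frozen at this one value.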