n0where / N0where / N0WHERE:11229
Oct 11, 2013 - 5:03 p.m.

Find Misconfigurations: unix-privesc-check

n0where.net

Unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).

Usage

The download is gzip’d, so gunzip it. Upload it to the server you’re auditing / pentesting then just run it:

$ ./unix-privesc-check > output.txt

The output’s a bit messy (it’s hard to be neat with shell scripts), so you’re probably best to save the output and search it for the word ‘WARNING’. If you don’t see the word ‘WARNING’ then the script didn’t find anything. Example:

$ ./unix-privesc-check

What’s the Intended usage of user-privesc-checker?

It’s intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for “obvious” misconfigurations. It can even be run as a cron job so you can check regularly for misconfigurations that might be introduced.
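The two habits described above, saving the output and searching it for WARNING, and running the script regularly from cron, fit together in a small wrapper. The following is an added example, not part of unix-privesc-check or the original page: it prints only the WARNING lines that are new since the previous saved run. The function names, file names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report WARNING lines that are new since the previous run.
# Assumption: a finding is any line containing the word WARNING, as the page says.

# new_warnings PREVIOUS CURRENT
# Prints WARNING lines present in CURRENT but not in PREVIOUS, sorted and unique.
# A missing PREVIOUS file is treated as an empty baseline (first run).
new_warnings() {
    prev=$1
    cur=$2
    [ -r "$cur" ] || { echo "cannot read $cur" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    if [ -r "$prev" ]; then
        { grep -F 'WARNING' "$prev" || true; } | LC_ALL=C sort -u > "$tmp/old"
    else
        : > "$tmp/old"
    fi
    # grep exits 1 when nothing matches; that is a clean run, not an error.
    { grep -F 'WARNING' "$cur" || true; } | LC_ALL=C sort -u > "$tmp/new"
    # comm -13 keeps lines that appear only in the second (current) file.
    LC_ALL=C comm -13 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Constructed sample data: two saved outputs (not real tool output).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'Checking cron job programs' \
        'WARNING: /opt/app/backup.sh is world-writable' > "$d/yesterday.txt"
    printf '%s\n' 'Checking cron job programs' \
        'WARNING: /opt/app/backup.sh is world-writable' \
        'WARNING: /etc/app.conf is group-writable by users' > "$d/today.txt"
    new_warnings "$d/yesterday.txt" "$d/today.txt"
    rm -rf "$d"
}

demo
```

In a cron job, the saved output from the last run becomes PREVIOUS and the fresh output becomes CURRENT; any line this prints is a misconfiguration introduced since then.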

I wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges. There are lots of things that pentesters will check in this situation and one of the most tedious to check is weak file permissions – this is often one of the most fruitful, though, so there’s no avoiding it.

Disclaimer: Running this script alone isn’t a substitute for proper audit (e.g. following one of the NSA’s excellent configuration guides). There are lots of possibilities for escalation that are just too hard to audit using a script. This script is intended to be a shortcut, not a replacement for a proper audit. See the “Limitations” section below for lots of examples of areas not covered by this script.

So this is a Unix Audit Script?

Not in the traditional sense. “Unix Audit” means different things to different people. I understand it to mean checking a whole array of configuration settings including:

  • Security patches (i.e. that they’ve been applied)
  • Cracking passwords to check for weak ones
  • IP Stack configuration (no unnecessary IPv6, no IP Forwarding, etc.)
  • Weak file permissions (reading sensitive data, modifying sensitive files)
  • Configuration of local applications (reviewing sshd_config, httpd.conf)
  • Other best-practise stuff (remote logging, no insecure protocols, paranoid mount options)

So, no, it’s not an audit script in this sense. It doesn’t set out to do all these things. It checks for a subset of these which relate directly to privilege escalation. It focusses mainly on generic techniques: common misconfigurations and weak file permissions. It doesn’t check for missing patches, however this is difficult to check “on-box” using a single shell script. Check out exploit-suggester if you’re interested in doing this “off-box”…
