{"id":109,"date":"2008-02-01T21:19:26","date_gmt":"2008-02-01T21:19:26","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=109"},"modified":"2011-08-31T16:24:24","modified_gmt":"2011-08-31T16:24:24","slug":"unix-privesc-check","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/tools\/audit\/unix-privesc-check","title":{"rendered":"unix-privesc-check"},"content":{"rendered":"
unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2).\u00a0 It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).<\/p>\n
It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed).\u00a0 It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).<\/p>\n
unix-privesc-check v1.4 can be downloaded here.\u00a0 (Version 1.1 is here if you still need it).<\/p>\n
Update: The google code SVN is more up to date.<\/p>\n
Usage<\/h2>\n
The download is gzip’d, so gunzip it.\u00a0 Upload it to the server you’re auditing \/ pentesting then just run it:<\/p>\n
$ .\/unix-privesc-check > output.txt<\/pre>\n
The output’s a bit messy (it’s hard to be neat with shell scripts), so you’re probably best to save the output and search it for the word ‘WARNING’.\u00a0 If you don’t see the word ‘WARNING’ then the script didn’t find anything.\u00a0 Example:<\/p>\n
$ .\/unix-privesc-check<\/pre>\n
Starting unix-privesc-check v1.0 ( http:\/\/pentestmonkey.net\/tools\/unix-privesc-check )\r\n\r\nThis script checks file permissions and other settings that could allow\r\nlocal users to escalate privileges.\r\n\r\nUse of this script is only permitted on systems which you have been granted\r\nlegal permission to perform a security assessment of.\u00a0 Apart from this\r\ncondition the GPL v2 applies.\r\n\r\nSearch the output below for the word 'WARNING'.\u00a0 If you don't see it then\r\nthis script didn't find any problems.\r\n\r\nAssuming the OS is: linux\r\n\r\n############################################\r\nChecking if external authentication is allowed in \/etc\/passwd\r\n############################################\r\nNo +:... line found in \/etc\/passwd\r\n\r\n############################################\r\nChecking nsswitch.conf for addition authentication methods\r\n############################################\r\nNeither LDAP nor NIS are used for authentication<\/pre>\n
... lots more output ...<\/pre>\n
What’s the Intended Usage of unix-privesc-check?<\/h2>\n
It’s intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for “obvious” misconfigurations.\u00a0 It can even be run as a cron job so you can check regularly for misconfigurations that might be introduced.<\/p>\n
I wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges.\u00a0 There are lots of things that pentesters will check in this situation and one of the most tedious to check is weak file permissions – this is often one of the most fruitful, though, so there’s no avoiding it.<\/p>\n
Disclaimer: Running this script alone isn’t a substitute for a proper audit (e.g. following one of the NSA’s excellent configuration guides).\u00a0 There are lots of possibilities for escalation that are just too hard to audit using a script.\u00a0 This script is intended to be a shortcut, not a replacement for a proper audit.\u00a0 See the “Limitations” section below for lots of examples of areas not covered by this script.<\/p>\n
So this is a Unix Audit Script?<\/h2>\n
Not in the traditional sense.\u00a0 “Unix Audit” means different things to different people.\u00a0 I understand it to mean checking a whole array of configuration settings including:<\/p>\n
So, no, it’s not an audit script in this sense.\u00a0 It doesn’t set out to do all these things.\u00a0 It checks for a subset of these which relate directly to privilege escalation.\u00a0 It focusses mainly on generic techniques: common misconfigurations and weak file permissions.\u00a0 It doesn’t check for missing patches; however, this is difficult to check “on-box” using a single shell script.\u00a0 Check out exploit-suggester if you’re interested in doing this “off-box”.<\/p>\n
Why Another Auditing Script?<\/h2>\n
There are lots of scripts out there that will perform a local security audit for you (Tiger and LSAT are good examples).\u00a0 Some hoover data so you can analyse it offline, others will analyse it too and present you a nice report.\u00a0 These have their place and I’ll continue to use them.\u00a0 However…<\/p>\n
I haven’t found one that gives me a quick list of obvious attack vectors which is written as a single shell script (I hate shell scripts too, but I wanted a script that would run on virtually any Unix system).<\/p>\n
I therefore decided to write unix-privesc-check to focus on finding misconfigurations that can actually be exploited as opposed to finding all the usual best-practice stuff.<\/p>\n
Some Vulnerabilities Introduced Through Weak File Permissions<\/h2>\n
Below is a list of the checks performed by the script.\u00a0 Note that whenever it checks file permissions, it also checks the permissions on the parent directories.\u00a0 When it finds a group-writable file or directory it only flags an issue if that group has more than one non-root member.<\/p>\n
Writable Home Directories<\/h3>\n
If you can write to someone’s home directory, you could add a .rhosts file or .ssh\/authorized_keys file and log in right away; or alter one of the login scripts (e.g. .bash_profile) and have them create an SUID shell when they log in.\u00a0 There are lots of problems if home directories are writable.<\/p>\n
The script flags a warning if any home directories are writable by anyone other than the owner or root.<\/p>\n
Readable \/etc\/shadow<\/h3>\n
Not so common these days, but could allow you to read password hashes, crack them then log in as other users.<\/p>\n
This script checks if the shadow file is readable by non-root users.\u00a0 If it can read the shadow file, it also performs some other checks (see below).<\/p>\n
Weak Permissions On Cron Jobs<\/h3>\n
Cron jobs are normally listed in \/etc\/crontab and \/var\/spool\/cron\/crontabs\/.\u00a0 Cron jobs can be run by any user.\u00a0 This script checks if cron jobs run programs that can be modified by users other than root and the user the job runs as.<\/p>\n
Writable Configuration Files<\/h3>\n
Programs that are run as root are listed in lots of files (\/etc\/init.d\/*, \/etc\/inetd.conf, \/etc\/xinetd.d\/*, etc.).\u00a0 If any of these files are writable by non-root users, this script will flag a warning.<\/p>\n
Writable Device Files<\/h3>\n
This script checks that device files corresponding to currently mounted file systems (e.g. \/dev\/sda1) aren’t writable.\u00a0 I doubt this happens very often to be honest, but it doesn’t hurt to check.<\/p>\n
Readable Files In Home Directories<\/h3>\n
There can be lots of interesting things in home directories, but this script checks for files that contain passwords (.netrc, .my.cnf) and ACLs (.rhosts, .ssh\/*).\u00a0 If readable, these can provide a way to access local applications or other local user accounts.<\/p>\n
Running Processes Correspond To Writable Programs<\/h3>\n
This script does a “ps” listing, attempts to determine the full path of each program running and checks if it can be modified by anyone other than the user it’s running as and root.<\/p>\n
Other Stuff Not Related To File Permissions<\/h2>\n
The script also performs a couple of other checks related to privilege escalation, but not related to file permissions:<\/p>\n
Sudo Configuration<\/h3>\n
Sudo is one of the most obvious ways to escalate privileges if it’s enabled.\u00a0 Sometimes only certain commands can be run, sometimes any command can be run.<\/p>\n
If \/etc\/sudoers is readable, this script checks if it’s being used, lists which users can use sudo and which ones can use it without a password.<\/p>\n
Accounts with no Password<\/h3>\n
If \/etc\/shadow is readable, the script lists any accounts without passwords.<\/p>\n
How useful is unix-privesc-check in practice?<\/h2>\n
It depends largely on the base OS and the amount of configuration an administrator has done (more configuration = more chance of mistakes).\u00a0 If you run it against a fairly modern OS (e.g. Linux, Solaris 9\/10) that hasn’t had much configuration done, then you’re not going to find much.\u00a0 These OSs have fairly secure file permissions by default.\u00a0 However, if you run it against Solaris 8 or against a system that has been running for a couple of years and had a lot of configuration done or 3rd party apps installed, then you’ll probably find quite a bit.<\/p>\n
I’m ashamed to say that I found a couple of serious misconfigurations in my own Linux box when I ran this script!<\/p>\n
Limitations<\/h2>\n
Currently only the stuff above is checked.\u00a0 None of the other “traditional audit” stuff is checked.\u00a0 There are also some obvious privilege escalation tactics regarding file permissions which are too hard to script up (for me at least).\u00a0 This list acts as a list of limitations \/ inspiration for manual testing \/ working TODO list:<\/p>\n
Yeah, lots and lots of limitations, so make sure you do a manual audit too. \ud83d\ude42 I hope this script saves you some time, though.<\/p>\n","protected":false},"excerpt":{"rendered":" unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2).\u00a0 It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[41,19,76,70],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/109"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=109"}],"version-history":[{"count":4,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/109\/revisions"}],"predecessor-version":[{"id":580,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/109\/revisions\/580"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}