Friday, September 1, 2017

7 - Linux Security: privilege escalation manipulating a user's UID


In this exercise a Linux Debian server is used:

- By default the only user with UID=0 is the superuser root:

- However, let's see what happens if a user's UID is manipulated and changed to 0.

- Creating a new user marie:

- Setting a password for the new user:

- Switching the session to the new user:

- The UID for the new user is 1004:

- Now here comes the tricky part. A user with enough privileges to edit /etc/passwd could manipulate this file, changing the user's UID from 1004 to 0:

- Switching to marie's session, let's see that the user marie is now treated exactly like the superuser root:

- Now the new user's UID is 0, although the group IDs have not been changed:

- Actually there are two users (root and marie) with UID=0:

- The fact of having UID=0 (regardless of the user's name) means that marie has full access to commands and files on the system, which can be considered an example of privilege escalation.

- To restore the default configuration, let's edit /etc/passwd again, assigning marie a UID other than 0:

- Finally the default configuration is restored:

- As a general rule, and with the goal of avoiding privilege escalation, it is advisable to check periodically that the only user with UID=0 is root:

- The previous command performs this task; its parts are:

a) awk           <- pattern scanning and processing language
b) -F:           <- use ":" as the field separator
c) '($3 == "0")  <- if the 3rd field (the UID) is equal to 0
d) print         <- print the line
e) /etc/passwd   <- scanning this file
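As an added example (not part of the original post), the periodic check described above, wrapped in a small POSIX shell script that can be dropped into a cron job. It runs against a constructed sample passwd file that reproduces the situation in the exercise (marie with UID 0 but her own group IDs) and goes one step beyond the post's single awk line: besides listing every UID 0 account other than root, it also reports any UID shared by more than one account, since a duplicate UID is the underlying anomaly the post observes. The function names, the sample file and its entries are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a passwd file for
# accounts with UID 0 and for duplicated UIDs.

# Print the names of all accounts whose 3rd field (the UID) is 0.
uid0_accounts() {
    awk -F: '($3 == "0") {print $1}' "$1"
}

# Print UID 0 accounts other than root; any output here is a finding.
extra_uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# Print "UID: name1 name2 ..." for every UID used by more than one account.
duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1"
}

# Return 0 when root is the only UID 0 account, 1 otherwise.
check_passwd() {
    [ -z "$(extra_uid0_accounts "$1")" ]
}

# Constructed sample (hypothetical entries) mirroring the post: marie's UID
# has been changed to 0 while her group IDs stay 1004.
SAMPLE_PASSWD=$(mktemp)
CLEAN_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$CLEAN_PASSWD"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marie:x:0:1004:marie,,,:/home/marie:/bin/bash
EOF

# Constructed sample after the configuration has been restored.
cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marie:x:1004:1004:marie,,,:/home/marie:/bin/bash
EOF

for f in "$SAMPLE_PASSWD" "$CLEAN_PASSWD"; do
    if check_passwd "$f"; then
        echo "OK: root is the only UID 0 account in $f"
    else
        echo "WARNING: extra UID 0 accounts in $f: $(extra_uid0_accounts "$f" | tr '\n' ' ')"
        echo "Duplicated UIDs: $(duplicate_uids "$f")"
    fi
done
```

On a real system run `check_passwd /etc/passwd` (or the post's one-liner) from a root cron job and alert on a non-zero exit status; the duplicate-UID report is the extra detail worth logging, since it names every account that shares root's identity.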