Privilege escalation: Difference between revisions

From Hackepedia
Jump to navigationJump to search
← Older edit
Details.
mNo edit summary
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
Privilege escalation is the process by which a user executes [[processes]] with more rights than they normally are entitled to use.  This can be both good and bad.   
Privilege escalation is the process by which a user executes [[process|processes]] with more rights than they normally are entitled to use.  This can be both good and bad.   


For example, allowing a user to change their own password requires write access to the <code>/etc/passwd</code> and/or <code>/etc/shadow</code> file.  Under normal circumstances, users can only read <code>/etc/passwd</code>, and do nothing with <code>/etc/shadow</code>:
For example, allowing a user to change their own password requires write access to the <code>/etc/passwd</code> and/or <code>/etc/shadow</code> file.  Under normal circumstances, users can only read <code>/etc/passwd</code>, and do nothing with <code>/etc/shadow</code>:
Line 12: Line 12:
  -r-sr-xr-x  1 root  bin  25152 Sep 11 20:07 /usr/bin/passwd
  -r-sr-xr-x  1 root  bin  25152 Sep 11 20:07 /usr/bin/passwd


Priviledge escalation is also a frequent goal of a [[cracker]] (causing a [[DoS]] is another).  Typically, a cracker will attempt to exploit a [[bug]] to gain "Unauthorized Priviledge Escalation" (usually targeting the [[root]] user), and so take control of a system.
Priviledge escalation is also a frequent goal of a [[cracker]] (causing a [[DoS]] is another).  Typically, a cracker will attempt to exploit a [[bug]] to gain "Unauthorized Priviledge Escalation" (usually targeting the [[root]] user), in order to take control of a system.


see [[setuid]],[[permissions]].
see [[permissions]] and [[setuid]]
 
 
== perl ==
 
You should also change $( and $) in order to set the real and effective group IDs as well:
($<,$>) = (getpwnam('nobody'),getpwnam('nobody'));

Latest revision as of 10:04, 30 May 2008

Privilege escalation is the process by which a user executes processes with more rights than they normally are entitled to use. This can be both good and bad.

For example, allowing a user to change their own password requires write access to the /etc/passwd and/or /etc/shadow file. Under normal circumstances, users can only read /etc/passwd, and do nothing with /etc/shadow: 

 # ls -l /etc/{passwd,shadow}
 -rw-r--r--    1 root     root         3215 Jun 30 10:28 /etc/passwd
 -rw-------    1 root     root         2829 Oct 24 12:05 /etc/shadow

However, to edit these files, users can run the passwd, which has the setuid bit set. This escalates the priviledge level of the user so that it can perform a very specific action (edit /etc/passswd and /etc/shadow) as the root user: 

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1 root  bin  25152 Sep 11 20:07 /usr/bin/passwd

Priviledge escalation is also a frequent goal of a cracker (causing a DoS is another). Typically, a cracker will attempt to exploit a bug to gain "Unauthorized Priviledge Escalation" (usually targeting the root user), in order to take control of a system.

see permissions and setuid


perl

You should also change $( and $) in order to set the real and effective group IDs as well: 

($<,$>) = (getpwnam('nobody'),getpwnam('nobody'));
Retrieved from "https://hackepedia.org/index.php?title=Privilege_escalation&oldid=4135"