Local privilege escalation (LPE) is the exploitation of vulnerabilities in how code or services that handle standard or guest users perform tasks on behalf of the system, so that a user's privileges are changed from those of a normal user to those of root or an administrator. Such unintended changes violate the permission model: a normal user who ends up with a root shell can tamper with the whole system. Anyone who finds such a vulnerability can exploit it to gain access at a higher privilege level.
In computers, permissions, rights, or features are granted to users or groups so that they can run programs and perform special tasks as a particular user or group. For example, an administrator user has permission both to run and to modify a particular service, whereas a standard user can only run the service and has no permission to write special services or to modify configuration files.
Understanding Privileges and Permissions
There are three permissions: read, write, and execute. They are described below:
- Read permission: As the name suggests, a user with only this permission can view or read the contents of a file, or list the contents of a directory.
- Write permission: With write permission, a user can modify the contents of a file or a directory, as well as read them.
- Execute permission: Execute permission allows a user to execute a file, program, or script. On a directory, this permission lets a user traverse the directory and make it the current working directory.
Anyone who understands a vulnerability in the code flow of a running service or program can extend their privileges to root or administrator.
Various methods are used to escalate a user's privileges, such as PowerShell scripts, executable binaries, Metasploit modules, and so on. Attackers also build their own methods to reconfigure the victim's machine or server settings so that they can work with or interact with services. They need to check the permissions of the current user: which files are writable, which are readable, whether tokens can be generated, whether tokens can be stolen, and so on. Hackers can then maintain access to and control over all services and leave them even more exposed to exploitation.
Windows and Unix systems become insecure when services and permissions are not maintained properly and are left world-writable, because anyone can then write their own scripts for those services to execute. This can do great damage in the case of network services: attackers can capture the victim's confidential data or alter the flow of data, which can be a big loss.
Example: Suppose we land in a guest user's shell and need the privileges of a standard user. We look for services or programs that run as the standard user but whose files are writable or manageable by the guest user. If we find a service that runs as the standard user and loads its script from a world-writable directory, we can replace that script with our payload, and whenever the service loads the script it runs with the standard user's privileges.
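As an added example, not part of the original article, the following Python script audits for the misconfiguration just described: a script file, or any directory on the path to it, that is world-writable and therefore replaceable by any local user. It builds a constructed sample tree (hypothetical names svc/backup.sh and ok/run.sh) inside a temporary directory and reports which script a low-privileged user could replace; the sticky-bit exception for directories such as /tmp is handled.

```python
import os
import stat
import tempfile

def world_writable(st_mode):
    """True when the 'other' write bit is set on a mode."""
    return bool(st_mode & stat.S_IWOTH)

def audit_script(script, stop_at):
    """Check a script and its ancestor directories (up to and including stop_at)
    for modes that let any local user replace it. Returns [(path, reason), ...]."""
    findings = []
    script, stop_at = os.path.abspath(script), os.path.abspath(stop_at)
    if world_writable(os.lstat(script).st_mode):
        findings.append((script, "script file is world-writable"))
    d = os.path.dirname(script)
    while True:
        mode = os.lstat(d).st_mode
        # World-writable dir without the sticky bit: anyone can delete and recreate
        # the script. With the sticky bit (as on /tmp) only the owner can, so skip.
        if world_writable(mode) and not mode & stat.S_ISVTX:
            findings.append((d, "parent directory is world-writable without sticky bit"))
        if d == stop_at or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return findings

def build_sample_tree():
    """Construct a throwaway tree (hypothetical names): one script in a
    world-writable directory, one in a correctly locked-down directory."""
    base = tempfile.mkdtemp()            # created with mode 0700, so not writable by others
    bad_dir, good_dir = os.path.join(base, "svc"), os.path.join(base, "ok")
    bad, good = os.path.join(bad_dir, "backup.sh"), os.path.join(good_dir, "run.sh")
    for d in (bad_dir, good_dir):
        os.makedirs(d)
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho running\n")
        os.chmod(p, 0o755)
    os.chmod(bad_dir, 0o777)             # the misconfiguration under discussion
    os.chmod(good_dir, 0o755)
    return base, bad, good

if __name__ == "__main__":
    base, bad, good = build_sample_tree()
    for s in (bad, good):
        print(s, "->", audit_script(s, base) or "clean")
```

To audit a real service, call audit_script with the path of the script the service loads and the directory above which the check should stop.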
Benefits For A Hacker
- If a hacker lands on a system with guest or standard user privileges, they can gather information by running services or programs that are vulnerable to privilege escalation, and can reach what the administrator user or the Administrators group is allowed to do.
- Hackers can take advantage of such flaws to execute their own code or services and take control of the target system.
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
Proof Of Concept: https://youtu.be/-H-SVW1_-w0