
Demystifying Linux Special Permissions

Updated: Feb 22



For seasoned *nix users and admins, special permissions are not a new topic. However, when evaluating a *nix system during an engagement, paying close attention to how these permissions are set up can sometimes lead to privilege escalation through misconfiguration.


Linux File Permissions

To understand just what a Linux special permission is, we first have to unpack the concept of permissions within a Linux file system.


Permissions within Linux file systems provide a level of access control to files through the assignment of three basic file permission types:



  1. Read (r) - Allows a user to read the associated file

  2. Write (w) - Allows a user to write to the associated file

  3. Execute (x) - Allows a user to execute the associated file


Moreover, these file permissions can be granted to groups of users, which again come in threes:


  1. Owner (u) - This group encompasses the original creator of the file by default

  2. Group (g) - This group encompasses a group of users

  3. All Users (o) - This group describes all other users within the system


To view the current permissions of a file within the system, a quick ls -l can be used:



Breaking down the above image:



In the above example, the file "file.txt" is of type file (denoted by the first '-'). The user (u) has read/write permissions, the group (g) has read/write permissions, and all other users (o) have read permissions. The user in this case is 'ubuntu', denoted by the entry in the third field, and the group is 'ubuntu', shown by the entry in the fourth field.


Allocating Linux File Permissions

To assign Linux file permissions, we have to get a grasp on two main 'modes' of operation, namely Absolute (numeric) and Symbolic. In Linux, permissions are assigned to a file with the chmod (change mode) utility.


Absolute Mode (numeric)

This mode of operation uses the octal numbering system to allocate permissions. Let's break this down a little.


The octal numbering system is also known as base 8. It contrasts with our standard base 10 system: where base 10 uses the digits 0-9 in combination, base 8 uses only the digits 0-7.


To understand this further, let's use a file permission of rwx as an example and see how Linux represents each file permission attribute using the octal numbering system. If we take the highest value within the system, i.e. 7, and break it down into three silos, we find that the best way to think of it is as a binary representation, with each permission occupying one bit.


Let's look at an example.


Read is represented by the value 4, which in binary is 100

Write is represented by the value 2, which in binary is 010

Execute is represented by the value 1, which in binary is 001


Now, let's say we only wanted to assign the user (u) read permissions. We can use the Absolute mode of Linux permissioning to assign a 4 to the user digit:


Example

chmod 400 file.txt

The resulting file permission is read for the user, with no permissions for group or other.


If we wanted to set a combination of both read and write, we first need to work out the octal representation for this.


Read = 4

Write = 2


So combining these gives us 6

chmod 600 file.txt

Symbolic Mode

This mode of setting Linux file permissions uses 'symbols' to assign permissions on a file to specific users, and Linux takes care of the mathematics for you. It uses a specific operator to set things as you see fit.


Operators

'+' - Adds a permission to a file or directory

'-' - Removes a permission from a file or directory

'=' - Sets permissions and overwrites existing permissions


Users (Owners)

'u' - User/Owner

'g' - Group

'o' - All other users on the system

'a' - User, group and other will be set


Let's say we wanted to repeat the above and assign the user (u) read permissions. We can do this using the following syntax:


Example

chmod u+r file.txt

Setting the combination of both read and write can be achieved like this:

chmod u+rw file.txt

Now that we have a basic understanding of how Linux file permissions are allocated and assigned, let's look into the fourth permission type.


Special Permissions

Special file permissions are used to allocate additional privileges to files and directories. Each of these special permissions corresponds to one of the previously mentioned access levels, namely User, Group and Other.


SUID - This special permission can be allocated at the user (u) level and simply allows execution of the file as the user who owns the file

SGID - Allows execution of the file as the group that owns the file and if set on a directory will allocate the ownership of newly created files to the group ownership of the directory

Sticky - Restricts deletion of a file to the original owner (and root) of that file


The special file permissions are allocated using the most significant digit of the octal file mode, placed in front of the user, group and other digits:


SUID = 4

SGID = 2

Sticky = 1


Let's allocate the SUID bit, using both Absolute and Symbolic modes. We will also set the read, write and execute attributes of the file for the user (u).


Using Absolute Mode

chmod 4700 file.txt

Using Symbolic Mode

chmod u+rwxs file.txt
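
To tie the octal digits to what ls -l prints, the following added example (not part of the original post) decodes a 3- or 4-digit mode into the nine permission characters, including the s/S and t/T forms that appear when a special bit is set with or without execute. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. mode_to_symbolic, triplet and overlay are hypothetical helper names.

# One octal digit (0-7) -> its rwx triplet: read=4, write=2, execute=1.
triplet() {
    t=""
    [ $(($1 & 4)) -ne 0 ] && t="${t}r" || t="${t}-"
    [ $(($1 & 2)) -ne 0 ] && t="${t}w" || t="${t}-"
    [ $(($1 & 1)) -ne 0 ] && t="${t}x" || t="${t}-"
    printf '%s' "$t"
}

# Overlay a special bit on the execute slot of a triplet.
# $1 = triplet, $2 = non-zero if the bit is set, $3 = letter (s or t).
overlay() {
    trip=$1
    if [ "$2" -ne 0 ]; then
        case $trip in
            ??x) trip="${trip%?}$3" ;;                                 # execute set: s / t
            *)   trip="${trip%?}$(printf '%s' "$3" | tr 'st' 'ST')" ;; # no execute: S / T
        esac
    fi
    printf '%s' "$trip"
}

# 3- or 4-digit octal mode -> the nine permission characters shown by ls -l.
mode_to_symbolic() {
    case $1 in
        ''|*[!0-7]*) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    case ${#1} in
        3) m="0$1" ;;
        4) m=$1 ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    s=${m%???}; rest=${m#?}           # special digit, then the u/g/o digits
    u=${rest%??}; o=${rest#??}; g=${rest#?}; g=${g%?}
    printf '%s%s%s\n' \
        "$(overlay "$(triplet "$u")" $((s & 4)) s)" \
        "$(overlay "$(triplet "$g")" $((s & 2)) s)" \
        "$(overlay "$(triplet "$o")" $((s & 1)) t)"
}

mode_to_symbolic 664     # rw-rw-r--  (the file.txt listing described earlier)
mode_to_symbolic 4700    # rws------  (SUID with execute)
mode_to_symbolic 4600    # rwS------  (SUID without execute: capital S)
mode_to_symbolic 1777    # rwxrwxrwt  (sticky, as on a shared temp directory)
```

A capital S or T in a listing means the special bit is set but the matching execute bit is not.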

How to capitalise on this upon engagement

Ultimately, it may be possible to escalate privileges when weak permissions are found on a target system. There are many examples out there that prove this to be true.


Our following example uses the concepts learnt within this blog to first search for files that carry the special Linux permission, and then uses this weakness to escalate privilege from low to root for the win!


We utilise the find command to first search for interesting file types:

find -perm -u=s -type f 2>/dev/null

./home/ubuntu/file-permissions/shell

./bin/mount

./bin/fusermount

./bin/umount

./bin/su

./bin/ping

./usr/bin/find

./usr/bin/chfn

./usr/bin/newgidmap

We stumble across many of these types of files, as listed above.


We hone in on the find utility, which has the facility to execute commands within its syntax. As the find binary is owned by root and has the SUID bit set, it can be used to execute a command in the context of the root user.

ls -al /usr/bin/find

-rwsr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find

We can now execute using the following syntax:

whoami

ubuntu

touch randomfile

find randomfile -exec "whoami" \;

root
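
From the defender's side, the same find search can be run as a recurring check that reports any SUID or SGID file that is not on a reviewed allowlist, which is how an unexpected SUID bit on a utility such as find gets caught. This is an added example, not part of the original post; the function name audit_setid and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on a reviewed allowlist.
# audit_setid and the allowlist format (one absolute path per line) are assumptions.
audit_setid() {
    root=$1
    allowlist=$2
    # -xdev stays on one filesystem; -perm -4000 matches SUID, -perm -2000 SGID.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        # -F fixed string, -x whole line: only an exact path match is accepted.
        if ! grep -Fxq -- "$path" "$allowlist"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed demo in a scratch directory (no system files are touched).
demo_dir=$(mktemp -d)
touch "$demo_dir/su" "$demo_dir/find" "$demo_dir/notes.txt"
chmod 4755 "$demo_dir/su" "$demo_dir/find"             # both carry the SUID bit
chmod 644 "$demo_dir/notes.txt"
printf '%s\n' "$demo_dir/su" > "$demo_dir/allowlist"   # only su is expected
audit_setid "$demo_dir" "$demo_dir/allowlist"          # prints the path ending in /find
rm -rf "$demo_dir"
```

On a real host the function would be pointed at / with an allowlist built from a known-good install; a reported binary that should not be setuid is corrected with chmod u-s.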

Summary


As can be seen in this short Linux refresher, Linux permissions, if not configured securely, can lend themselves to misuse and in some cases full system compromise. The Security Team hopes this information was useful, and thank you for broadening your knowledge through curiosity.

