Permission Vulnerabilities - Foren-Ken/tech-journal GitHub Wiki

What are permission vulnerabilities?

These vulnerabilities arise when permissions are not set according to the principle of least privilege. Too much power is given to users (or programs) that do not require it to function, which makes the attack surface much larger.

How to set and understand permissions:

Every file on Linux has permission groupings, often seen as something like this:
-rwxrwxrwx
But more commonly, it will be seen as this:
-rwxr-xr-x

These groupings are made of four different parts:
- is the file type
1st rwx is the owner's privileges
2nd rwx is the group's privileges
3rd rwx is the others' privileges

Each of these parts, besides the first file type, can be seen as three bits. When a permission is active, the bit is 1, and when inactive, the bit is 0:
This would make the permission rwxrwxrwx equal to 111 111 111, or 7 7 7.
Using the same process, the permission rwxr-xr-x is equal to 111 101 101, or 7 5 5.
As a final example, the permission rwxr----x is equal to 111 100 001, or 7 4 1.
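The conversion just described, as an added shell example that is not part of the original wiki page: mode_to_octal is a hypothetical helper name. It takes a nine-character rwx string, or a ten-character ls -l field with the leading file-type character, and prints the octal digits. It goes beyond the three examples in the text by also handling the "s" bit discussed further down (and the sticky "t" bit), which it reports as a leading special digit: 4 for setuid, 2 for setgid, 1 for sticky.

```shell
#!/bin/sh
# Added example: convert a symbolic mode such as "rwxr-xr-x" to octal ("755").
# mode_to_octal is a hypothetical helper, not a standard command.
# Accepts 9 characters (rwxrwxrwx) or 10 with the leading file-type character
# as shown by ls -l (-rwxr-xr-x). An s/S in the owner or group execute slot
# (setuid/setgid) or t/T in the others slot (sticky) adds a leading fourth
# digit, e.g. "rwsr-xr-x" -> 4755.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) case $m in
                [-dlcbps]*) m=${m#?} ;;   # drop the file-type character
                *) printf 'bad file type in: %s\n' "$1" >&2; return 1 ;;
            esac ;;
        9)  ;;
        *)  printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    special=0   # setuid=4, setgid=2, sticky=1
    digits=""
    rest=$m
    for who in u g o; do
        # Peel off one triple, one character at a time (POSIX parameter expansion).
        r=${rest%"${rest#?}"}; rest=${rest#?}
        w=${rest%"${rest#?}"}; rest=${rest#?}
        x=${rest%"${rest#?}"}; rest=${rest#?}
        val=0
        case $r in r) val=$((val + 4)) ;; -) ;; *) printf 'bad read field "%s"\n' "$r" >&2; return 1 ;; esac
        case $w in w) val=$((val + 2)) ;; -) ;; *) printf 'bad write field "%s"\n' "$w" >&2; return 1 ;; esac
        # The execute slot may carry the special bit: lowercase means execute is
        # also set, uppercase means the special bit is set without execute.
        case "$who$x" in
            ?x) val=$((val + 1)) ;;
            us) val=$((val + 1)); special=$((special + 4)) ;;
            uS) special=$((special + 4)) ;;
            gs) val=$((val + 1)); special=$((special + 2)) ;;
            gS) special=$((special + 2)) ;;
            ot) val=$((val + 1)); special=$((special + 1)) ;;
            oT) special=$((special + 1)) ;;
            ?-) ;;
            *)  printf 'bad execute field "%s" for %s\n' "$x" "$who" >&2; return 1 ;;
        esac
        digits="$digits$val"
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$digits"
    else
        printf '%s\n' "$digits"
    fi
}

# Demo on the three modes from the text plus setuid/setgid/sticky variants.
for m in rwxrwxrwx -rwxr-xr-x rwxr----x rwsr-xr-x -rwxr-sr-x rwSr--r-- drwxrwxrwt; do
    printf '%-11s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

The uppercase S/T case is worth knowing when reading ls output: it means the special bit is set on a file that is not even executable, which is usually a sign of a mistaken chmod.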

There is another letter beyond rwx, and that is "s". It stands for "setuid" (set user ID) on the file. When this bit is set and the file is executed, it runs with the permissions of the file's owner or of the file's group (which one depends on the command used to set it).
sudo chmod u+s testfile: when executed, testfile will use the permissions of the file owner.
sudo chmod g+s testfile: when executed, testfile will use the permissions of the group the file belongs to.

The effect can be seen in a file listing, since an "s" will replace the "x" in either the owner or the group permission triple.

How to discover permission vulnerabilities:

Often an ethical hacker will not have access to privileged accounts, only to a normal user account. This means it is not possible to run commands that require privileges, such as sudo or cat /etc/shadow. This can be bypassed if the underprivileged account has access to a file which is configured improperly, for example a file owned by root with setuid set while also having read/write/execute permissions for everyone. This lets the underprivileged user act with root privileges without needing access to the root account. A command to find such files is as follows:
find / -perm -u=s -type f 2>/dev/null

The "/" is the root directory, where "find" starts its search.
The "-perm" tells find to match on the permission that follows.
The "-u=s" matches files with the "s" permission set for the owner.
The "-type" matches a specific file type, in this case "f" for a regular file.
The "2>/dev/null" sends all error messages (such as "permission denied") to "/dev/null", which is like a trashcan.

This command can be changed by modifying the "-u=s" portion to look for files with other permissions. If someone wanted to discover files with the group permission set to "s", they could use "-g=s" instead. If they want to find files that are writable by others (and therefore by the underprivileged user), they could use "-o=w".
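A defender's version of that sweep, as an added shell example that is not part of the original wiki page: make_sandbox and audit_suid are hypothetical helper names. make_sandbox builds a constructed directory tree under a temp directory with a few modes set deliberately (a correctly set setuid file, a setuid file that is also world-writable, a setgid file that is group-writable, and two files with no special bit) so the script runs offline without touching the real system. audit_suid runs the same find -perm tests from the text over that tree, using "-g=s" and "-o=w" as described above, flags any setuid/setgid file that group or others can write to, and returns a non-zero status so it can serve as a check in a hardening script. Pointing audit_suid at / reproduces the one-liner from the page with the writability check added.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files that are also writable
# by group or others. make_sandbox and audit_suid are hypothetical helpers.

# Build a constructed test tree under a temp directory and print its path.
make_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    for f in bin/safe_suid bin/bad_suid bin/group_sgid bin/plain etc/config; do
        printf '#!/bin/sh\necho placeholder\n' > "$d/$f"
    done
    chmod 4755 "$d/bin/safe_suid"   # setuid, only the owner can write: expected
    chmod 4777 "$d/bin/bad_suid"    # setuid AND world-writable: the finding
    chmod 2775 "$d/bin/group_sgid"  # setgid and group-writable: also a finding
    chmod 0755 "$d/bin/plain"       # no special bit: not reported
    chmod 0666 "$d/etc/config"      # world-writable but not setuid: not reported here
    printf '%s\n' "$d"
}

# Print "<status> <path>" for every setuid/setgid regular file under $1.
# Status is WORLD-WRITABLE, GROUP-WRITABLE or ok. Exit status is 1 when any
# writable privileged file was found, 0 otherwise.
audit_suid() {
    root=$1
    report=$(
        # Same -perm tests as the one-liner in the text, combined with -o.
        find "$root" -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null |
        while IFS= read -r f; do
            status=ok
            # A privileged file that others can modify lets any local user
            # change what runs with the owner's (or group's) privileges.
            if find "$f" -perm -o=w 2>/dev/null | grep -q .; then
                status=WORLD-WRITABLE
            elif find "$f" -perm -g=w 2>/dev/null | grep -q .; then
                status=GROUP-WRITABLE
            fi
            printf '%s %s\n' "$status" "$f"
        done
    )
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q WRITABLE; then
        return 1
    fi
    return 0
}

# Demo: audit the constructed tree, report the exit status, then clean up.
sandbox=$(make_sandbox)
audit_suid "$sandbox"
echo "audit exit status: $?"
rm -rf "$sandbox"
```

Only the file's writability is checked here; on a real system the directory containing a setuid binary also needs to be non-writable by others, otherwise the binary can be replaced rather than edited.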