Frameworks information gathering tool

Linux Exploit Suggester: Linux privilege escalation auditing tool

Linux Exploit Suggester
Written by Mubassir patel

Linux Exploit Suggester: Linux privilege escalation auditing tool

Quick download:

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

Purpose

Often during the penetration test engagement the security analyst faces the problem of identifying privilege escalation attack vectors on tested Linux machine(s). One of viable attack vectors is using publicly known Linux exploit to gain root privileges on tested machine. The linux-exploit-suggester.sh tool is designed to help with these activities.

Overview

The tool is meant to assist the security analyst in his testing for privilege escalation opportunities on Linux machine, it provides following features:

“Remote” mode (–kernel or –uname switches)

In this mode the analyst simply provides kernel version (--kernel switch) or uname -a command output (--uname switch) and receives list of candidate exploits for a given kernel version.

Using this mode one can also check for candidate user space exploits (with --pkglist-file switch) if he has access to installed packages listing (output of dpkg -l/rpm -qa commands) of examined system.

“Direct” mode (default run)

So for example for ‘af_packet’ exploit which requirements looks like this:

Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1

the script (in addition to checking kernel version) will check if target kernel was built with CONFIG_USER_NS and if sysctl entry kernel.unprivileged_userns_clone is enabled. Optionally those additional checks can by skipped by running with --skip-more-checks command line switch.

By default tool also checks for applicable user space exploits when distribution is one of Debian, Ubuntu, RHEL/CentOS/Fedora. To skip user space exploits checks one can run with --kernelspace-only switch.

Example of script’s output in this mode:

Linux Exploit Suggester

Tips, limitations, caveats

  • Remember that this script is only meant to assist the analyst in his auditing activities. It won’t do the all work for him!
  • That’s the analyst job to determine whether given target at hand isn’t patched against generated list of candidate exploits (the script doesn’t look at distro patchlevel so obviously it won’t do that for you)
  • In addition to manual inspection Oracle’s Ksplice Inspector could come handy with determining the previous one
  • Selected exploit almost certainly will need some customization to suit your target (at minimum: correct commit_creds/prepare_kernel_cred pointers) so knowledge about kernel exploitation techniques is required

Usage

List of possible exploits:

$ ./linux-exploit-suggester.sh

As previously but only userspace exploits are checked:

$ ./linux-exploit-suggester.sh --userspace-only

Check if exploit(s) for given list of CVE IDs are available:

$ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file> --skip-more-checks

Generate list of CVEs for the target kernel and check if exploit(s) for it exists (also performs additional checks):

$ (uname -s; uname -m; uname -r; uname -v) | curl -s https://api-ksplice.oracle.com/api/1/update-list/ -L -H "Accept: text/text" --data-binary @- | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq > <cve-listing-file>
$ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file>

List available hardware/kernel security mechanisms for target machine:

$ ./linux-exploit-suggester.sh --checksec

Running with -k option is handy if one wants to quickly examine which exploits could be potentially applicable for given kernel version (this is also compatibility mode with Linux_Exploit_Suggester):

$ ./linux-exploit-suggester.sh -k 3.1

With --uname one provides slightly more information (uname -a output from target machine) to linux-exploit-suggester.sh and receives slightly specific list of possible exploits (for example also target arch x86|x86_64 is taken into account when generating exploits list):

$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"

Optionally --pkglist-file <file> could be provided to -k or --uname to also check for user space exploits:

(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux" --pkglist-file dpkgOutput.txt

In terms of generated list of exploits its identical with executing (directly on the given remote machine):

(remote machine) $ ./linux-exploit-suggester.sh --skip-more-checks

Sometimes it is desired to examine only package listing (in this case only check for userspace exploits is performed):

(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt

handy for quick preliminary checking if any package for which user space exploit is available is installed

$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt --skip-pkg-versions

sources for possible exploits are downloaded to current directory (only kernel space exploits are examined):

$ ./linux-exploit-suggester.sh --fetch-sources --kernelspace-only

full details (like: kernel version requirements, comments and URL pointing to announcement/technical details about exploit) about matched exploits are listed:

$ ./linux-exploit-suggester.sh -k 4.1 --full

binaries for applicable exploits are downloaded (if available) to current directory, additional checks are skipped:

$ ./linux-exploit-suggester.sh --fetch-binaries --skip-more-checks

Note however that --fetch-binaries is not recommended as it downloads binaries from generally not trusted sources and most likely these binaries weren’t compiled for your target anyway.

About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment