pentestmonkey / unix-privesc-check
Automatically exported from code.google.com/p/unix-privesc-check
Add library and checks to verify permissions on kernel modules
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 11:38
I can't see any mention of cron.d within the code, so I am assuming that the
/etc/cron.d folder isn't inspected for Cron related issues.
Original issue reported on code.google.com by [email protected]
on 3 Dec 2014 at 10:36
Files owned or in the group of a user who no longer exists
Original issue reported on code.google.com by [email protected]
on 13 Sep 2012 at 5:24
Add xinetd library and support in privileged
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:48
Add Oracle library and security check
Original issue reported on code.google.com by bernardo.damele
on 5 Nov 2012 at 3:33
Files that go missing during find e.g. /proc/<n> cause find to generate an
error.
It would be nice to handle the output more cleanly.
Original issue reported on code.google.com by [email protected]
on 11 Sep 2012 at 9:38
Add PostgreSQL library and security check (UPC019, UPC020, UPC021)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:52
It makes sense, as those security checks act upon the output of privileged_list,
which in time might not only return binary files.
Original issue reported on code.google.com by bernardo.damele
on 20 Oct 2012 at 11:50
We need a list of trusted users and groups. We could use this list to avoid
reporting write access that the user does not care about.
On Linux root user would be trusted. Root group too probably if it had no
members.
On AIX the user may consider the bin user to be trusted.
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:11
Verify cross-platform compatibility on AIX
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:09
What steps will reproduce the problem?
1. chmod o+r /etc/shadow
2. run unix-privesc-check
I expect a warning, but nothing is noticed by the tool; the only output I get is the following:
############################################
Checking if /etc/shadow is readable
############################################
Checking if anyone except root can read file /etc/shadow
unix-privesc-check 1.4
CentOS 5.10
Original issue reported on code.google.com by [email protected]
on 12 Dec 2013 at 12:29
Add security check for classpath permissions on Java processes
Original issue reported on code.google.com by bernardo.damele
on 2 Nov 2012 at 3:44
Add more system_* checks:
* GrSecurity
* Heap hardening
* GCC stack protector
* Strict user copy checks
* Read-only kernel data
* Restricted /dev/mem
* Restricted /dev/kmem
Original issue reported on code.google.com by bernardo.damele
on 1 Nov 2012 at 1:09
Add fscaps security check (UPC043)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:01
I'm receiving syntax errors in some of the checks which use
`binary_matches_string_grep`. For example, running a check from
lib/checks/privileged_arguments manually:
sh-4.3$ y="`binary_matches_string_grep \"/tmp/foo\" \"\$[\{]*[[:digit:]][\}]*\"`"
sh: \{: syntax error: operand expected (error token is "\{")
Patch attached.
It seems to me that the privileged_environment_variables check will alert for
any script using $-style variables, not necessarily environment variables. So,
I'm a bit concerned as to how noisy it will be.
Original issue reported on code.google.com by [email protected]
on 2 Mar 2015 at 11:53
Attachments:
Need option to suppress stdout for empty groups. Why? pentesters+auditors
might not care on existing servers (not exploitable). However, if auditing a
base-build where future group members aren't clear yet, the auditor WILL care.
Hence we need group-write for empty groups to be suppressable.
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:07
Add NFS library and security check (UPC022)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:53
Add Samba library and security check (e.g. check permissions on AD file)
Original issue reported on code.google.com by bernardo.damele
on 5 Nov 2012 at 3:35
Add privileged_* security checks to assess scripts:
* Check for straight OS command injections
* Check for race condition bugs (e.g. symlink attack)
* ...
Original issue reported on code.google.com by bernardo.damele
on 1 Nov 2012 at 1:07
Add inittab library and support in privileged
Original issue reported on code.google.com by bernardo.damele
on 1 Nov 2012 at 4:47
Add LDAP security check (UPC010 and UPC012)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:48
Add --verbose switch
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:05
Add init library and support in privileged
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:45
Add security check privileged_nx (UPC040)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:31
Add security check to verify write permissions over configuration files in /etc
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 12:44
The GNU version of which outputs error messages as follows:
$ which aaaaaa
which: no aaaaaa in ...
This isn't handled correctly in lib/misc/file.
Attached patch adds an optional match for "which: " prior to "no ".
Original issue reported on code.google.com by [email protected]
on 24 Feb 2015 at 4:23
Attachments:
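The two output shapes described above, handled in one place. This is an added example, not the attached patch and not unix-privesc-check code; the function names parse_which_output and locate_binary are my own, and the "not found" strings fed to them are constructed from the GNU message quoted in the report and the prefix-less form older implementations print.

```shell
#!/bin/sh
# Added example, not the attached patch and not unix-privesc-check code.
# Normalises the output of which(1) so a "not found" message is never mistaken
# for a path: GNU which prints "which: no NAME in (...)", other implementations
# print "no NAME in ..." or print nothing and exit non-zero.

# Print the resolved path from one line of `which` output, or nothing when the
# line is a "not found" message (with or without the GNU "which: " prefix).
parse_which_output () {
	case "$1" in
		"which: no "*" in "*|"no "*" in "*) ;;   # GNU and prefix-less "not found" text
		/*) printf '%s\n' "$1" ;;                # an absolute path is a real hit
		*) ;;                                    # anything else is treated as not found
	esac
}

# Wrapper around the real which(1): the output is parsed, never used as a path
# blindly. Prints the path and returns 0 on success, returns 1 otherwise. If
# which itself is missing, the shell's own error lands on stdout via 2>&1 and
# is rejected by the parser like any other non-path line.
locate_binary () {
	_out=`which "$1" 2>&1 | head -n 1`
	_p=`parse_which_output "$_out"`
	[ -n "$_p" ] && printf '%s\n' "$_p"
}
```

Because parse_which_output only accepts lines that start with "/", a future change in the wording of the error message degrades to "not found" rather than to a bogus path being fed to the permission checks.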
Add library and check for /etc/fstab (e.g. allowing users to mount file systems)
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 11:40
Implement file grep caching mechanism: we check some files / dirs multiple times
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 11:44
Enhance AIX support
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 9:09
Add security check to inspect block devices (including swap)
Original issue reported on code.google.com by bernardo.damele
on 1 Nov 2012 at 4:38
Add support to verify sticky bit on world-writable directories (UPC003)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:50
Fix privileged_dependency: currently this is the only extremely slow security
check
Original issue reported on code.google.com by bernardo.damele
on 1 Nov 2012 at 11:49
Add cron library and support in privileged
Original issue reported on code.google.com by bernardo.damele
on 20 Oct 2012 at 11:53
Add sudo/sudoers security check (UPC017 and UPC018) - use recently developed
sudo library
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:51
[UPC024] WARNING: Cleartext subversion password file:
/root/.subversion/auth/svn.simple/*
Original issue reported on code.google.com by [email protected]
on 9 Nov 2010 at 4:53
Add kernel library to check for system-wide mitigation techniques (UPC031,
UPC032, UPC033, UPC034, UPC035, UPC036, UPC037, UPC038, UPC039)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:56
./upc.sh --type all
command leads to the following output:
unix-privesc-check v2.1 ( http://code.google.com/p/unix-privesc-check )
lib/checks/enabled/all/credentials: ../../credentials: not found
./upc.sh: credentials_init: not found
./upc.sh: credentials_main: not found
./upc.sh: credentials_fini: not found
lib/checks/enabled/all/gpg_agent: ../../gpg_agent: not found
./upc.sh: gpg_agent_init: not found
./upc.sh: gpg_agent_main: not found
./upc.sh: gpg_agent_fini: not found
lib/checks/enabled/all/group_writable: ../../group_writable: not found
./upc.sh: group_writable_init: not found
./upc.sh: group_writable_main: not found
./upc.sh: group_writable_fini: not found
lib/checks/enabled/all/history_readable: ../../history_readable: not found
./upc.sh: history_readable_init: not found
./upc.sh: history_readable_main: not found
./upc.sh: history_readable_fini: not found
lib/checks/enabled/all/homedirs_executable: ../../homedirs_executable: not found
./upc.sh: homedirs_executable_init: not found
./upc.sh: homedirs_executable_main: not found
./upc.sh: homedirs_executable_fini: not found
lib/checks/enabled/all/homedirs_writable: ../../homedirs_writable: not found
./upc.sh: homedirs_writable_init: not found
./upc.sh: homedirs_writable_main: not found
./upc.sh: homedirs_writable_fini: not found
lib/checks/enabled/all/jar: ../../jar: not found
./upc.sh: jar_init: not found
./upc.sh: jar_main: not found
./upc.sh: jar_fini: not found
lib/checks/enabled/all/key_material: ../../key_material: not found
./upc.sh: key_material_init: not found
./upc.sh: key_material_main: not found
./upc.sh: key_material_fini: not found
lib/checks/enabled/all/passwd_hashes: ../../passwd_hashes: not found
./upc.sh: passwd_hashes_init: not found
./upc.sh: passwd_hashes_main: not found
./upc.sh: passwd_hashes_fini: not found
lib/checks/enabled/all/privileged_banned: ../../privileged_banned: not found
./upc.sh: privileged_banned_init: not found
./upc.sh: privileged_banned_main: not found
./upc.sh: privileged_banned_fini: not found
lib/checks/enabled/all/privileged_change_privileges: ../../privileged_change_privileges: not found
./upc.sh: privileged_change_privileges_init: not found
./upc.sh: privileged_change_privileges_main: not found
./upc.sh: privileged_change_privileges_fini: not found
lib/checks/enabled/all/privileged_chroot: ../../privileged_chroot: not found
./upc.sh: privileged_chroot_init: not found
./upc.sh: privileged_chroot_main: not found
./upc.sh: privileged_chroot_fini: not found
lib/checks/enabled/all/privileged_dependency: ../../privileged_dependency: not found
./upc.sh: privileged_dependency_init: not found
./upc.sh: privileged_dependency_main: not found
./upc.sh: privileged_dependency_fini: not found
lib/checks/enabled/all/privileged_nx: ../../privileged_nx: not found
./upc.sh: privileged_nx_init: not found
./upc.sh: privileged_nx_main: not found
./upc.sh: privileged_nx_fini: not found
lib/checks/enabled/all/privileged_path: ../../privileged_path: not found
./upc.sh: privileged_path_init: not found
./upc.sh: privileged_path_main: not found
./upc.sh: privileged_path_fini: not found
lib/checks/enabled/all/privileged_pie: ../../privileged_pie: not found
./upc.sh: privileged_pie_init: not found
./upc.sh: privileged_pie_main: not found
./upc.sh: privileged_pie_fini: not found
lib/checks/enabled/all/privileged_random: ../../privileged_random: not found
./upc.sh: privileged_random_init: not found
./upc.sh: privileged_random_main: not found
./upc.sh: privileged_random_fini: not found
lib/checks/enabled/all/privileged_relro: ../../privileged_relro: not found
./upc.sh: privileged_relro_init: not found
./upc.sh: privileged_relro_main: not found
./upc.sh: privileged_relro_fini: not found
lib/checks/enabled/all/privileged_rpath: ../../privileged_rpath: not found
./upc.sh: privileged_rpath_init: not found
./upc.sh: privileged_rpath_main: not found
./upc.sh: privileged_rpath_fini: not found
lib/checks/enabled/all/privileged_ssp: ../../privileged_ssp: not found
./upc.sh: privileged_ssp_init: not found
./upc.sh: privileged_ssp_main: not found
./upc.sh: privileged_ssp_fini: not found
lib/checks/enabled/all/privileged_tmp: ../../privileged_tmp: not found
./upc.sh: privileged_tmp_init: not found
./upc.sh: privileged_tmp_main: not found
./upc.sh: privileged_tmp_fini: not found
lib/checks/enabled/all/privileged_writable: ../../privileged_writable: not found
./upc.sh: privileged_writable_init: not found
./upc.sh: privileged_writable_main: not found
./upc.sh: privileged_writable_fini: not found
lib/checks/enabled/all/setgid: ../../setgid: not found
./upc.sh: setgid_init: not found
./upc.sh: setgid_main: not found
./upc.sh: setgid_fini: not found
lib/checks/enabled/all/setuid: ../../setuid: not found
./upc.sh: setuid_init: not found
./upc.sh: setuid_main: not found
./upc.sh: setuid_fini: not found
lib/checks/enabled/all/shadow_hashes: ../../shadow_hashes: not found
./upc.sh: shadow_hashes_init: not found
./upc.sh: shadow_hashes_main: not found
./upc.sh: shadow_hashes_fini: not found
lib/checks/enabled/all/ssh_agent: ../../ssh_agent: not found
./upc.sh: ssh_agent_init: not found
./upc.sh: ssh_agent_main: not found
./upc.sh: ssh_agent_fini: not found
lib/checks/enabled/all/ssh_key: ../../ssh_key: not found
./upc.sh: ssh_key_init: not found
./upc.sh: ssh_key_main: not found
./upc.sh: ssh_key_fini: not found
lib/checks/enabled/all/system_aslr: ../../system_aslr: not found
./upc.sh: system_aslr_init: not found
./upc.sh: system_aslr_main: not found
./upc.sh: system_aslr_fini: not found
lib/checks/enabled/all/system_configuration: ../../system_configuration: not found
./upc.sh: system_configuration_init: not found
./upc.sh: system_configuration_main: not found
./upc.sh: system_configuration_fini: not found
lib/checks/enabled/all/system_libraries: ../../system_libraries: not found
./upc.sh: system_libraries_init: not found
./upc.sh: system_libraries_main: not found
./upc.sh: system_libraries_fini: not found
lib/checks/enabled/all/system_mmap: ../../system_mmap: not found
./upc.sh: system_mmap_init: not found
./upc.sh: system_mmap_main: not found
./upc.sh: system_mmap_fini: not found
lib/checks/enabled/all/system_nx: ../../system_nx: not found
./upc.sh: system_nx_init: not found
./upc.sh: system_nx_main: not found
./upc.sh: system_nx_fini: not found
lib/checks/enabled/all/system_selinux: ../../system_selinux: not found
./upc.sh: system_selinux_init: not found
./upc.sh: system_selinux_main: not found
./upc.sh: system_selinux_fini: not found
lib/checks/enabled/all/world_writable: ../../world_writable: not found
./upc.sh: world_writable_init: not found
./upc.sh: world_writable_main: not found
./upc.sh: world_writable_fini: not found
I believe there are a couple of deficiencies in the current implementation of
the privileged_writable check:
1. I think files writable by a low privileged owner should always be a warning,
not just if YOU are the current owner. If I'm running the tool as the root user
for auditing purposes then I want to know if a standard user owns a script
they're permitted to run as root via sudo.
2. Furthermore, if a low privileged user owns a privileged file then it should
be reported no matter what the current permissions are. This is because the
owner can just set it to writable if necessary.
3. Similarly to (1), if an untrusted group can write to a privileged file then
it should be a warning even if the current user isn't a member of the group.
The attached patch will make these changes. In its current form it only trusts
the user with ID zero and the main group of the user with ID zero. Hopefully
this can be improved with configurable trusts in future, see #20.
I also modified some user and group utilities to support the changes:
* Implemented the group_is_root() function by checking against `id -g -n 0`
* Switched user_is_root() and user_is_user_root() to match other
user_is_user_*() functions which check the current user rather than a supplied
user.
* Implemented user_is_root()
Original issue reported on code.google.com by [email protected]
on 25 Feb 2015 at 1:30
Attachments:
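The three rules in the report, written out as an added example so they can be checked without a file system. This is not the attached patch and not unix-privesc-check code: check_privileged_file, in_list and count_flagged are my own names, the owner and group columns are passed in explicitly instead of being read from ls, the trust lists default to "root" only (mirroring what the report says the patch does), and the inventory rows are constructed.

```shell
#!/bin/sh
# Added example, not the attached patch and not unix-privesc-check code. It
# encodes the three proposed rules as a pure function over a file's owner,
# group and ls-style mode string. Trust lists are space-separated names; only
# "root" is trusted by default, as the report says the patch does.
TRUSTED_USERS=${TRUSTED_USERS:-root}
TRUSTED_GROUPS=${TRUSTED_GROUPS:-root}

# Is $1 one of the names in the space-separated list $2?
in_list () {
	for _n in $2; do
		[ "$_n" = "$1" ] && return 0
	done
	return 1
}

# Evaluate one privileged file. Arguments: path owner group mode, where mode is
# the 10-character string from `ls -l` (for example -rwxr-xr-x: column 6 is
# group write, column 9 is other write). Prints one WARNING per finding and
# returns 0 if anything was found, 1 if the file is clean.
check_privileged_file () {
	F=$1; OWNER=$2; GROUP=$3; MODE=$4; FOUND=1
	# Rules 1 and 2: an untrusted owner is a finding whoever runs the tool and
	# whatever the current mode, because the owner can chmod it writable later.
	if ! in_list "$OWNER" "$TRUSTED_USERS"; then
		echo "WARNING: $F is owned by untrusted user $OWNER"
		FOUND=0
	fi
	# Rule 3: group write by an untrusted group is a finding even when the
	# auditing user is not a member of that group.
	case "$MODE" in
		?????w*)
			if ! in_list "$GROUP" "$TRUSTED_GROUPS"; then
				echo "WARNING: $F is writable by untrusted group $GROUP"
				FOUND=0
			fi ;;
	esac
	# World write is a finding regardless of trust lists.
	case "$MODE" in
		????????w*)
			echo "WARNING: $F is world-writable"
			FOUND=0 ;;
	esac
	return $FOUND
}

# Constructed inventory (path owner group mode): the kind of rows a
# privileged_list pass over sudoers, cron or setuid files would yield.
SAMPLE_INVENTORY='/usr/local/sbin/backup.sh root root -rwxr-xr-x
/usr/local/sbin/deploy.sh alice root -rwxr-xr-x
/usr/local/sbin/rotate.sh root staff -rwxrwxr-x
/usr/local/sbin/cleanup.sh root root -rwxrwxrwx'

# Run every row through the check; print how many files had a finding.
count_flagged () {
	printf '%s\n' "$1" | {
		n=0
		while read -r f o g m; do
			check_privileged_file "$f" "$o" "$g" "$m" >/dev/null && n=$((n + 1))
		done
		echo "$n"
	}
}
```

Of the four constructed rows only backup.sh is clean: deploy.sh is owned by a non-root user, rotate.sh is writable by the untrusted group staff, and cleanup.sh is world-writable. Setting TRUSTED_GROUPS="root staff" before sourcing the file would clear rotate.sh, which is the configurable-trust direction the report points at.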
Add NIS security check (UPC009 and UPC011)
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 8:49
Inspect users' PATH variable: read from /proc/<pid>/environ, ~/.bashrc,
/etc/profile, .bash_profile
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 11:45
Add security check to verify the following:
* Identify and check for execute and write permissions over all users' home
directories.
* Identify sensitive files in home directories (.exrc .netrc .rhosts .shosts
.my.cnf .ssh/authorized_keys .*_history .forward .plan etc) and their
permissions
Original issue reported on code.google.com by bernardo.damele
on 22 Oct 2012 at 12:46
Download unix-privesc-check version 1.4 and open the file with an editor.
Go to line 498.
-----------------------
world_can_read () {
O_MESSAGE_STACK=$1
O_FILE=$2
P=`ls -lLd $O_FILE | cut -c 8`
if [ "$P" = "w" ]; then
echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
fi
}
------------
The world_can_read function checks for the bit 'w' and not the bit 'r'.
This is wrong, because in this function we are checking for world-readable and
not world-writable files or directories.
Regards,
R.
--
Roberto Martelloni \ boos
http://boos.core-dumped.info
Original issue reported on code.google.com by [email protected]
on 21 Mar 2014 at 10:27
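The corrected check, together with a world-write companion, as an added example that is not the project's code. It serves both this report and the earlier one about /etc/shadow with o+r going unnoticed under 1.4: column 8 of the ls mode string can only ever hold "r" or "-", so comparing it against "w" never fires. The helper names mode_char, world_can_write, make_sample_file and the demo argument are my own, and the scratch files are constructed under $TMPDIR.

```shell
#!/bin/sh
# Added example, not unix-privesc-check code. Permission-bit helpers that read
# the "others" triplet from `ls -lLd`. In a mode string such as -rwxr-xr-x,
# column 8 is other-read, 9 is other-write and 10 is other-execute. The 1.4
# world_can_read() compared column 8 against "w", which can never match, so a
# world-readable file (an o+r /etc/shadow, for instance) was never reported.

# Print the single character at column $2 of the mode string of file $1.
mode_char () {
	ls -lLd "$1" 2>/dev/null | cut -c "$2"
}

# Corrected check: column 8 must be "r" for the file to be world-readable.
# Exit status 0 means "finding", 1 means "clean", so callers can branch on it.
world_can_read () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	P=`mode_char "$O_FILE" 8`
	if [ "$P" = "r" ]; then
		echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
		return 0
	fi
	return 1
}

# Companion check for the bit the original code was accidentally looking for:
# column 9 must be "w" for the file to be world-writable.
world_can_write () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	P=`mode_char "$O_FILE" 9`
	if [ "$P" = "w" ]; then
		echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE"
		return 0
	fi
	return 1
}

# Constructed scratch file with an explicit octal mode ($1), so the checks can
# be exercised without touching real system files. Prints its path.
make_sample_file () {
	F=${TMPDIR:-/tmp}/upc_example.$$.$1
	: > "$F" && chmod "$1" "$F" && echo "$F"
}

# Stand-alone demonstration (run as: sh thisfile demo): a 0644 file trips
# world_can_read only, 0646 trips both, 0600 trips neither.
if [ "${1:-}" = "demo" ]; then
	for m in 0644 0646 0600; do
		f=`make_sample_file "$m"`
		echo "mode $m:"
		world_can_read "[demo]" "$f" || echo "  no world read"
		world_can_write "[demo]" "$f" || echo "  no world write"
		rm -f "$f"
	done
fi
```

Both functions now return a meaningful exit status in addition to the WARNING line, which is what makes the defect testable: a check that can never fire looks identical to a clean system unless something asserts that it fires on a known-bad file.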
The first argument to printf is often passed directly from the sudoers file.
This can cause problems because this file commonly contains % characters for
group definitions. This is noted in the comment in lib/misc/sudo: "# FIXME this
printf fails when the an entry starts with percentage character (%) which is
common for sudoers group".
Fixed this by using a simple format string, "%s", as the first argument. In the
particular case after the comment I also added a new line to the string to fix
a bug which leaves the final sudoers entry unprocessed.
Similar fixes should be done throughout the code base, but I just targeted code
affected by the sudoers file here (privileged_writable really).
Original issue reported on code.google.com by [email protected]
on 24 Feb 2015 at 4:20
Attachments:
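The two defects described above, reproduced side by side as an added example (not the attached patch, not code from lib/misc/sudo). The sudoers-style entries are constructed; count_lines, count_entries_buggy, count_entries_fixed and count_group_entries are my own names. The buggy form passes the data as printf's format string, so the "%a" and "%w" at the start of group entries are parsed as conversions, and the missing final newline makes `while read` drop the last entry.

```shell
#!/bin/sh
# Added example, not unix-privesc-check code. Shows why sudoers lines must not
# be used as a printf format string, and why a trailing newline matters when
# the output is piped into `while read`.

# Constructed sudoers-style entries (no real system). Two of the three start
# with "%", the sudoers group prefix, and the last line carries no trailing
# newline, which is the shape that reaches the loop in lib/misc/sudo.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

# Count the lines a `while read` loop actually sees on stdin. read returns
# non-zero on a final line without a newline, so that line is never counted.
count_lines () {
	n=0
	while read -r _line; do
		n=$((n + 1))
	done
	echo "$n"
}

# Buggy form: the data is the format string. "%a" is consumed as a conversion,
# "%w" is an invalid one that stops printf, and the unterminated last entry is
# lost in any case. Fewer than three entries survive, whichever shell runs it.
count_entries_buggy () {
	printf "$1" 2>/dev/null | count_lines
}

# Fixed form: "%s" is the format, the data is an argument, and the "\n" in the
# format guarantees the final entry is newline-terminated so read returns it.
count_entries_fixed () {
	printf '%s\n' "$1" | count_lines
}

# Once entries are printed safely they can be classified: a leading "%" marks
# a group specification rather than a user.
count_group_entries () {
	printf '%s\n' "$1" | grep -c '^%'
}
```

The same "%s" discipline applies to every place where file contents or user-controlled strings reach printf or echo -e style interpretation; the report limits the fix to the sudoers path, which is why the follow-up for the rest of the code base is flagged there.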
The process library needs to return the path of shell/rb/pl/perl scripts. At the moment, if
a shell script is being executed, this appears as "/bin/sh my.sh" in the
process listing and the library returns /bin/sh only.
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 9:36
Add check for R*Services trust relationships (both /etc/hosts.equiv and .rhosts
files in homedirs)
Original issue reported on code.google.com by bernardo.damele
on 29 Oct 2012 at 11:39