Thursday, February 21, 2008

unix-privesc-check

Unix Misconfigurations Checker

unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).


Download

unix-privesc-check v1.0 can be downloaded here.

Usage

The download is gzip'd, so gunzip it. Upload it to the server you're auditing / pentesting then just run it:

$ ./unix-privesc-check > output.txt

The output's a bit messy (it's hard to be neat with shell scripts), so you're probably best to save the output and search it for the word 'WARNING'. If you don't see the word 'WARNING' then the script didn't find anything.

Example:

$ ./unix-privesc-check


Intended Usage?

It's intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for "obvious" misconfigurations. It can even be run as a cron job so you can check regularly for misconfigurations that might be introduced.
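The cron use described above, combined with the earlier advice to search the output for 'WARNING', as an added example that is not part of unix-privesc-check or the original post. It assumes each finding sits on a line containing the word WARNING; the function names and the state-directory layout are hypothetical.

```shell
#!/bin/sh
# Added example (not part of unix-privesc-check). Assumption: each finding
# is reported on a line containing the word WARNING. Function names and the
# state-directory layout are hypothetical.

# Print the sorted, de-duplicated WARNING lines of a saved output file.
warnings_in() {
    grep 'WARNING' "$1" | LC_ALL=C sort -u
}

# Run the checker ($1), keep its output under the state directory ($2), and
# print only the WARNING lines that the previous run did not contain.
# The body runs in a subshell so the umask change does not leak to the caller.
audit_once() (
    umask 077                  # the output describes weaknesses: owner-only
    mkdir -p "$2" || exit 1
    # First run: start from an empty baseline, so every warning is new.
    [ -f "$2/previous.warnings" ] || : > "$2/previous.warnings"
    # Findings are read from the output, so the exit status is not used.
    "$1" > "$2/output.txt" 2>&1 || :
    warnings_in "$2/output.txt" > "$2/current.warnings"
    # comm -13 prints lines found only in the second (current) file.
    LC_ALL=C comm -13 "$2/previous.warnings" "$2/current.warnings"
    # The current warnings become the baseline for the next run.
    mv "$2/current.warnings" "$2/previous.warnings"
)
```

Call `audit_once` from the cron job with the path to the script and a state directory that only the auditing account can write to; cron mails whatever the function prints, so a quiet run means no new warnings since the last one.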

I wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges. There are lots of things that pentesters will check in this situation and one of the most tedious to check is weak file permissions - this is often one of the most fruitful, though, so there's no avoiding it.

Disclaimer

Running this script alone isn't a substitute for proper audit (e.g. following one of the NSA's excellent configuration guides). There are lots of possibilities for escalation that are just too hard to audit using a script. This script is intended to be a shortcut, not a replacement for a proper audit.
