cdemet / unix-privesc-check Goto Github PK

Add support to verify sticky bit on world-writable directories (UPC003)

The first argument to printf is often passed directly from the sudoers file. 
This can cause problems because this file commonly contains % characters for 
group definitions. This is noted in the comment in lib/misc/sudo: "# FIXME this 
printf fails when the an entry starts with percentage character (%) which is 
common for sudoers group".

Fixed this by using a simple format string, "%s", as the first argument. In the 
particular case after the comment I also added a new line to the string to fix 
a bug which leaves the final sudoers entry unprocessed.

Similar fixes should be done throughout the code base, but I just targeted code 
affected by the sudoers file here (privileged_writable really).

It makes sense as those security checks act upon output of privileged_list 
which in time might not only return binary files

I'm receiving syntax errors in some of the checks which use 
`binary_matches_string_grep`. For example, running a check from 
lib/checks/privileged_arguments manually:

 sh-4.3$ y="`binary_matches_string_grep \"/tmp/foo\" \"\$[\{]*[[:digit:]][\}]*\"`"
 sh: \{: syntax error: operand expected (error token is "\{")

Patch attached.

It seems to me that the privileged_environment_variables check will alert for 
any script using $-style variables, not necessarily environment variables. So, 
I'm a bit concerned as to how noisy it will be.

Add Samba library and security check (e.g. check permissions on AD file)

Add security check to verify the following:
* Identify and check for execute and write permissions over all users' home 
directories.
* Identify sensitive files in home directories (.exrc .netrc .rhosts .shosts 
.my.cnf .ssh/authorized_keys .*_history .forward .plan etc) and their 
permissions

I believe there are a couple of deficiencies in the current implementation of 
the privileged_writable check:

1. I think files writable by a low privileged owner should always be a warning, 
not just if YOU are the current owner. If I'm running the tool as the root user 
for auditing purposes then I want to know if a standard user owns a script 
they're permitted to run as root via sudo.

2. Furthermore, if a low privileged user owns a privileged file then it should 
be reported no matter what the current permissions are. This is because the 
owner can just set it to writable if necessary.

3. Similarly to (1), if an untrusted group can write to a privileged file then 
it should be a warning even if the current user isn't a member of the group.

The attached patch will make these changes. In it's current form it only trusts 
the user with ID zero and the main group of the user with ID zero. Hopefully 
this can be improved with configurable trusts in future, see #20.

I also modified some user and group utilities to support the changes:

* Implemented the group_is_root() function by checking against `id -g -n 0`
* Switched user_is_root() and user_is_user_root() to match other 
user_is_user_*() functions which check the current user rather than a supplied 
user.
* Implemented user_is_root()

Add privileged_* security checks to assess scripts:
* Check for straight OS command injections
* Check for race condition bugs (e.g. symlink attack)
* ...

Need option to suppress stdout for empty groups. Why?  pentesters+auditors 
might not care on existing servers (not exploitable). However, if auditing a 
base-build where future group members aren't clear yet, the auditor WILL care. 
Hence we need group-write for empty groups to be suppressable.

We need a list of trusted users and groups. We could use this list to avoid 
reporting write access that the user does not care about.
On Linux root user would be trusted. Root group too probably if it had no 
members.
On AIX the user may consider the bin user to be trusted.

Add security check to verify write permissions over configuration files in /etc

Add inittab library and support in privileged

Add more system_* checks:
* GrSecurity
* Heap hardening
* GCC stack protector
* Strict user copy checks
* Read-only kernel data
* Restricted /dev/mem
* Restricted /dev/kmem

Add library and checks to verify permissions on kernel modules

Add library and check for /etc/fstab (e.g. allowing users to mount file systems)

Add init library and support in privileged

Files that go missing during find e.g. /proc/<n> cause find to generate an 
error.

It would be nice to handle the output more cleanly.

[UPC024] WARNING: Cleartext subversion passsword file: 
/root/.subversion/auth/svn.simple/*

Add NFS library and security check (UPC022)

Add --verbose switch

Download unix-privsec-check version 1.4 and open the file with an editor.
Go to the line 498. 
-----------------------
world_can_read () {
    O_MESSAGE_STACK=$1
    O_FILE=$2

    P=`ls -lLd $O_FILE | cut -c 8`

    if [ "$P" = "w" ]; then
        echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
    fi
}
------------
The world_can_read function check for the bit 'w' and not the bit 'r'. 
This is wrong, because in this function we are checking for world readable and 
not world writeable files or directories. 

Regards, 
R.
--
Roberto Martelloni \ boos
http://boos.core-dumped.info

What steps will reproduce the problem?
1. chmod o+r /etc/shadow
2. run unix-privesc-check

Expect warning but nothing is noticed by tool but only following output I get:
############################################
Checking if /etc/shadow is readable
############################################
    Checking if anyone except root can read file /etc/shadow


unix-privesc-check 1.4
CentOS 5.10

Add PostgreSQL library and security check (UPC019, UPC020, UPC021)

Inspect users PATH variable: read from /proc/<pid>/environ, ~/.bashrc, 
/etc/profile, .bash_profile

Add NIS security check (UPC009 and UPC011)

Add fscaps security check (UPC043)

Enhance AIX support

Verify cross-platform compatibility on AIX

Add Oracle library and security check

The GNU version of which outputs error messages as follows:

 $ which aaaaaa
 which: no aaaaaa in ...

This isn't handled correctly in lib/misc/file.

Attached patch adds an optional match for "which: " prior to "no ".

Files owned or in the group of a user who no longer exists

Fix privileged_dependency: currently this is the only extremely slow security 
check

I can't see any mention of cron.d within the code, so I am assuming that the 
/etc/cron.d folder isn't inspected for Cron related issues.

Add kernel library to check for system-wide mitigation techniques (UPC031, 
UPC032, UPC033, UPC034, UPC035, UPC036, UPC037, UPC038, UPC039)

Add security check for classpath permissions on Java processes

Add check for R*Services trust relationships (both /etc/hosts.equiv and .rhosts 
files in homedirs)

Add security check privileged_nx (UPC040)

Add xinetd library and support in privileged

process library need to return shell/rb/pl/perl scripts path. At the moment if 
a shell script is being executed, this appears as "/bin/sh my.sh" in the 
process listing and the library returns /bin/sh only

Add LDAP security check (UPC010 and UPC012)

Add security check to inspect block devices (including swap)

Implement file grep caching mechanism: we check some files / dirs multiple times

Add sudo/sudoers security check (UPC017 and UPC018) - use recently developed 
sudo library

Add cron library and support in privileged