A sample attack
As an example of an attack that allows privilege escalation, imagine that an attacker was able to successfully exploit a bug in an FTP server daemon that would allow him to run commands of his choice as the root user. A smart attacker who wanted to gain full interactive shell access to the system could add a second user with root privileges by executing the following:
useradd -u 0 -g 0 -G 1,2,3,4,6,10 -o -M root2
The above adds a new user named root2 and sets its user ID (uid) and group ID (gid) to 0. Since uid 0 and gid 0 are associated with the root user, this creates a second root account. If the attacker is successful in executing the command he will have a shiny new root account waiting for him. There is only one problem—the account is disabled and doesn't have a password set for it. To set a password for an account you would normally use the Linux passwd command; however, this requires that the new password is input at the command line—something which the attacker doesn...
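From the defender's side, the account created by that useradd line stands out in /etc/passwd because it is a uid-0 entry not named root. The following Python is an added example, not part of the original article: it audits passwd and shadow text for such accounts and reports whether a password has been set yet. The sample file contents and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from a real system); root2 mirrors the useradd line above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
root2:x:0:0::/home/root2:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
root2:!!:19500:0:99999:7:::
"""

def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"            # no password required at all
    if field[0] in "!*":
        return "locked"           # password login disabled
    return "set"

def audit_accounts(passwd_text, shadow_text):
    """Return findings for extra uid-0 accounts and for UIDs shared by several names."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = password_state(parts[1])
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue              # skip comments and malformed lines
        by_uid[int(parts[2])].append(parts[0])
    findings = []
    for uid, names in sorted(by_uid.items()):
        for name in names:
            if uid == 0 and name != "root":
                findings.append(("extra-uid0", name, shadow.get(name, "no-shadow-entry")))
        if uid != 0 and len(names) > 1:
            findings.append(("shared-uid", ",".join(names), str(uid)))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

A finding whose state changes from "locked" to "set" means the second root account has been given a usable password.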