Abuse Elevation Control Mechanism: Sudo и кэширование sudo
Other sub-techniques of Abuse Elevation Control Mechanism (6)
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo
command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout
, which is the amount of time in minutes between instances of sudo
before it will re-prompt for a password. This is because sudo
has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo
with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets
variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers
, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL
.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo
's timestamp can be monitored to see if it falls within the timestamp_timeout
range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets
is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets
to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers
.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal
. As of macOS Sierra, the sudoers file has tty_tickets
enabled by default.
Примеры процедур |
|
Название | Описание |
---|---|
Cobalt Strike |
Cobalt Strike can use |
Proton |
Proton modifies the tty_tickets line in the sudoers file.(Citation: objsee mac malware 2017) |
Dok |
Dok adds |
Контрмеры |
|
Контрмера | Описание |
---|---|
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Обнаружение
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT
and LOG_OUTPUT
directives in the /etc/sudoers
file.
Ссылки
- Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.
- Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
- Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.