RE: Any suggests about a possible LRE (local root escalation)
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Thu, 22 Feb 2007 11:26:42 -0500
> We are pen-testing a couple of a company webserver that hosts something like many thousand websites. We
> got a shell working through a remote file inclusion vulnerability we found. We are in but there seems to
> be no apps we could "use" to gain a root escalation from the local low-privileges shell. OS is CentOS
> 4.4 and kernel is 2.6.9-42.0.3.ELsmp. Do you have any ideas to gain a root escalation over this
> OS/kernel configuration?
An easy thing to do would be to configure Nessus local scans (they have a
CentOS category I believe) with your shell configuration and have Nessus ssh
into the box and check for unpatched vulns. That should take all of 10
minutes and might yield an unpatched local root.
Next step might be 'find / -type f -perm -4000' and start overflowing
command line arguments until something segfaults.
There are usually lots of ways to get root from a local shell, especially if
the box hasn't been hardened from its default configuration. Try and figure
out what cron jobs run, what files they touch, look at /tmp, etc.
PaulM
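
The two areas named in this reply, setuid binaries and the files cron jobs touch, are also what an administrator would audit when hardening such a host. The script below is an added example, not part of the original post; the function names and the baseline file (one known-good setuid path per line, taken from a clean install) are assumptions.

```shell
#!/bin/sh
# Added example: hardening audit of setuid files and cron-referenced files.
# Usage (as root, on the host being hardened):
#   unexpected_setuid / /root/setuid.baseline
#   writable_cron_targets /etc/crontab /etc/cron.d/*

# list_setuid ROOT: setuid regular files under ROOT (same filesystem), sorted.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_setuid ROOT BASELINE: setuid files under ROOT that are not in
# BASELINE. Anything printed here was added or changed since the baseline.
unexpected_setuid() {
    list_setuid "$1" | grep -vxF -f "$2" || true
}

# cron_targets FILE...: absolute paths named on non-comment crontab lines.
# Redirect targets such as ">/dev/null" are skipped because the path must
# follow whitespace or start the line.
cron_targets() {
    grep -hv '^[[:space:]]*#' "$@" 2>/dev/null |
        grep -oE '(^|[[:space:]])/[^[:space:];|&<>]+' |
        tr -d ' \t' | sort -u
}

# writable_cron_targets FILE...: cron-referenced files, or their parent
# directories, that group or other can write to. A job that runs as root
# from such a path lets a non-root account change what root executes.
writable_cron_targets() {
    cron_targets "$@" | while IFS= read -r p; do
        [ -e "$p" ] || continue
        find "$p" "$(dirname "$p")" -maxdepth 0 \
            \( -perm -0002 -o -perm -0020 \) 2>/dev/null
    done | sort -u
}
```

Both functions print nothing on a clean host, so their output can be mailed or alerted on directly from a scheduled job.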