Local privilege escalation: setuid, excessive permissions and graphical sessions
Local privilege escalation (LPE) is the process by which an attacker elevates their access rights on a system where they already have a foothold. It typically follows an initial compromise (access via a web vulnerability, compromised user account, physical access) and aims to obtain the highest system rights: root on Linux, SYSTEM or local Administrator on Windows.
Misconfigured setuid binaries
The setuid bit allows an executable to run with its owner's rights (typically root) rather than those of the user launching it. It's a legitimate feature used by commands like passwd or sudo. But a custom or misconfigured setuid binary can be exploited to execute commands as root.
Finding exploitable setuid binaries
# Lister les binaires setuid
find / -perm -4000 -type f 2>/dev/null
# Exemples de binaires legítimes courants :
# /usr/bin/passwd, /usr/bin/sudo, /usr/bin/su
# Exemple d'exploitation si /usr/bin/find a le bit setuid :
find . -exec /bin/sh -p \; -quit
# -p préserve le contexte setuid -> shell root
# GTFOBins (gtfobins.github.io) référence les binaires exploitables selon leur contexte
Overly broad sudo permissions
sudo allows users to execute specific commands as root. Overly permissive configurations create escalation vectors. A NOPASSWD: ALL entry grants full root rights without a password. Allowing text editors (vim, nano) or interpreters (python, perl) via sudo allows executing arbitrary commands in their context.
Checking and least privilege principle for sudo
# Voir les permissions sudo de l'utilisateur courant
sudo -l
# Configuration correcte dans /etc/sudoers :
# Autoriser uniquement les commandes nécessaires
john ALL=(root) NOPASSWD: /usr/bin/systemctl restart myservice
# À éviter :
john ALL=(ALL) NOPASSWD: ALL
john ALL=(root) NOPASSWD: /usr/bin/vim # vim peut spawner un shell
Excessive local admins and service accounts
The proliferation of accounts in the local Administrators group is a common risk in Windows environments. Each local admin account is a potential escalation vector. Service accounts running with local administrator rights (or SYSTEM) can be exploited if the service is compromised.
Unrestricted graphical sessions
Graphical sessions (RDP, VNC, X11) opened by privileged users and left unlocked represent a physical and network risk. An attacker who accesses the server via RCE can look for active graphical sessions in memory. Automatic lock policies and inactive session disconnection reduce this exposure.
Summary
- Audit setuid binaries: remove the setuid bit from any binary that doesn't need it
- Least privilege for sudo: explicitly list allowed commands, avoid editors and interpreters
- Limit local admins: apply LAPS on Windows for unique passwords per machine
- Session lock policy: automatically disconnect inactive graphical sessions
Further reading
A question after reading?
Want to assess the privilege escalation surface of your systems? Send a message.
Or book a 30-minute scoping call directly
Book a call →