Unix-privesc-check Update: v1.2

I’ve just released version 1.2 of unix-privesc-check.  Download it here.

The following improvements have been made over version 1.1:

* Added check of library dirs (/etc/ld.so.conf) for Linux
* Crude check of programs called from shell scripts
* Check of libraries used by each binary program (using ldd)
* Check of hard-coded paths within binaries (using strings)
* More verbose WARNING messages.  All the explanation for a WARNING
   should now be on one line so you can grep for 'WARNING' and still
   understand the results
* Check of file perms on open file handles of running processes
* Check for running SSH agent.  Lists keys if possible.
* Check for public and private SSH keys in home directories.
* Check for running GPG agent.
* Check for cron jobs in /var/spool/cron/tabs
* Extra non-priv check for local postgres trusts
* Bug fix: lanscan now used on HPUX to get interface names
* Check if system is an NFS client (HPUX only)
* Check if swap space is readable / writable
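
As an added illustration (not code from unix-privesc-check itself), here is a small POSIX shell script in the style of the new ld.so.conf and ldd checks listed above: the function names and the constructed demo tree are this example's own, and it borrows only the tool's convention of putting the whole explanation for each WARNING on one greppable line.

```shell
#!/bin/sh
# Added example, not unix-privesc-check code: minimal versions of the v1.2
# checks on /etc/ld.so.conf library dirs and on ldd-reported libraries, using
# the tool's one-line WARNING convention so output can simply be grepped.

# Print a one-line WARNING if PATH is world-writable and not sticky.
# Returns 0 when a warning was printed, 1 otherwise.
warn_if_world_writable() {
    path="$1"; reason="$2"
    [ -e "$path" ] || return 1
    other=$(ls -ldL "$path" | cut -c8-10)    # "other" triplet, e.g. rwx or rwt
    case "$other" in
        *w[!tT]) echo "WARNING: $path is world-writable ($reason)"; return 0 ;;
    esac
    return 1
}

# Walk an ld.so.conf file (and any files it includes) and flag writable dirs:
# a writable library dir lets a local user plant a .so that setuid programs load.
check_ld_so_conf() {
    conf="${1:-/etc/ld.so.conf}"
    [ -r "$conf" ] || return 0
    while read -r first rest; do
        case "$first" in
            ''|'#'*) ;;
            include) for f in $rest; do ( check_ld_so_conf "$f" ); done ;;
            *) warn_if_world_writable "$first" "library dir listed in $conf" ;;
        esac
    done < "$conf"
}

# For one binary, flag writable libraries or library dirs reported by ldd.
check_ldd() {
    bin="$1"
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '/=> \// {print $3}' | while read -r lib; do
        warn_if_world_writable "$lib" "library loaded by $bin"
        warn_if_world_writable "$(dirname "$lib")" "dir of a library loaded by $bin"
    done
}

# Constructed demo: one safe dir and one world-writable dir listed in a fake
# ld.so.conf under a temp dir. Prints the path of that fake conf file.
make_demo_conf() {
    tmp=$(mktemp -d)
    mkdir "$tmp/lib" "$tmp/badlib"
    chmod 755 "$tmp/lib"; chmod 777 "$tmp/badlib"
    printf '# demo\n%s\n%s\n' "$tmp/lib" "$tmp/badlib" > "$tmp/ld.so.conf"
    echo "$tmp/ld.so.conf"
}
```

Run `check_ld_so_conf "$(make_demo_conf)"` to see exactly one WARNING for the demo's writable dir, or `check_ld_so_conf` with no argument and `check_ldd /bin/ls` against the real system.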

I must admit that I haven’t tested this version on HPUX and Solaris yet.  You might want to keep version 1.1 around for the time being.  I’ll release a new version as time permits.

It’s worth noting that the usage has also changed…

unix-privesc-check v1.2 ( http://pentestmonkey.net/tools/unix-privesc-check )

Usage: unix-privesc-check { standard | detailed }

"standard" mode: Speed-optimised check of lots of security settings.

"detailed" mode: Same as standard mode, but also checks perms of open file
                 handles and called files (e.g. parsed from shell scripts,
                 linked .so files).  This mode is slow and prone to false
                 positives but might help you find more subtle flaws in 3rd
                 party programs.

This script checks file permissions and other settings that could allow
local users to escalate privileges.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of.  Apart from this
condition the GPL v2 applies.

Search the output for the word 'WARNING'.  If you don't see it then this
script didn't find any problems.
