ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index page]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1166

Glossary: /attack/glossary

Setuid and Setgid

When the setuid or setgid bit is set on an application on Linux or macOS, it means the application will run with the privileges of the owning user or group respectively. Normally an application runs in the current user's context, regardless of which user or group owns it. In some cases a program needs to be executed in an elevated context to function properly, but the user running it does not need elevated privileges. Any user can set the setuid or setgid flag on their own applications without creating an entry in the sudoers file (which must be done by root). When viewing a file's attributes with ls -l, these bits are shown as an "s" instead of an "x". The chmod program can set these bits via bitmasking, chmod 4777 [file], or via shorthand naming, chmod u+s [file].

Adversaries can take advantage of this to perform a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user's context. In addition, adversaries can use this mechanism on their own malware to ensure they can execute in an elevated context in the future.

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively [1]. Normally an application is run in the current user's context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn't need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits via bitmasking, chmod 4777 [file], or via shorthand naming, chmod u+s [file].

An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bits to get code running in a different user's context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.

Tags

ID: T1166

Tactics: Privilege Escalation, Persistence

Platforms: Linux, macOS

Permissions Required: User

Effective Permissions: Administrator, root

Data Sources: File monitoring, Process monitoring, Process command-line parameters

Procedure Examples

Name Description
Keydnap (S0276) Keydnap (S0276) adds the setuid flag to a binary so that it can easily elevate in the future.
Name Description
Keydnap(S0276) Keydnap(S0276) adds the setuid flag to a binary so it can easily elevate in the future.

Mitigations

Mitigation Description
Operating System Configuration (M1028) Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bit set, to reduce the potential damage if the application is compromised. In addition, the number of programs with the setuid or setgid bit set should be minimized across the system.
Mitigation Description
Operating System Configuration(M1028) Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.

Detection

Monitor the file system for files that have the setuid or setgid bit set. Monitor the execution of utilities such as chmod and their command-line arguments to look for setuid or setgid bits being set.

Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setgid bits being set.
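Both detection data sources above, as an added example that is not part of the original ATT&CK page or its translation: a POSIX shell script with one function that sweeps a directory tree for files carrying the setuid or setgid bit, and one that classifies a captured chmod command line (numeric or symbolic mode) by which special bits it would set. The function names, the demo paths and the sample command lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original ATT&CK page or its translation: two
# defender-side checks matching the technique's data sources (file monitoring,
# process command-line arguments). Function names are made up for this example.
# File monitoring: print every regular file under $1 carrying the setuid (4000)
# or setgid (2000) bit. Only POSIX find predicates are used, so it works on
# Linux and macOS alike (GNU find's "-perm /6000" would not).
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Process command-line monitoring: classify a captured chmod command line by the
# special bits its mode operand would set; prints "setuid", "setgid",
# "setuid setgid" or "none". Handles numeric (4777, 2755, 06755) and symbolic
# modes (u+s, g+s, +s, ug+rwxs, u=rwxs, u+s,g+x).
chmod_sets_suid_sgid() {
    suid=0; sgid=0; mode=""; set -f         # no globbing while splitting $1
    for tok in $1; do
        case "$tok" in *chmod|sudo|-*) continue ;; esac  # program name, options
        mode="$tok"; break                                # first operand = mode
    done; set +f
    case "$mode" in 0[0-7][0-7][0-7][0-7]) mode="${mode#0}" ;; esac
    case "$mode" in
        [0-7][0-7][0-7][0-7])               # numeric: leading digit holds 4/2
            case "$mode" in [4567]???) suid=1 ;; esac
            case "$mode" in [2367]???) sgid=1 ;; esac ;;
        *)                                  # symbolic: comma-separated clauses
            rest="$mode,"
            while [ -n "$rest" ]; do
                clause="${rest%%,*}"; rest="${rest#*,}"
                case "$clause" in *[+=]*) ;; *) continue ;; esac   # "-s" clears
                who="${clause%%[+=-]*}"; perms="${clause#*[+=-]}"
                case "$perms" in *s*) ;; *) continue ;; esac
                case "$who" in ""|*u*|*a*) suid=1 ;; esac   # empty who = all
                case "$who" in ""|*g*|*a*) sgid=1 ;; esac
            done ;;
    esac
    if [ "$suid" -eq 1 ] && [ "$sgid" -eq 1 ]; then echo "setuid setgid"
    elif [ "$suid" -eq 1 ]; then echo "setuid"
    elif [ "$sgid" -eq 1 ]; then echo "setgid"
    else echo "none"; fi
}

# Stand-alone demo: run with --demo to classify the two commands quoted on this
# page and then sweep /usr/bin for setuid/setgid binaries.
if [ "${1:-}" = "--demo" ]; then
    chmod_sets_suid_sgid "chmod 4777 /tmp/example"   # setuid
    chmod_sets_suid_sgid "chmod u+s /tmp/example"    # setuid
    find_suid_sgid /usr/bin
fi
```

A file found by the sweep that is not in a known-good baseline, or a chmod classified as anything other than "none" outside change windows, is the signal to investigate.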