Skip to content
Threat Feed
high advisory

Potential Linux Privilege Escalation via Parent/Child UID Change

This brief details a high-severity Linux privilege escalation technique where an attacker, having gained initial access, drops an exploit in a user- or world-writable directory, executes it as a non-root user, and the resulting child process changes its effective user ID to root (UID 0), thereby achieving full system compromise.

This brief describes a critical Linux privilege escalation technique identified by Elastic, focusing on the sequence of events indicative of an attacker gaining root privileges. It involves a non-root user executing a binary from a user- or world-writable location (e.g., /tmp, /var/tmp, /home/*), which then spawns a child process that successfully changes its effective user ID to 0 (root). This methodology bypasses standard security controls and is often seen in local privilege escalation exploits. While specific campaigns are not detailed, this technique is a common post-exploitation step for various threat actors aiming for full system control and persistence on compromised Linux systems, allowing for further malicious activities like data exfiltration or deploying additional malware.

Attack Chain

  1. Attacker establishes initial access to a Linux system as a non-root user.
  2. Attacker stages a local privilege escalation (LPE) exploit binary or script in a user- or world-writable directory, such as /tmp, /var/tmp, or a user's home directory.
  3. The non-root attacker executes the staged exploit from the writable directory.
  4. The executed exploit (parent process) initiates a child process designed to elevate privileges.
  5. The child process successfully changes its effective user ID to 0 (root), indicating a successful privilege escalation.
  6. The attacker gains full root-level control over the compromised Linux system, allowing for arbitrary command execution and system modification.

Impact

A successful privilege escalation to root on a Linux system grants the attacker complete control over the compromised host. This enables arbitrary code execution, installation of persistent backdoors, modification of system configurations, access to sensitive data, and the ability to pivot to other systems within the network. The attacker can evade detection, destroy evidence, or use the system as a launchpad for further attacks. If critical infrastructure or sensitive data stores are targeted, the impact can include severe data breaches, service disruption, and significant financial and reputational damage to the organization. The advisory does not specify observed victim counts or sectors, but successful root access is universally critical.

Recommendation

  • Enable process_creation and uid_change logging on all Linux endpoints, ideally using an EDR solution like Elastic Defend, to detect the sequence of non-root execution followed by UID change to root as described in this brief.
  • Monitor for process execution from world-writable directories such as /tmp, /dev/shm, /var/tmp, /run/user, or /home/*/*, as highlighted by the process.executable and process.parent.executable fields in the EQL query.
  • Investigate immediately any event.action == "uid_change" where user.id == "0" by a child process whose parent executed from an unprivileged location, especially if the process is not a known administrative tool like /usr/bin/sudo or /bin/sudo.
  • Regularly review file ownership, permissions, and timestamps for executables found in user- or world-writable directories to identify suspicious binaries that might be LPE exploits.
  • Ensure that systems are regularly patched, particularly for kernel and userland packages, to mitigate known local privilege escalation vulnerabilities.