LES: Linux privilege escalation auditing tool


Quick download:

wget -O


LES tool is designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine. It provides following functionality:

Assessing kernel exposure on publicly known exploits

Tool assesses (using heuristics methods discussed in details here) exposure of the given kernel on every publicly known Linux kernel exploit. Example of tool output:

$ ./
[+] [CVE-2017-16995] eBPF_verifier
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL:
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2017-1000112] NETIF_F_UFO
   Exposure: probable
   Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}
   Download URL:
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-8655] chocobo_root
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
   Download URL:
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

For each exploit, exposure is calculated. Following ‘Exposure’ states are possible:

  • Highly probable-极有可能 -经过评估的内核很可能会受到影响,并且PoC漏洞很有可能无需任何重大修改即可立即使用。

  • Probable-可能 -漏洞利用可能会起作用,但很可能需要自定义PoC漏洞以适合您的目标。

  • Less probable – 可能性较小 -需要额外的手动分析以验证内核是否受到影响。

  • Unprobable -极不可能的,内核会受到影响(利用该工具的输出未显示)

Verifying state of kernel hardening security measures

LES can check for most of security settings available by your Linux kernel. It verifies not only the kernel compile-time configurations (CONFIGs) but also verifies run-time settings (sysctl) giving more complete picture of security posture for running kernel. This functionality is modern continuation of --kernel switch from tool by Tobias Klein. Example of tool output:

$ ./ --checksec
Mainline kernel protection mechanisms:
 [ Disabled ] GCC stack protector support (CONFIG_HAVE_STACKPROTECTOR)
 [ Disabled ] GCC stack protector STRONG support (CONFIG_STACKPROTECTOR_STRONG)
 [ Enabled  ] Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_MIN_ADDR)
 [ Disabled ] Restrict unprivileged access to kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT)
 [ Enabled  ] Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE)
 [ Disabled ] Hardened user copy support (CONFIG_HARDENED_USERCOPY)


Assess exposure of the Linux box on publicly known exploits:

$ ./

Show state of security features on the Linux box:

$ ./ --checksec

Assess exposure of Linux kernel on publicly known exploits based on the provided ‘uname’ string (i.e. output of uname -a command):

$ ./ --uname <uname-string>

For more usage examples, see here.

1 对 “Linux 提权辅助工具-LES”的想法;