SUID Binaries
Theory
SUID (setuid) stands for "set user ID upon execution", and it is enabled by default in every Linux distribution. When a file with this bit set is executed, the process's uid is changed to that of the file's owner. If the file owner is root, the uid becomes root even when the file was executed by user bob. The SUID bit is shown as an s in the owner's execute position of the permission string.
Practice
Misc SUID Binaries
Either of these commands lists all SUID binaries (the first also prints their owner and permissions):
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -perm -4000 -type f 2>/dev/null
No Command Path Exploit
If a SUID binary executes another command without specifying its full path, the command is resolved through the caller's PATH, which we can abuse to escalate privileges.
You can use strings to spot calls to other binaries, or reverse engineer the SUID binary.
strings ./the-suid-bin
...
find
...
Functions Export Exploit - Full Path Binary
If the SUID binary executes another command by its full path, we can instead try to export a function named after the command that the SUID file is calling.
You can use strings to spot calls to other binaries or commands, or reverse engineer the SUID binary.
strings ./the-suid-bin
...
/usr/sbin/service apache2 start
...
Shared Library Hijacking
If you find a binary with SUID permissions, you can check whether all the .so files it needs are actually found and loaded:
strace the-suid-bin 2>&1 | grep -i -E "open|access|no such file"
You can also check whether the SUID binary loads a library from a directory we can write to:
# Let's find a SUID binary that uses a non-standard library
ldd the-suid-bin
something.so => /lib/x86_64-linux-gnu/something.so
# The SUID also loads libraries from a custom location where we can write
readelf -d the-suid-bin | grep PATH
0x000000000000001d (RUNPATH) Library runpath: [/development]
Alternatively, you can use the strings command to find the shared libraries in use:
strings ./the-suid-bin | grep -i '\.so'
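The RUNPATH check above can be turned into a system-wide audit. This is an added example, not code from the original page: it walks every SUID binary, extracts the RUNPATH or RPATH from readelf -d output (the format quoted above), and flags entries that are relative (including the empty entry, which the loader resolves against the current directory), missing, or writable by the current user. The script name suid_audit.sh and the --scan flag are my own choices.

```shell
#!/bin/sh
# Added audit helper (not from the original page): list SUID binaries whose RUNPATH/RPATH
# contains an entry that is relative, missing, or writable by the current user, i.e. the
# conditions under which the loader can pick up a library the owner does not control.

# classify_entry DIR -> prints relative | origin | missing | writable | ok
classify_entry() {
    case $1 in
        /*)         ;;                          # absolute: inspect the directory below
        '$ORIGIN'*) echo origin; return ;;      # expands to the binary's own directory at load time
        *)          echo relative; return ;;    # empty or relative entry: resolved against the caller's CWD
    esac
    if   [ ! -d "$1" ]; then echo missing       # may be created later by anyone with rights on the parent
    elif [ -w "$1" ];   then echo writable      # writable by us: a same-named .so here wins over the system copy
    else                     echo ok
    fi
}

# audit_runpath RUNPATH -> prints "ENTRY CLASS" per colon-separated entry; returns 1 if any entry is risky
audit_runpath() {
    rc=0; rest=$1:
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        class=$(classify_entry "$entry")
        printf '%s %s\n' "${entry:-(empty)}" "$class"
        case $class in relative|missing|writable) rc=1 ;; esac
    done
    return $rc
}

# parse_runpath <readelf -d output> -> the bracketed RUNPATH (or RPATH) value, empty if none
parse_runpath() {
    sed -n 's/^.*(R\(UN\)*PATH)[^[]*\[\(.*\)\].*$/\2/p' | head -n 1
}

# audit_suid_binaries -> one line per risky RUNPATH entry found in any SUID binary on the system
audit_suid_binaries() {
    find / -perm -4000 -type f 2>/dev/null | while IFS= read -r bin; do
        rp=$(readelf -d "$bin" 2>/dev/null | parse_runpath)
        [ -n "$rp" ] || continue
        audit_runpath "$rp" | while read -r entry class; do
            [ "$class" = ok ] || printf '%s\tRUNPATH entry %s is %s\n' "$bin" "$entry" "$class"
        done
    done
}

# Usage: sh suid_audit.sh --scan   (walks the whole filesystem; needs readelf installed)
case ${1:-} in --scan) audit_suid_binaries ;; esac
```

Run it as the unprivileged account you are auditing from, since the writability test reflects that account's rights; as root every directory reports as writable.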