💥Exploiting SUID Binaries

Exploiting SUID Binaries

  • In addition to the three main file access permissions (read, write and execute), Linux also provides users with specialized permissions that can be utilized in specific situations. One of these access permissions is the SUID (Set Owner User ID) permission.

  • When applied, this permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary.

  • SUID permissions are typically used to give unprivileged users the ability to run specific scripts or binaries with “root” permissions. Note, however, that the elevated privileges apply only while that script or binary is executing and do not carry over to the user's session. If the binary or script is improperly configured or vulnerable, though, unprivileged users can exploit those weaknesses to obtain an elevated session.

  • This is the functionality that we will be attempting to exploit in order to elevate our privileges. The success of our attack will depend on the following factors:

    • Owner of the SUID binary – Given that we are attempting to elevate our privileges, we will only be exploiting SUID binaries that are owned by the “root” user or other privileged users.

    • Access permissions – We will require executable permissions in order to execute the SUID binary.

Attack Flow for Exploiting SUID Binaries

1. Locate SUID Files

First, locate files that have the SUID bit set, since these are the candidates for privilege escalation:

find / -perm -u=s -type f 2>/dev/null

This command searches the entire filesystem (/) for files (-type f) with the SUID bit set (-perm -u=s), ignoring error messages (2>/dev/null).

2. Identify File Type

Once you identify a file with SUID set, determine its type using the file command:

file <file_name>

Replace <file_name> with the name of the SUID-enabled file. This command tells you whether the file is a binary, script, or another type.

3. Extract Strings from the Binary

Use the strings command to extract readable strings from the binary file:

strings <file_name>

This helps identify any readable content within the binary, such as file paths or function names.

4. Manipulate Referenced Files

If the strings output reveals other files that the SUID binary calls, you can replace the referenced file. For example, you can overwrite it with a copy of the Bash shell:

cp /bin/bash <original_filename>

Replace <original_filename> with the path and name of the file being referenced by the SUID binary.

5. Execute the SUID Binary

When the SUID binary is executed after this manipulation, the substituted file runs with the binary's elevated privileges. By replacing referenced files with malicious alternatives, you can potentially gain a root shell on the system.
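As an added defensive counterpart to the five steps above (example code, not part of the original page), the following POSIX shell audit enumerates SUID files and, for a given binary, flags every embedded absolute path that a non-root user could replace, which is exactly the condition step 4 depends on. The function names and the directory layout used in the comments are assumptions.

```shell
#!/bin/sh
# Added example: audit SUID binaries for replaceable referenced paths.
# Assumes GNU or BSD find (-maxdepth) and grep -a; names are hypothetical.

# find_suid_files DIR : print regular files under DIR with the SUID bit set.
# The page restricts interest to root-owned ones; add "-user root" for that.
find_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# embedded_paths FILE : unique absolute-looking paths found in FILE's bytes
# (a portable stand-in for "strings FILE | grep '^/'").
embedded_paths() {
    grep -aoE '/[[:alnum:]_./-]{2,}' "$1" | sort -u
}

# is_replaceable PATH : succeed if an unprivileged user could swap PATH out.
is_replaceable() {
    p=$1
    d=$(dirname "$p")
    if [ -e "$p" ]; then
        # Existing target: world-writable itself, or inside a world-writable
        # directory without the sticky bit (so it can be renamed or deleted).
        [ -n "$(find "$p" -maxdepth 0 -perm -0002 2>/dev/null)" ] && return 0
        [ -n "$(find "$d" -maxdepth 0 -type d -perm -0002 ! -perm -1000 2>/dev/null)" ] && return 0
        return 1
    fi
    # Missing target: anyone who can write to the parent can plant it,
    # sticky bit or not, since nothing exists there yet.
    [ -n "$(find "$d" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# flag_unsafe_refs FILE : print each embedded path of FILE that is replaceable.
flag_unsafe_refs() {
    embedded_paths "$1" | while IFS= read -r p; do
        is_replaceable "$p" && printf '%s\n' "$p"
    done
    return 0
}

# Typical use on a live host (output is the list to fix or remove):
#   find_suid_files / | while IFS= read -r f; do flag_unsafe_refs "$f"; done
```

Any path this prints should be made non-writable for unprivileged users or the SUID bit removed from the binary that references it.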
