exploiting suid guid files - dvanmosselbeen/security-cheat-sheet GitHub Wiki
Exploiting SUID/GUID Files
Table of Contents
- Finding and Exploiting SUID Files
- What is an SUID binary?
- Finding SUID Binaries
- Exploitation Examples
- Resources
Finding and Exploiting SUID Files
The first step in Linux privilege escalation is to check for files with the SUID/GUID bit set (the "GUID" of this page is more precisely SGID, set-group-ID). Such a file runs with the permissions of its owner/group rather than those of the user who executes it; when the owner is root, that means it runs as the super-user. We can leverage this to get a shell with those privileges!
What is an SUID binary?
As we all know, in Linux everything is a file, including directories and devices, and every file carries permissions that allow or restrict three operations: read/write/execute. So when you set permissions on a file, you should be aware of which Linux users you allow or deny each of the three operations. Take a look at the following demonstration of how maximum privileges (rwx-rwx-rwx) look:
- r = read
- w = write
- x = execute
| user | group | other |
|---|---|---|
| rwx | rwx | rwx |
| 421 | 421 | 421 |
The maximum value that can be used to set permissions for each class is 7, which is the sum of read (4), write (2) and execute (1). For example, if you set permissions using chmod as 755, the result is rwxr-xr-x.
Special permissions are given with an extra, leading octal digit. When the extra bit 4 (i.e. 4000) is set for the user (owner) the file becomes SUID (Set User ID), and when bit 2 (2000) is set for the group it becomes SGID (Set Group ID). For example, chmod 4755 yields rwsr-xr-x, chmod 2755 yields rwxr-sr-x, and chmod 6755 (or chmod ug+s) sets both.
Therefore, the permission strings to look for are:
- SUID: rws-rwx-rwx (the s replaces the owner's x, e.g. -rwsr-xr-x)
- GUID (SGID): rwx-rws-rwx (the s replaces the group's x, e.g. -rwxr-sr-x)
An uppercase S in ls output means the special bit is set but the matching execute bit is missing (e.g. chmod 4644 gives -rwSr--r--), so the file cannot actually be executed that way.
Finding SUID Binaries
We already know that there are SUID files on the system, thanks to our LinEnum scan. However, if we want to do this manually we can use the command find / -perm -u=s -type f 2>/dev/null to search the file system for SUID files. Let's break down this command.
- find - Initiates the find command
- / - Searches the whole file system
- -perm - Searches for files with specific permissions
- -u=s - The setuid bit. With a leading dash (-perm -mode) all of the listed bits must be set, and symbolic modes are accepted in this form. Note that u=s matches only SUID: use -perm -g=s (or -perm -2000) for SGID, or -perm /6000 with GNU find to match either
- -type f - Only search for files
- 2>/dev/null - Suppresses errors. As without this we will get a lot of
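The one-liner above only matches the setuid bit and prints bare paths. The script below is an added example (not code from the wiki) that enumerates both setuid and setgid files, prints mode and owner so root-owned hits stand out, and separately narrows the list to what can really give a root shell: root-owned, setuid, and executable by others. The function names, the demo directory and its file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the wiki: enumerate SUID/SGID files below a
# directory. The page's `find / -perm -u=s -type f 2>/dev/null` matches only
# setuid; this also catches setgid-only files. Names are hypothetical.

# Print "mode owner path" for each regular file under $1 (default /) that has
# the setuid (4000) or setgid (2000) bit set. Errors from unreadable
# directories are discarded, just like the page's 2>/dev/null.
find_special() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
    done
}

# Narrow to what actually yields root: setuid, owned by root, and executable
# by "other". A file with setuid but no execute bit (uppercase S in ls output)
# cannot be run that way and is filtered out here.
find_root_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -user root -perm -4000 -perm -o=x 2>/dev/null
}

# Demo on a constructed temp tree. No root needed: any user may set the
# setuid bit on a file they own (it only grants their own uid).
demo() {
    d=$(mktemp -d)
    : > "$d/suid_exec";   chmod 4755 "$d/suid_exec"    # -rwsr-xr-x
    : > "$d/sgid_only";   chmod 2755 "$d/sgid_only"    # -rwxr-sr-x
    : > "$d/suid_noexec"; chmod 4644 "$d/suid_noexec"  # -rwSr--r--
    : > "$d/plain";       chmod 755  "$d/plain"        # -rwxr-xr-x, not listed
    find_special "$d"
    rm -rf "$d"
}

# Run with `sh suid_enum.sh demo` to see the three listed entries.
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real box run find_special / and compare the result against the distribution's default set (passwd, sudo, su, mount and friends); anything root-owned outside that set, especially under /tmp, /home or /opt, is the candidate to look at first.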
Exploitation Examples
TODO: Find a good example!
For example, in this configuration test as the root user I have f*cked up the thing on purpose, for illustration, by copying bash to a temporary location and setting the SUID and GUID bits:
```
# whereis bash
bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
# ls -lah /bin/bash
-rwxr-xr-x 1 root root 1.1M Apr 4 2018 /bin/bash
# cp /bin/bash /tmp/
# chmod ug+s /tmp/bash
# ls -lah /tmp/bash
-rwsr-sr-x 1 root root 1.1M Aug 19 08:29 /tmp/bash
```
Now, as an unprivileged user, execute the copied bash with -p to gain root. The flag matters: when bash starts with an effective UID that differs from the real UID it resets the effective UID to the real one, so without -p the setuid bit is silently thrown away; -p tells bash to preserve the elevated effective IDs:
```
user8@polobox:~$ /tmp/bash -p
bash-4.4# whoami
root
bash-4.4# id
uid=1007(user8) gid=1007(user8) euid=0(root) egid=0(root) groups=0(root),1007(user8)
bash-4.4#
```
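Seen from the defending side, the planted /tmp/bash above is exactly what a baseline of special files catches. The script below is an added example (not code from the wiki or from LinEnum): it records the current set of setuid/setgid files and later diffs the live state against that record, returning non-zero when anything was added or removed. It relies on GNU/busybox stat -c; the function names and the demo tree are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the wiki: detect a planted setuid/setgid
# binary such as the /tmp/bash copy above by diffing against a baseline.
# Uses GNU/busybox `stat -c`; function and file names are hypothetical.

# Write one sorted "mode owner group path" line per setuid/setgid regular
# file under $1 into the baseline file $2.
suid_baseline() {
    root="$1"; out="$2"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort > "$out"
}

# Compare the live state under $1 with baseline $2. Prints added lines with
# a "+" prefix and removed ones with "-", and returns 1 on any change so the
# function can drive an alert from cron or a monitoring agent.
suid_diff() {
    root="$1"; base="$2"
    now=$(mktemp)
    suid_baseline "$root" "$now"
    changes=$(diff "$base" "$now" | sed -n 's/^> /+ /p; s/^< /- /p')
    rm -f "$now"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a constructed temp tree standing in for "/".
demo() {
    d=$(mktemp -d); base="$d/suid.baseline"
    mkdir "$d/fs"
    : > "$d/fs/passwd"; chmod 4755 "$d/fs/passwd"   # a legitimately setuid file
    suid_baseline "$d/fs" "$base"
    # Attacker step from the page: copy a shell and `chmod ug+s` it.
    : > "$d/fs/bash"; chmod 6755 "$d/fs/bash"
    if suid_diff "$d/fs" "$base"; then
        echo "no change"
    else
        echo "ALERT: setuid/setgid set changed"
    fi
    rm -rf "$d"
}

# Run with `sh suid_watch.sh demo`; in production take the baseline right
# after installation, store it off-box, and run suid_diff / from cron.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Because the baseline records mode and owner as well as the path, the check also fires when an existing binary gains a bit it did not have before (chmod u+s on a root-owned file), not only when a new file appears.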