Enumerating SUID files targeted for priv esc

By Marshall Whittaker
Posted Nov 15, 2022 Updated Mar 13 3 min read
exploit LPE privesc suid sgid files root

Background

One of the methods hackers use to get root, or to escalate their privileges on a system of some kind, is to exploit system binaries that are set to run as a user other than the one invoking them, preferably one with higher privileges. On Unix and Linux these are called “set uid” or “suid” files, if their suid bit is set. The bit makes the binary start up as whichever user owns the file, instead of the user that runs it, as would normally be the case. This can be dangerous, because a few tools lying around the system are owned by root with their suid bit set, so that you can perform certain actions as a user you normally couldn’t, without using sudo.

It is sometimes essential to the operating system’s function, so don’t go randomly removing all suid bits! But be aware of this, and be aware that if a program that has its suid bit set and is owned by root has a vulnerability in its code, then a hacker can use that binary to gain root privs on the machine.

Using the find command

One of the tools installed on almost every Unix and Linux system I have ever used is called find. It is super useful for a variety of reasons, and is not necessarily a security tool, but comes in extremely handy for some security things. Here I will show you how you can list files around the system with their suid (set user id) or sgid (set group id) bits set. After you find them, you can usually read the man page and it will tell you why this file has that bit set by default, or whether it should not!

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

A brief walkthrough of this find command (yes, they can become pretty clunky and complex):

The forward slash is the directory under which you want to recursively look.
The -type f means to search for files only (not directories or links).
The parentheses group the two -perm tests so the -o (“or”) applies to both of them.
-perm -4000 matches files with the suid bit set and -perm -2000 matches files with the sgid bit set; the leading minus means “at least these bits”.
-exec runs ls -l on each file found, so you see the actual permissions on each.
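An added example (not from the original post) that wraps the same find(1) test in a small POSIX sh baseline checker: run the scan once on a known-good host, save the output, then re-run later and flag any set-uid or set-gid file that was not in the baseline. The baseline path is an assumption; file names containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the same find(1) test in a
# small baseline checker. Run suid_scan once on a known-good host, save the
# output, then re-run suid_report later to flag privileged files that appeared.

# suid_scan DIR -> one "MODE OWNER GROUP PATH" line per set-uid/set-gid file.
# Caveat: paths containing spaces are not handled (the last ls field is taken).
suid_scan() {
    # -perm -4000 = set-uid bit present, -perm -2000 = set-gid bit present.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ printf "%s %s %s %s\n", $1, $3, $4, $NF }' | sort -k 4
}

# suid_report BASELINE DIR -> prints scan lines missing from BASELINE.
# Returns 0 when nothing new was found, 1 otherwise (handy for cron/CI),
# and 2 when the baseline cannot be read, so a missing file is never silent.
suid_report() {
    baseline="$1"
    [ -r "$baseline" ] || { echo "cannot read baseline: $baseline" >&2; return 2; }
    current=$(suid_scan "$2")
    [ -n "$current" ] || return 0
    # -x -F: whole-line fixed-string match against the baseline; -v keeps the
    # lines that are NOT there. grep exits 1 when nothing is new, so mask it.
    new=$(printf '%s\n' "$current" | grep -vxF -f "$baseline") || true
    [ -n "$new" ] || return 0
    printf '%s\n' "$new"
    return 1
}

# Typical use (assumed paths):
#   suid_scan / > /var/lib/suid-baseline.txt      # once, on a clean host
#   suid_report /var/lib/suid-baseline.txt /      # later; any output is news
```

Because the mode and owner are part of each line, a suid bit newly added to an already-known path shows up as a new entry too.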

Elaborating on this

We can also look inside .deb archives on a Debian-based system (such as Ubuntu, Kali, etc.) and see which files contained within each package are suid binaries that will be installed by default. If you can get your beloved sysadmin to install a legit binary that you know is vulnerable…

This took a little bit of code, modified from a much less streamlined version I dumped on GitHub long ago:

#!/bin/bash
# big house 5 cars your in charge
# comin up in the world, dont trust nobody
# look over your shoulder constantly
# Collect every package name apt knows about (first word of each search line).
mapfile -t PKG < <(apt-cache search . | cut -f 1 -d ' ')
for i in "${PKG[@]}"; do
  # Download the .deb only; nothing gets installed.
  apt-get download "$i" || continue
  # dpkg -c lists members ls-style. Dropping the first three characters puts
  # the set-uid 's' in column one; keeping every field after the leading '.'
  # means paths that contain dots are not truncated.
  dpkg -c ./*.deb | cut -c 4- | grep '^s' | cut -f 2- -d '.' | tee -a deb_suid_root.txt
  rm -f ./*.deb
done

This will take what the kids today call a “hot minute”. However, I have run it on my Ubuntu Jammy development VPS and published the output.
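An added example, not the post's script, that does the dpkg -c parsing on a constructed sample so it runs offline without apt; it goes beyond the loop above by also catching set-gid members, skipping directories and symlinks, and keeping paths that contain dots. The package name and the sample lines are made up.

```shell
#!/bin/sh
# Added example, not the post's script: parse dpkg -c output for one package
# and report members carrying the set-uid or set-gid bit. Unlike the loop
# above it also catches set-gid files, ignores directories and symlinks, and
# keeps paths that contain dots.

# deb_privileged_members PKG   (dpkg -c lines on stdin)
# prints: PKG KIND MODE OWNER/GROUP PATH
deb_privileged_members() {
    awk -v pkg="$1" '
        # $1 is the ls-style mode. Only regular files ("-") matter: set-gid
        # directories are common and harmless for this purpose, and symlinks
        # carry no permission bits of their own.
        substr($1, 1, 1) == "-" {
            u = (substr($1, 4, 1) ~ /[sS]/)   # user-exec slot: set-uid
            g = (substr($1, 7, 1) ~ /[sS]/)   # group-exec slot: set-gid
            if (!u && !g) next
            kind = (u && g) ? "suid+sgid" : (u ? "suid" : "sgid")
            # The path is everything after the first " ./"; drop the dot so
            # the output is an absolute install path, dots in the name intact.
            p = index($0, " ./")
            path = substr($0, p + 2)
            printf "%s %s %s %s %s\n", pkg, kind, $1, $2, path
        }'
}

# Constructed sample of dpkg -c output (not real package contents).
SAMPLE='-rwsr-xr-x root/root      59976 2022-02-21 11:00 ./usr/bin/passwd
-rwxr-xr-x root/root      12345 2022-02-21 11:00 ./usr/bin/helper.v2.bin
-rwxr-sr-x root/shadow    72184 2022-02-21 11:00 ./usr/bin/chage
drwxrwsr-x root/staff         0 2022-02-21 11:00 ./usr/local/lib/
lrwxrwxrwx root/root          0 2022-02-21 11:00 ./usr/bin/sg -> newgrp
-rwsr-sr-x root/root       1234 2022-02-21 11:00 ./opt/acme.d/tool.v1'

# Live use (needs apt; not run here): inspect one package without installing it.
scan_package() {
    apt-get download "$1" || return 1
    dpkg -c ./"$1"_*.deb | deb_privileged_members "$1"
    rm -f ./*.deb
}

printf '%s\n' "$SAMPLE" | deb_privileged_members passwd
```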

Wrapping up

So hopefully you’ve found some juicy suid 0 binaries you can work on exploiting. If you are on the defensive side of this, flipping a file’s mode back to plain execute instead of suid is as easy as sudo chmod u-s filename (for SUID) or sudo chmod g-s filename (for SGID). Go get ‘em!

This post is licensed under CC BY 4.0 by the author.
© 2023 Marshall Whittaker. Some rights reserved.