Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries


There might be situations where unprivileged users need to complete tasks which needs privileges. Best examples might be ping, passwd etc.

Understanding File Permissions
There are three permission types
r - read
w - write
x - execute
_ rwx r_x __x 

Brown underscore indicates file type (d - directory, l - link, p - pipe etc.), rwx in yellow indicates permissions for file owner or User, r_x in green indicates Group permissions, __x in blue indicates  permissions for all Other users.

                                         Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file can be compiled using GCC
# gcc test_suid.c -o test_suid
Compiling as root user to make sure file is owned by root.

When test_suid binary is executed without SUID bit set, we still have prdarsha user permissions.

                                          Figure.Executing binary with SUID bit not set

Now lets execute test_suid binary after setting SUID bit which will escalate the privilege from notmal user to root user.
File permissions can be set using below command (also refer Figure. File Permissions)
# chmod u+s test_suid

                                          Figure. Executing binary with SUID bit set

Checking the permissions of important file like passwd
                                          Figure. File Permissions

Finding all executable's which have SUID bit set
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;