How does an attacker escalate privileges via SUID misconfigurations

0 votes

I am studying privilege escalation techniques on Linux and want to understand how attackers exploit misconfigured SUID binaries. My questions are:

  • What are the common SUID misconfigurations that lead to privilege escalation?
  • How can an attacker use existing binaries (e.g., find, awk, vim) to gain root access?
  • What are the best ways to detect and mitigate these misconfigurations?

A real-world example of an SUID exploit, along with its remediation, would be useful.
Feb 21 in Cyber Security & Ethical Hacking by Anupam
• 13,900 points
104 views

1 answer to this question.

0 votes

In Unix-like operating systems, the Set User ID (SUID) permission allows users to execute a file with the privileges of the file's owner, often the root user. While this mechanism is essential for certain legitimate functions, misconfigured SUID permissions can be exploited by attackers to escalate their privileges.

1. Common SUID Misconfigurations Leading to Privilege Escalation

Misconfigurations occur when the SUID bit is set on binaries that are either vulnerable or unnecessary:

  • Unnecessary SUID Binaries: Executables that don't require elevated privileges but have the SUID bit set can be exploited. For instance, if text editors like vim or utilities like cp have SUID permissions, attackers can leverage them to gain elevated access.

  • Vulnerable SUID Programs: Programs with known vulnerabilities that have the SUID bit set can be exploited to execute arbitrary code with elevated privileges.

2. Exploiting SUID Misconfigurations Using Common Binaries

Attackers can utilize existing binaries with SUID permissions to escalate privileges:

  • find: The find command can execute other commands. If it has the SUID bit set, an attacker can spawn a root shell:

      find . -exec /bin/sh \; -quit

  • vim: If vim has SUID permissions, it can be used to read or modify sensitive files:

      vim -c ':!/bin/sh'

  • awk: With SUID permissions, awk can be exploited to execute commands with elevated privileges:

      awk 'BEGIN {system("/bin/sh")}'

For a comprehensive list of exploitable binaries, refer to GTFOBins.

3. Detection and Mitigation of SUID Misconfigurations

  • Detection

    • Listing SUID Binaries: Identify all SUID binaries on the system:

      find / -perm -4000 -type f 2>/dev/null

    • Regular Audits: Periodically review SUID binaries to ensure only necessary ones have the SUID bit set.

  • Mitigation

    • Removing Unnecessary SUID Bits: For binaries that don't require elevated privileges:

      chmod u-s /path/to/binary

    • Using Alternatives: Replace SUID binaries with safer alternatives that don't require elevated privileges.

    • Monitoring and Alerts: Implement monitoring to detect changes in SUID binaries and alert administrators of unauthorized modifications.

4. Real-World Example: Exploiting a Misconfigured SUID Binary

Consider a scenario where the vim editor has the SUID bit set:

  • Exploitation

    1. List SUID binaries to find vim:

      find / -perm -4000 -type f 2>/dev/null | grep vim

    2. If /usr/bin/vim is listed, execute:

      /usr/bin/vim -c ':!/bin/sh'

      This command opens a root shell.

  • Remediation

    To prevent this exploitation:

      chmod u-s /usr/bin/vim

By understanding and addressing SUID misconfigurations, system administrators can significantly reduce the risk of privilege escalation attacks.

answered Feb 21 by CaLLmeDaDDY
• 24,380 points
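An added example, not part of the original answer, of the "Regular Audits" and "Monitoring and Alerts" points above: a POSIX shell script that records an inventory of SUID files (mode, owner, hash, path) and reports any binary that was added, removed or replaced compared with a saved baseline. It assumes GNU coreutils (stat -c, sha256sum); the baseline file location in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the original answer): build an inventory of SUID
# files and diff it against a saved baseline, so that a new, removed, or
# replaced SUID binary is reported. Assumes GNU coreutils (stat -c, sha256sum).
# Limitation: paths containing spaces are not handled.
export LC_ALL=C

# suid_inventory ROOT
# One line per SUID file under ROOT: "<octal mode> <owner> <sha256> <path>",
# sorted by path so the result can be stored as a baseline.
suid_inventory() {
  find "$1" -xdev -type f -perm -4000 -exec sh -c '
    for f in "$@"; do
      printf "%s %s %s %s\n" "$(stat -c %a "$f")" "$(stat -c %U "$f")" \
        "$(sha256sum "$f" | cut -d" " -f1)" "$f"
    done' sh {} + 2>/dev/null | sort -k4
}

# suid_diff BASELINE CURRENT
# Prints ADDED / REMOVED / CHANGED lines (CHANGED = same path but a different
# mode, owner, or hash). Returns 1 if anything differs, 0 if the sets match.
suid_diff() {
  tmp=$(mktemp -d) || return 2
  cut -d' ' -f4- "$1" | sort > "$tmp/old_paths"
  cut -d' ' -f4- "$2" | sort > "$tmp/new_paths"
  sort -k4 "$1" > "$tmp/old"
  sort -k4 "$2" > "$tmp/new"
  {
    comm -13 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/ADDED   /'
    comm -23 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/REMOVED /'
    # join on the path (field 4): $2-$4 are the baseline mode/owner/hash,
    # $5-$7 the current ones
    join -j 4 "$tmp/old" "$tmp/new" |
      awk '$2 != $5 || $3 != $6 || $4 != $7 { print "CHANGED " $1 }'
  } > "$tmp/report"
  cat "$tmp/report"
  if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
  rm -rf "$tmp"
  return $rc
}

# Typical use (baseline path is an assumption): record once on a known-good
# host, then compare on every audit run or from a cron job.
#   suid_inventory / > /var/lib/suid-baseline.txt
#   suid_inventory / > /tmp/suid-now.txt
#   suid_diff /var/lib/suid-baseline.txt /tmp/suid-now.txt || echo "SUID set changed"
```

A non-zero exit from suid_diff is what an alerting job keys on; the CHANGED line also catches a legitimately SUID binary that was replaced in place, which a plain list of paths would miss.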
