SUID and Privilege Escalation (or how to not @#$% up your Linux Server :-)

What is SUID in Linux?

SUID (Set User ID) is a special permission bit in Linux/Unix systems that allows users to execute a file with the permissions of the file owner, instead of the permissions of the user running the file. This is particularly useful for allowing non-privileged users to execute tasks that require elevated privileges.

  • The SUID bit is represented by the character s in the file's permissions:

      -rwsr-xr-x 1 root root 12345 Jan 20 20:25 /path/to/suid_program

    Here, the s in the owner’s execute position (rws) indicates the SUID bit is set.

  • If the s appears in the group or other execute positions, this indicates a misconfiguration or mistake.

How SUID Helps in Privilege Escalation

When a program with the SUID bit set is executed, it runs with the privileges of the file owner (commonly root). If the program is vulnerable or misconfigured, attackers can exploit it to gain elevated privileges, including root access.

Examples of SUID Misuse for Privilege Escalation

1. Basic Exploitation of SUID Binaries

  • Misconfigured SUID Program: If a program allows users to execute arbitrary shell commands, attackers can spawn a root shell.

  • Example:

      # Binary with SUID
      -rwsr-xr-x 1 root root 12345 Jan 20 20:25 /usr/bin/vulnerable_binary

    If the program allows command injection:

      /usr/bin/vulnerable_binary '$(/bin/bash)'

    The attacker gains a root shell.

2. Unintended Behavior in SUID Programs

  • Example: A program uses the system() call to execute shell commands without sanitizing user input. If the attacker can control the input, they can execute arbitrary commands with root privileges.

3. CVE-2016-7097: Exploiting libuser

  • Vulnerability: The libuser library mishandled certain inputs when creating user accounts. Programs using this library could be exploited to gain root privileges.

  • Impact: Attackers with local access could craft inputs to escalate their privileges.

4. CVE-2019-14287: Sudo Privilege Bypass

  • Details: If the sudo configuration allowed a user to run commands as any user except root, it could still be exploited to run as root by specifying the user ID -1 or 4294967295.

  • Impact: Attackers could execute commands with root privileges even when explicitly restricted.

5. GTFOBins and SUID Exploitation

  • The GTFOBins project documents how common binaries with SUID can be exploited.

  • Example: Exploiting /bin/bash if it has the SUID bit:

      -rwsr-xr-x 1 root root 12345 Jan 20 20:25 /bin/bash

    Execute it to get a root shell:

      /bin/bash -p

Real-World Cases

1. Exploitation of passwd

  • The passwd command allows users to change their passwords and has the SUID bit set. Historical vulnerabilities have allowed buffer overflow attacks to escalate privileges.

2. Vulnerable Backup Scripts

  • Misconfigured backup scripts running as root often expose paths to attackers. If attackers can modify environment variables (e.g., PATH or LD_PRELOAD), they can execute arbitrary binaries during script execution.

3. Dirty COW (CVE-2016-5195)

  • While not strictly an SUID issue, Dirty COW exploited a race condition in the copy-on-write mechanism. Combined with root-owned files that the race let unprivileged users write to, it allowed attackers to escalate privileges.

4. Exploitation via Development Tools

  • A gcc or python binary with SUID permissions allows attackers to execute arbitrary commands with root privileges:

      -rwsr-xr-x 1 root root 12345 Jan 20 20:25 /usr/bin/gcc
      gcc -wrapper /bin/sh,-c /dev/null

Securing SUID Binaries

  1. Restrict SUID Binaries:

    • Regularly audit SUID binaries:

        find / -perm -4000 2>/dev/null

  2. Sanitize Inputs:

    • Ensure all inputs in SUID programs are validated.

  3. Drop Privileges:

    • Programs should drop unnecessary privileges as soon as possible.
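The third point, as an added example written for this page (not code from the article or from any project): a C helper that a SUID-root program calls once its privileged step is done, showing the order the calls must go in and the check that the drop really stuck. It assumes Linux with glibc, where setuid()/setgid() called as root set the real, effective and saved ids.

```c
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * the gid must be changed while still root, because an unprivileged uid
 * can no longer change them. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Supplementary groups are inherited from the caller; clear them,
         * otherwise a SUID-root helper keeps e.g. the "disk" group. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* As root these set real, effective AND saved ids (Linux semantics),
     * so the drop is irreversible; seteuid() alone would leave saved uid 0. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the calls blindly: confirm root cannot be regained
     * (only meaningful when the target is not root itself). */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* In a SUID-root program getuid() is the invoking user: do the one
     * privileged step first, then fall back to that user for good. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```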

Did you find this article valuable?

Support Tech Ramblings by becoming a sponsor. Any amount is appreciated!