SUID, which stands for Set User ID, is a special permission bit in Linux and Unix-like operating systems. When an executable file has the SUID bit set, the kernel starts the program with its effective user ID set to the file's owner, so it runs with the owner's privileges rather than those of the user who launched it; the real user ID still records who invoked it. This is particularly useful for certain system programs that need elevated privileges to perform specific tasks.
The SUID permission is represented by the letter "s" in the owner's execute position of the file's permission bits (in octal it is the 4000 bit, so 4755 is a SUID file with 755 permissions). When the SUID bit is set, you will see an "s" instead of an "x" in the user permission field; a capital "S" means the bit is set but the owner's execute bit is not, so the file cannot be run at all. For example:
If the SUID bit is set: -rwsr-xr-x
If the SUID bit is not set: -rwxr-xr-x
Common examples of programs that use the SUID permission include passwd, sudo, su and mount. These binaries are owned by root and need its privileges to perform tasks like updating /etc/shadow when a user changes their password or running commands as the superuser.
It's important to note that the SUID mechanism should be used with caution, as it can introduce security risks. If a poorly designed program has the SUID bit set and contains vulnerabilities, it may be exploited to gain unauthorized access or perform malicious actions with elevated privileges. Therefore, system administrators should carefully review and audit programs with the SUID bit set to ensure they are secure and necessary for system functionality.
SUID exploitation is one of the most common local privilege-escalation paths on Unix-like systems, and it is routinely checked during penetration tests and by attackers who have obtained a low-privileged shell. System administrators should follow best practices in securing their systems, including proper configuration, regular updates, and auditing of permissions to minimize the risk of SUID-related vulnerabilities.
Here's a basic overview of SUID exploitation:
Understanding SUID:
SUID is a special permission that can be set on an executable file. When a user runs a program with the SUID bit set, the program runs with the privileges of the file owner rather than the user who is executing the program. Linux honours the bit only on native executables: it is ignored on scripts that start with a #! interpreter line, and on filesystems mounted with the nosuid option.
Exploitation Scenario:
An attacker looks for a program with the SUID bit set that is owned by a privileged user (usually root) and has a security flaw. This could be a stock system utility or a custom program, and the usual starting point is a listing such as find / -perm -4000 -type f 2>/dev/null.
Identifying Vulnerabilities:
The attacker identifies vulnerabilities in the program that can be exploited to execute arbitrary code or commands. These could include buffer overflows, input validation issues, or unsafe use of the environment, for example calling other commands by relative name so that an attacker-controlled PATH decides what gets executed.
Execution of Malicious Code:
The attacker supplies crafted input, arguments, or environment to the vulnerable program rather than modifying its binary. Because the SUID program is executed with elevated privileges, whatever it is tricked into doing (spawning a shell, reading or writing a file) happens with those privileges, allowing the attacker to perform actions they wouldn't normally be allowed to do.
Gaining Elevated Privileges:
By exploiting the SUID program, the attacker may gain elevated privileges, enabling them to access sensitive files, manipulate system configurations, or perform other malicious activities.
Mitigation:
To prevent SUID exploitation, carefully review and audit programs with the SUID bit set. Remove the bit (chmod u-s) from binaries that do not need it, prefer Linux file capabilities (setcap) where a program needs only one specific privilege, and ensure that programs which must keep the bit are secure and well-designed to resist exploitation.
Regular System Audits:
System administrators should conduct regular audits to identify and address potential security risks. This includes monitoring for changes in SUID permissions and reviewing the security of programs with elevated privileges.
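The following script is an added example for the audit step above; it is not code from the original page. It records every SUID regular file on a host (mode, owner, content digest, path) and compares a later run against that saved baseline, so a newly added SUID bit, a changed owner or a replaced binary shows up as drift. It assumes Linux with GNU coreutils (stat -c, sha256sum, mktemp) and a POSIX find, sort and comm; the file name suid_audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): inventory the SUID binaries on a
# host and detect drift against a saved baseline, for the periodic audit
# described above. Assumes Linux with GNU coreutils (stat -c, sha256sum,
# mktemp) and a POSIX find/sort/comm.

# suid_inventory [ROOT]
#   Print one line per SUID regular file under ROOT (default /), without
#   crossing mount points: "<octal mode> <owner> <sha256> <path>".
#   Output is sorted so that two inventories can be compared with comm.
suid_inventory() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # The file may vanish between find and stat; skip it rather than fail.
        mode=$(stat -c '%a' "$f" 2>/dev/null) || continue
        owner=$(stat -c '%U' "$f" 2>/dev/null) || continue
        # A SUID file we cannot read (e.g. mode 4750 owned by root) is still
        # recorded, with a placeholder in place of the digest.
        sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        [ -n "$sum" ] || sum=unreadable
        printf '%s %s %s %s\n' "$mode" "$owner" "$sum" "$f"
    done | LC_ALL=C sort
}

# suid_baseline_check BASELINE [ROOT]
#   Compare the current inventory with BASELINE (a saved suid_inventory run).
#   Prints "- <line>" for entries that disappeared and "+ <line>" for entries
#   that are new or changed (a changed mode, owner or digest shows up as one
#   "-" and one "+"). Returns 0 when nothing changed, 1 on drift.
suid_baseline_check() {
    baseline=$1
    root=${2:-/}
    current=$(mktemp) || return 2
    sorted_base=$(mktemp) || { rm -f "$current"; return 2; }
    suid_inventory "$root" > "$current"
    LC_ALL=C sort "$baseline" > "$sorted_base"
    removed=$(LC_ALL=C comm -23 "$sorted_base" "$current")
    added=$(LC_ALL=C comm -13 "$sorted_base" "$current")
    rm -f "$current" "$sorted_base"
    [ -z "$removed" ] || printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ]   || printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -z "$removed" ] && [ -z "$added" ]
}

# Acts as a CLI when given arguments; when sourced, only the functions are defined.
#   sh suid_audit.sh inventory [ROOT] > suid.baseline   # record the baseline
#   sh suid_audit.sh check suid.baseline [ROOT]         # later: exit 1 on drift
if [ "$#" -gt 0 ]; then
    case $1 in
        inventory) suid_inventory "$2" ;;
        check)     suid_baseline_check "$2" "$3" ;;
        *)         echo "usage: $0 inventory [ROOT] | check BASELINE [ROOT]" >&2 ;;
    esac
fi
```

Run the inventory once as root on a known-good system and keep the baseline somewhere the host cannot modify; a check that returns 1 from cron or a configuration-management run is the signal to look at the "+" lines. Recording the digest alongside the mode means a SUID binary that is replaced in place, with the same permissions, is still caught.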
SUID Exploits (PoC)
cp Command
adduser new_user                  # create a new user (run as root)
getent passwd new_user            # check that new_user exists
su new_user                       # switch to the new_user account
cp /etc/passwd /var/www/html/     # PERMISSION DENIED!
In fact, if I run find / -perm -u=s -type f 2>/dev/null, cp does not appear in the output (alternatively, inspect the permissions directly with ls -l on the command's path). cp therefore runs as new_user, and the copy is denied because new_user cannot write to /var/www/html; /etc/passwd itself is world-readable. If we want to give cp the SUID permission, we need to use chmod u+s on the path of the cp command. Doing so turns cp into a root-level read and write primitive for every local user, which is exactly the kind of unnecessary SUID bit the audit described above should flag:
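As an added example, not part of the original PoC, the two functions below make the observation above checkable from a script: suid_target resolves a command the way the shell does and reports whether it will run as the file owner (SUID bit set) or as the caller, and copy_as_caller names the permission check that stops a non-SUID cp for the calling user. They assume Linux with GNU coreutils (stat -c) and a POSIX shell whose test supports -u; the file name suid_check.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): show which user a command will
# actually run as, and which permission check blocks the copy in the PoC
# above. Assumes Linux with GNU coreutils (stat -c) and a POSIX shell whose
# test supports -u (set-user-ID bit).

# suid_target CMD
#   Resolve CMD the way the shell does and print the user it will run as:
#   the file owner when the SUID bit is set, "caller" otherwise.
#   Returns 1 when CMD does not resolve to a regular file.
suid_target() {
    path=$(command -v "$1" 2>/dev/null) || return 1
    [ -f "$path" ] || return 1
    if [ -u "$path" ]; then
        stat -c '%U' "$path"
    else
        echo caller
    fi
}

# copy_as_caller SRC DST_DIR
#   Report the first DAC check that denies "cp SRC DST_DIR/" to the calling
#   user, which is all a non-SUID cp is allowed. Prints "ok",
#   "source unreadable" or "destination not writable"; returns 0 only for "ok".
#   Root passes every DAC check, so run this as the unprivileged user.
copy_as_caller() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "source unreadable"
        return 1
    fi
    # Creating a file in a directory needs write and search (x) permission on it.
    if [ ! -d "$dst" ] || [ ! -w "$dst" ] || [ ! -x "$dst" ]; then
        echo "destination not writable"
        return 1
    fi
    echo ok
}

# Usage: sh suid_check.sh CMD SRC DST_DIR
#   e.g. sh suid_check.sh cp /etc/passwd /var/www/html   (as new_user)
if [ "$#" -eq 3 ]; then
    printf '%s runs as: %s\n' "$1" "$(suid_target "$1" || echo '<not found>')"
    printf 'copy as caller: %s\n' "$(copy_as_caller "$2" "$3")"
fi
```

Run as new_user before and after the chmod u+s, the first line changes from "cp runs as: caller" to "cp runs as: root"; the second line keeps reporting "destination not writable" because it only evaluates the caller's own permissions, which is precisely the check a SUID cp no longer has to pass.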