SUID Privileges

What are SUID privileges?

A SUID (Set User ID) privilege is a special permission that can be set on a binary file on Unix/Linux systems. This permission gives the user executing the file the same privileges as the file’s owner.

For example, if a binary file has SUID permission set and is owned by the root user, any user who executes it will temporarily acquire the same privileges as the root user, allowing them to perform actions they normally could not as a normal user.

SUID privilege abuse is a technique used by attackers to elevate their access level on a compromised system. If an attacker is able to gain access to a binary file with SUID permissions, they can execute commands with special privileges and perform malicious actions on the system.

There are two main types of user accounts in the Linux operating system:

Root account: Superuser, which has the highest privileges and has unlimited access and control of the system.

User Account: Normal users who have limited privileges that can be defined by the root user.

When a shell is obtained, it is most likely from a user or service with limited privileges. To gain full control of the system or access any file, root privileges are required. The root user’s shell can be obtained through privilege escalation using SUID and GUID.

How to Detect SUID and GUID for Privilege Escalation:

SUID: An “s” in the fourth character of the permission string (the owner’s execute slot, as in -rwsr-xr-x) means the SUID bit is set. The binary runs with the effective user ID of its owner, so a root-owned SUID binary runs as root.

GUID: An “s” in the seventh character (the group’s execute slot, as in -rwxr-sr-x) means the GUID bit (more commonly written SGID) is set. The binary runs with the effective group ID of its owning group, so a root-group-owned binary runs as the root group.

How to Find Binaries with SUID and GUID Set?

We can run the following command to find all SUID binaries.

find / -perm -4000 -type f -ls 2>/dev/null

Here, we are using the find command to search, starting from the root directory (“/”), for any regular file (“-type f”) with the SUID bit set (“-perm -4000”, the octal value of the SUID bit), and redirecting the errors caused by inaccessible directories to /dev/null. “-ls” prints each match in a long-listing format so the permissions, owner, and group are visible.

Similarly, to find GUID binaries, use “-perm -2000” (the octal value of the GUID bit).
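A defender usually wants to go one step further than listing SUID/GUID files: compare what is found against a baseline of the binaries expected on that host, so that anything new stands out for review. The script below is an added example and is not part of the original article. It applies the character-position and octal checks described above to a constructed “ls -l”-style listing and a constructed baseline; the paths and modes in the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a listing of files for SUID/SGID bits and report
# anything that is not in an expected-binaries baseline. The listing and
# baseline below are constructed sample data, not output from a real host.

# In a 10-character mode string such as -rwsr-xr-x, character 4 is the
# owner-execute slot: 's' means SUID plus execute, 'S' means SUID without
# execute. Character 7 is the same slot for the group (SGID).
has_suid() {
    case "$(printf '%s' "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

has_sgid() {
    case "$(printf '%s' "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# The same test on an octal mode (as printed by "stat -c %a"): 4000 is the
# SUID bit and 2000 the SGID bit, which is what "find -perm -4000" and
# "find -perm -2000" match on. The leading 0 makes the shell read it as octal.
octal_has_suid() { [ $(( 0$1 & 04000 )) -ne 0 ]; }
octal_has_sgid() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

# Constructed sample listing: mode, owner, group, path (one file per line).
SAMPLE_LISTING='-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /usr/bin/sudo
-rwxr-sr-x root shadow /usr/bin/chage
-rwxr-xr-x root root /usr/bin/ls
-rwsr-xr-x root root /opt/app/pexec
-rwsr-sr-x root root /usr/local/bin/python3'

# Constructed baseline: SUID/SGID paths that are expected on this host.
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chage'

# Print "KIND OWNER PATH" for every line whose mode has SUID and/or SGID set.
list_privileged() {
    printf '%s\n' "$1" | while IFS=' ' read -r mode owner group path; do
        [ -n "$mode" ] || continue
        kind=''
        if has_suid "$mode"; then kind='SUID'; fi
        if has_sgid "$mode"; then kind="${kind:+$kind+}SGID"; fi
        if [ -n "$kind" ]; then printf '%s %s %s\n' "$kind" "$owner" "$path"; fi
    done
}

# Report privileged files that are absent from the baseline. These are the
# entries an administrator should justify, strip (chmod u-s / chmod g-s)
# or remove, since they are the ones an attacker would look at first.
unexpected_privileged() {
    list_privileged "$1" | while read -r kind owner path; do
        if ! printf '%s\n' "$2" | grep -qxF -- "$path"; then
            printf '%s %s %s\n' "$kind" "$owner" "$path"
        fi
    done
}

echo "SUID/SGID files in listing:"
list_privileged "$SAMPLE_LISTING"
echo
echo "Not in baseline (review these):"
unexpected_privileged "$SAMPLE_LISTING" "$BASELINE"
```

On a real host, the listing would come from the find command above (or from “stat -c '%A %U %G %n'” over its results), and the baseline from a known-good image of the same distribution; the comparison logic stays the same.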

How to Exploit SUID Binaries for Privilege Escalation?

There are certain binaries that will have the SUID bit set on all Linux systems, such as su, sudo, passwd, and gpasswd. These are system binaries and are almost certainly safe. A vulnerability is more likely to be found in non-system binaries.

The exact method of exploitation varies between different binaries. Checking GTFObins for any exploit methods is a good start.

Some Practical Exploitation Examples

Privilege Escalation Using SUID Binaries (with Python) –
If Python has the SUID bit set, the following command can be used to spawn a root shell.

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

As another example, imagine a hypothetical pexec command has SUID permissions. Simply by running

./pexec /bin/bash -p

we would obtain a bash shell running with root privileges. The -p flag matters in both examples: without it, bash and sh notice that the effective user ID differs from the real user ID and drop the elevated privileges on startup.

Privilege Escalation Using Known Exploits (with exim) –
After a quick search, a public exploit for CVE-2016-1531 can be found. It is a privilege escalation vulnerability affecting exim-4.84-3, and running the exploit against a vulnerable installation yields root privileges.
