SUID/SGID Binary Exploitation
SUID (Set User ID) and SGID (Set Group ID) binaries execute with the privileges of the file owner or group rather than those of the invoking user. When owned by root, these binaries provide potential escalation paths. Search for SUID binaries using find / -perm -4000 2>/dev/null. Compare findings against known exploitable binaries, but also investigate custom or unusual SUID programs.
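As an added defender-side example (not from the original text), the following POSIX shell functions enumerate SUID and SGID files under a directory tree and report any that are not listed in an allowlist baseline; the baseline file format (one absolute path per line) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: audit a tree for set-id files
# and flag anything missing from a known-good baseline. Assumes POSIX find,
# sort and grep; the one-path-per-line baseline format is an assumption.

# list_setid ROOT
#   Print sorted paths of regular files under ROOT with the SUID (4000)
#   or SGID (2000) bit set. Unreadable directories are silently skipped.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_setid ROOT BASELINE
#   Print every set-id file under ROOT that does not appear verbatim in
#   BASELINE. Returns 0 when nothing unexpected was found, 1 otherwise,
#   so the function can gate a cron job or CI check.
audit_setid() {
    root=$1
    baseline=$2
    # grep -F -x -v -f: drop lines that exactly match a baseline entry;
    # grep exits 1 when nothing is left, which here means "clean".
    unexpected=$(list_setid "$root" | grep -vxF -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Usage (not run here): audit_setid / /etc/setid-baseline.txt
```

Generate the baseline on a freshly built host with list_setid and keep it under change control; a new entry in the audit output is exactly the "custom or unusual SUID program" worth investigating.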
The GTFOBins database documents techniques for exploiting legitimate binaries when they are configured with SUID. Common examples include using find to execute commands, vim to edit protected files, or bash to spawn privileged shells. Understanding why these techniques work (the binary keeps its elevated privileges while carrying out operations the user controls) makes it possible to recognize the same pattern in unknown binaries.
Custom SUID binary analysis requires different approaches than exploiting known programs. Strings analysis reveals hardcoded values, file paths, or command execution. Running binaries with various inputs identifies command injection opportunities. Library loading vulnerabilities through LD_PRELOAD or manipulated PATH variables provide code execution. Reverse engineering with tools like radare2 or Ghidra reveals deeper vulnerabilities.
Relative path exploitation affects SUID binaries that execute commands without absolute paths. If a vulnerable binary runs a command such as cat instead of /bin/cat, PATH manipulation enables command substitution: create an executable named after the expected command, modify PATH to prioritize your directory, and the binary runs your code with elevated privileges. This simple technique frequently succeeds against custom administrative scripts; binaries that invoke helpers by absolute path or set a fixed PATH at startup are not affected.