setuid() changes the calling process's effective user ID. If the calling
process is privileged, the real UID and saved set-user-ID are set as well.
Setuid is also a particular form of file permission in operating systems
like Linux. It's a security feature that allows users to run certain
applications with elevated rights. When an executable file's setuid
permission is set, users execute that program with the level of access of
the user who owns the file. It is enabled by default in every Linux
distribution.
Find SUID binaries with:
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
Example: the passwd command is owned by root and marked as setuid, so a
user who runs it is granted root access for the duration of that command.
Viewing the setuid permission of a file:
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root 54192 Nov 20 17:03 /usr/bin/passwd
In the user (owner) permissions there is an s in place of the x.
Setting the setuid permission of a file
Use 'chmod u+s myfile' on an executable file to set the setuid
permission for the user. If the file is not executable, a capital "S" is
shown instead of "s" and the bit has no effect. However, if you then make
the file executable with 'chmod u+x', it will be represented with the
lowercase "s".
SETGID
Setgid is the equivalent of setuid for groups. If the bit is set, it
grants the permissions of the group that owns the file. Use
'chmod g+s' instead of 'chmod u+s' to set the setgid permission.
ls -la
-rw-r-sr-- 1 user mygroup 0 Mar 6 10:46 myfile2
Remove the bit
With 'chmod u-s' we can strip the setuid bit off the file
permissions. Similarly 'chmod g-s' will remove the setgid bit.
Privilege Escalation using SUID Binaries
After finding SUID binaries with:
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
see GTFOBins for each binary to learn about privilege escalation methods.
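The same listing can be triaged from the defender's side. The following is an added example, not part of the original post: it reads ls -l style lines, reports setuid/setgid files that are missing from an allowlist, and separates the capital "S" case that has no effect. The audit_listing function, the allowlist file and every sample line are constructed for illustration, and the path is assumed to start at the ninth ls field.

```shell
#!/bin/sh
# Added example: triage `ls -l` style lines for setuid/setgid files.
# audit_listing ALLOWLIST   (listing on stdin; one expected path per line)
# Prints "<verdict> <bits> <owner> <path>" for each special-bit file that is
# not allowlisted: UNEXPECTED (bit is effective) or INERT (capital S only).
# On a host, pipe in the output of:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
audit_listing() {
    awk -v allow="$1" '
        BEGIN { while ((getline p < allow) > 0) expected[p] = 1 }
        {
            u = substr($1, 4, 1)        # owner execute slot: x, -, s or S
            g = substr($1, 7, 1)        # group execute slot
            bits = ""
            if (u == "s" || u == "S") bits = "suid"
            if (g == "s" || g == "S") bits = (bits == "" ? "" : bits "+") "sgid"
            if (bits == "") next        # no special bit on this file
            path = $9                   # assumes the path starts at field 9
            for (i = 10; i <= NF; i++) path = path " " $i
            if (path in expected) next  # part of the known baseline
            verdict = (u == "s" || g == "s") ? "UNEXPECTED" : "INERT"
            print verdict, bits, $3, path
        }'
}

# Constructed sample listing (not taken from a real host).
sample_listing() {
    cat <<'EOF'
-rwsr-xr-x 1 root root 54192 Nov 20 17:03 /usr/bin/passwd
-rwsr-xr-x 1 root root 30112 Jan  5 09:12 /opt/tools/backup-helper
-rwSr--r-- 1 alice alice 0 Mar  6 10:40 /home/alice/myfile
-rw-r-sr-- 1 user mygroup 0 Mar  6 10:46 /home/user/myfile2
-rwxr-xr-x 1 root root 14328 Feb  2 11:00 /usr/bin/true
EOF
}

# Demo run: only passwd is in the baseline.
allowlist=$(mktemp)
printf '%s\n' /usr/bin/passwd > "$allowlist"
sample_listing | audit_listing "$allowlist"
rm -f "$allowlist"
```

Each UNEXPECTED line is a file to review and, where the bit is not needed, to strip with 'chmod u-s' or 'chmod g-s'.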
NOPASSWD and SUDOERS
The sudo configuration might allow a user to execute some command with
another user's privileges without knowing the password. The sudoers file
inside /etc is the configuration file for sudo rights. Linux checks whether
a particular user is in the sudoers file or not.
If the user is not in the sudoers file, they cannot run the command using
sudo. The system administrator can give a NOPASSWD exception to a particular
user so that they can execute sudo commands without being prompted for the
password.