setuid() changes the caller process's effective user ID. The real UID and
stored set-user-ID are also set if the caller process is privileged. Setuid
is also a particular form of file permission in operating systems like Linux.
It is a security feature that allows users to run certain applications with
elevated rights. When an executable file's setuid permission is set, users may
execute that program with the level of access of the user who owns the file.
The mechanism is enabled by default in every Linux distribution.
Find suid binaries with:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
    Example: The passwd command is owned by root and marked as setuid, so the
    user is granted root access while running this command.
Viewing the setuid permission of a file:
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root 54192 Nov 20 17:03 /usr/bin/passwd
Instead of x in the user (owner) execute position, there is an s bit.
Setting the setuid permission of a file
    Use 'chmod u+s myfile' on an executable file to set the setuid permission
    for the user (owner). If the file is not executable by its owner, ls shows
    a capital "S" instead of "s" in that position, and the bit has no effect.
    If you then make the file executable with 'chmod u+x', the bit is
    represented with the lowercase "s".
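An added example that is not part of the original post: a POSIX shell script that classifies the "s" versus "S" distinction described above from the ls -l permission string, and reuses the page's find predicates to audit a directory tree for setuid files. It assumes a Linux system with POSIX ls, find and mktemp; the file it inspects is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post. Position 4 of the ls -l mode
# string is the owner execute slot ("s" = setuid and executable, "S" = setuid
# without execute, so no effect); position 7 is the same slot for the group.

# describe_special_bits FILE -> prints e.g. "setuid:effective",
# "setuid:ineffective", "setgid:effective", a comma-joined pair, or "none".
describe_special_bits() {
    perms=$(ls -ld "$1" | cut -c1-10)
    owner_x=$(printf '%s' "$perms" | cut -c4)
    group_x=$(printf '%s' "$perms" | cut -c7)
    out=""
    case "$owner_x" in
        s) out="setuid:effective" ;;
        S) out="setuid:ineffective" ;;
    esac
    case "$group_x" in
        s) out="${out:+$out,}setgid:effective" ;;
        S) out="${out:+$out,}setgid:ineffective" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# audit_suid ROOT -> one line per setuid regular file under ROOT with its
# owner, using the same find predicates as the page (use / for a real audit
# and diff the output against a known-good baseline to spot new binaries).
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s owner=%s %s\n' "$f" "$owner" "$(describe_special_bits "$f")"
    done
}

# Walk through the chmod sequence from the text on a constructed file.
demo() {
    d=$(mktemp -d)
    : > "$d/myfile"
    chmod 644 "$d/myfile"
    chmod u+s "$d/myfile"        # bit set, not executable: ls shows "S"
    echo "after chmod u+s: $(describe_special_bits "$d/myfile")"
    chmod u+x "$d/myfile"        # now executable: ls shows "s"
    echo "after chmod u+x: $(describe_special_bits "$d/myfile")"
    audit_suid "$d"
    chmod u-s "$d/myfile"        # strip the bit again
    echo "after chmod u-s: $(describe_special_bits "$d/myfile")"
    rm -rf "$d"
}

demo
```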
    
SETGID
    Setgid is the equivalent of setuid for groups. If the bit is set, it grants
    the permissions of the group that owns the file. Use 'chmod g+s' instead of
    'chmod u+s' to set the setgid permission.

    ls -la
    -rw-r-sr-- 1 user mygroup 0 Mar 6 10:46 myfile2
Remove the bit
    With 'chmod u-s' we can strip the setuid bit off the file permissions.
    Similarly, 'chmod g-s' will remove the setgid bit.
        
Privilege Escalation using SUID Binaries
    After finding SUID binaries with:
    find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
    see GTFOBins for each binary to learn about privilege escalation methods.
  
NOPASSWD and SUDOERS
    Sudo configuration might allow a user to execute some command with another
    user's privileges without knowing the password. The sudoers file inside
    /etc is the configuration file for sudo rights. Linux checks whether a
    particular user is in the sudoers file or not.

    If the user is not in the sudoers file, they cannot run the command using
    sudo. The system administrator can give a NOPASSWD exception to a
    particular user so they can execute sudo commands without being prompted
    for the password.
  
We hope this helps. If you have any suggestions or doubts, you can add a
comment and we will reply as soon as possible.