
Setuid


Last updated 8 months ago

What is setuid()?

Setuid is a permission bit on executable files that can let users gain elevated privileges when they run those files.

setuid (short for "set user ID") is a special file permission in Unix-like operating systems that allows users to execute a file with the permissions of the file's owner rather than the permissions of the user who is running the file. This is particularly useful for programs that require elevated privileges to perform certain tasks.

For example, if a file owned by the root user has the setuid bit set, executing that file will give the process root privileges, even if the user running the file is not root.

How to find setuid binaries?

find / -perm -u=s -type f 2>/dev/null

A command to find most setuid binaries on a machine. Some are more hidden, so more enumeration may be required.

What's the harm of setuid permission?

Let's use this shell command as an example:

/bin/chmod +s /bin/bash

We have just set the setuid bit on /bin/bash, meaning it can be run as root. What does this mean? It means any shell spawned from this binary can potentially give you a privileged shell!

Of course this is fun for attackers, as it is a good way to gain root access to the machine, but for defenders this is a nightmare to have: a feature that was meant to help them automate mundane scripted tasks could turn out to be more harmful to them instead.
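As an added example (not code from the original page), the enumeration command above can be turned into a small audit for defenders: record a baseline of setuid/setgid files and report anything added later, such as the `chmod +s /bin/bash` change just described. It assumes a POSIX shell with find, sort, comm and mktemp, and the directory tree it checks is constructed inside a temp dir rather than taken from a real system.

```shell
#!/bin/sh
# Added example: baseline-and-diff audit of setuid/setgid files.
# Assumes POSIX find, sort, comm and mktemp; all paths below are constructed.

# Print every setuid or setgid regular file under directory $1, as paths
# relative to $1, sorted so the listing can be compared against a baseline.
list_suid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null ) | sort
}

# Print files that carry setuid/setgid now but were absent from baseline file $2.
# A non-empty result is the signal a defender wants to alert on.
new_suid() {
    list_suid "$1" | comm -13 "$2" -
}

# Self-contained demo on a constructed directory tree (no real system paths).
# Prints the unexpected entry the audit catches and returns 0.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin"
    # Baseline: one legitimate setuid helper, as an audit of a clean host would record.
    : > "$root/bin/passwd_like"
    chmod 4755 "$root/bin/passwd_like"
    list_suid "$root" > "$root/baseline.txt"
    # Later, someone runs the equivalent of "/bin/chmod +s /bin/bash".
    : > "$root/bin/bash"
    chmod 755 "$root/bin/bash"
    chmod u+s "$root/bin/bash"
    new_suid "$root" "$root/baseline.txt"   # prints ./bin/bash
    rm -rf "$root"
}
```

Run `list_suid /` periodically from a cron job or a configuration-management check and keep the first output as the baseline; `new_suid / baseline.txt` then lists only what changed.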

So if I have setuid means I am (G)root?

Long story short, the answer is NO!

Take this script from the Vulnhub My-CMSMS challenge machine as an example.

It has the following contents:

#!/bin/bash
echo "Usage: binary.sh COMMAND"
# Backticks run the first argument as a command and echo its output
echo `$1`

The script echoes whatever is passed as its first argument; because of the backticks, that argument is executed as a command and its output is what gets echoed.

The binary.sh file has the setuid bit set; however, it does not run with root privileges when executed.

When we get the reverse shell, it is just the same user's shell being called back.

This is despite the file being owned by root and having the setuid bit set.

The setuid() system call is what is required to obtain the privileges, so on a vulnerable system the mere presence of the setuid bit does not automatically mean the process runs with elevated privileges; the process must invoke the setuid() system call for that to take effect.

Interview questions

  • Explain the setuid bit and its primary use in Unix-like operating systems.

  • What is the difference between setuid and setgid? (You can google setgid)

  • Describe a real-world application or system where setuid is crucial. What role does it play in that application? (Example: automation business)

  • Think of how this application may be vulnerable to exploitation. How would you address such vulnerabilities?

  • Explain how an attacker might exploit a vulnerable setuid program. What steps can be taken to prevent such exploits?

References

  • https://www.vulnhub.com/entry/my-cmsms-1,498/

  • https://man7.org/linux/man-pages/man2/setuid.2.html

  • https://www.cbtnuggets.com/blog/technology/system-admin/linux-file-permissions-understanding-setuid-setgid-and-the-sticky-bit

Author: 🐱‍👤

Ninjarku
Figures (images not included in this text):
  • Getting a shell through a setuid /bin/bash binary
  • File binary.sh has setuid marked when searched
  • Execution of binary.sh to call a busybox shell back to our netcat listener
  • Reverse shell received with no change in privilege
  • Setuid permissions set with root as file owner