Vulnarex | Elite Cybersecurity Learning Platform

#A SUID Binary You Forgot About Is a Root Shell Waiting to Happen#link

From Dirty Pipe (CVE-2022-0847), a kernel bug that allowed overwriting read-only files, to a sudo misconfiguration that lets a user run vim as root, Linux privilege escalation paths are abundant. This lesson walks through the most common techniques—SUID abuse, sudo bypass, kernel exploits, and capabilities manipulation—and teaches you to harden against them systematically.

SUID/SGID Abuse: The Classic Elevation Path

A file with SUID root executes with the owner's privileges. If a user can execute a SUID root binary that has a flaw (e.g., vim, less, find), they can drop into a root shell. The countermeasure: audit all SUID files (find / -perm -4000 -type f) and remove SUID from any non-essential binaries. For those that must remain (e.g., passwd), ensure they are hardened and not arbitrarily executable by non-root users.

Find SUID binaries and list details

root@vulnarex:~#find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null | awk '{print $NF, $1}'

A SUID find is a huge risk because find can execute commands. Remove its SUID bit: chmod u-s /usr/bin/find.

Sudo Misconfigurations: NOPASSWD and Wildcards

A sudo rule like 'user ALL=(root) NOPASSWD: /bin/cat /var/log/*' can be exploited by reading /etc/shadow. Rules with wildcards are particularly dangerous. Always prefer explicit command paths and avoid NOPASSWD for interactive users. Use 'sudo -l' to audit what users can execute. The answer should be minimal.

bash

# Check sudo privileges for the current user
sudo -l
# Output should be tightly scoped, e.g.:
# User may run the following commands on host:
#    (root) /usr/bin/systemctl restart nginx

info

💡 Use 'sudo -l' as part of your privilege audit. Any command that can spawn a shell (vi, less, awk) in the sudo list is a direct escalation path.

Escalation Technique	How It Works	Prevention
SUID binary abuse	Run binary that preserves root privileges	Remove SUID from non-essential; limit access
Sudo bypass (wildcards)	Use command to read unauthorized files	Explicit paths, no wildcards, no NOPASSWD
Dirty Pipe (kernel)	Overwrite read-only files via pipe	Patch kernel immediately (CVE-2022-0847)
Capability exploitation	CAP_SYS_ADMIN allows many root actions	Drop capabilities via systemd; use seccomp profiles

Kernel Exploits: Dirty Pipe and Friends

Kernel vulnerabilities like Dirty Pipe allow unprivileged users to overwrite arbitrary files. The only defense is rapid patching. But you can reduce the impact by ensuring that sensitive files are not accessible to the user, using SELinux/AppArmor, and applying kernel hardening parameters (e.g., kernel.kptr_restrict, kernel.dmesg_restrict). Live kernel patching (Ksplice, KernelCare) can apply fixes without rebooting.

▪Audit all SUID/SGID binaries and remove unnecessary ones.
▪Review sudo rules: eliminate wildcards, NOPASSWD, and commands that can spawn shells.
▪Apply kernel updates within 24 hours of release; use live patching if available.
▪Harden kernel parameters via sysctl: restrict dmesg, kptr, and ptrace scope.

STRICT SECURE AUDIT RULE

⚠️ Some automated scripts check for SUID binaries but don't check the content. A binary can be SUID but safely written. Understand what you're removing.

quiz BLOCK (★ 50 XP)

You find that /usr/bin/awk is SUID root. What is the best immediate action?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

Privilege Escalation Audit Lab