Setuid and Setgid

Information

• Name: Setuid and Setgid

• ID: T1548.001

• Tactics: TA0004, TA0005

• Technique: T1548

Introduction

Setuid and Setgid (T1548.001) is a sub-technique within the MITRE ATT&CK framework under the Privilege Escalation tactic. It involves exploiting Unix/Linux file permissions to elevate privileges. Specifically, attackers leverage binaries or scripts with the Set User ID (setuid) or Set Group ID (setgid) bit set, causing them to execute with privileges of the file owner or group rather than the user executing them. Attackers exploit improperly configured or vulnerable setuid/setgid binaries to escalate their privileges, enabling further compromise of systems and networks.

Deep Dive Into Technique

The Setuid (set user ID) and Setgid (set group ID) bits are special permission bits in Unix/Linux systems. They allow users to execute files with the permissions of the file's owner (setuid) or group (setgid), rather than their own permissions. These bits are commonly used legitimately to enable users to perform specific tasks requiring elevated privileges without giving them full administrative rights.

Attackers exploit setuid/setgid permissions through several mechanisms:

• Misconfigured binaries: Attackers search for binaries incorrectly configured with setuid/setgid permissions, allowing arbitrary execution of commands with elevated privileges. Common targets include binaries such as /usr/bin/find, /usr/bin/vim, /usr/bin/nmap, or custom scripts inadvertently left with these permissions.

• Vulnerable legitimate binaries: Legitimate binaries with setuid/setgid bits may contain vulnerabilities, such as buffer overflow or command injection flaws, enabling attackers to escalate privileges upon exploitation.

• Custom binaries/scripts: Attackers may upload malicious binaries or scripts and set the setuid/setgid bits if they initially have sufficient privileges, creating persistent backdoors with elevated privileges.

Real-world procedures attackers commonly perform include:

1. Scanning the system for setuid/setgid binaries:

   Copy

   find / -perm -4000 -type f 2>/dev/null
   find / -perm -2000 -type f 2>/dev/null

2. Exploiting known vulnerable binaries (e.g., "GTFOBins"):

   • Attackers reference publicly documented binaries that can be exploited to escalate privileges (e.g., vim, less, find, nano).

3. Creating malicious binaries or scripts and setting the setuid/setgid bits for persistent elevated access:

   Copy

   chmod u+s /tmp/malicious_binary
   chmod g+s /tmp/malicious_script

When this Technique is Usually Used

Attackers typically leverage the Setuid and Setgid technique in the following attack scenarios and stages:

• Privilege Escalation Stage: After gaining initial access to a Unix/Linux system through exploitation, phishing, or credential theft, attackers use setuid/setgid to escalate from standard user privileges to root or administrative privileges.

• Persistence Stage: Attackers establish persistent elevated access by setting setuid/setgid bits on malicious binaries or scripts, allowing repeated elevated execution without the need to exploit vulnerabilities repeatedly.

• Lateral Movement Stage: Attackers utilize elevated privileges gained through setuid/setgid exploitation to access other systems within the network, facilitating lateral movement.

• Defense Evasion Stage: Attackers may exploit setuid/setgid binaries to execute commands with elevated privileges, bypassing security controls, logging mechanisms, or access restrictions.

How this Technique is Usually Detected

Effective detection of Setuid and Setgid exploitation involves multiple methods and tools:

• Periodic File Permission Audits: Regularly scanning systems for binaries with setuid/setgid permissions:

  Copy

  find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
  find / -perm -2000 -type f -exec ls -l {} \; 2>/dev/null

• Integrity Monitoring and File Auditing Tools:

  • Tripwire, OSSEC, AIDE, and similar tools can detect unauthorized changes to file permissions and alert administrators.

  • Auditd (Linux audit daemon) configured to log setuid/setgid executions:

    Copy

    auditctl -a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 -F euid=0 -k privileged-exec

    This rule detects executions of binaries with elevated privileges.

• Endpoint Detection and Response (EDR) Tools: Modern EDR solutions monitor suspicious execution patterns, privilege escalation attempts, and anomalous binary executions.

• SIEM and Centralized Logging: Centralized log analysis using SIEM solutions (Splunk, ELK Stack, QRadar) enables correlation of events indicative of setuid/setgid exploitation.

Indicators of Compromise (IoCs):

• Unusual binaries/scripts with setuid/setgid bits set, especially in temporary directories or user home directories.

• Execution logs showing unexpected privilege escalation events or execution of uncommon binaries.

• Recent changes to file permissions on sensitive or system-critical binaries.

Why it is Important to Detect This Technique

Early detection of Setuid and Setgid exploitation is critical due to several potential impacts:

• Privilege Escalation: Successful exploitation allows attackers to escalate privileges, gaining administrative/root access, enabling complete system compromise.

• Persistence and Backdoor Creation: Attackers can establish persistent elevated access, making remediation more difficult and increasing the potential damage.

• Data Exfiltration and System Compromise: Elevated privileges enable attackers to access sensitive data, install malware, modify system configurations, and disable security measures.

• Lateral Movement and Network-wide Compromise: Privilege escalation provides attackers with a foothold to move laterally, compromising additional systems within the network.

• Regulatory and Compliance Risks: Undetected privilege escalation can lead to regulatory violations, compliance failures, financial penalties, and reputational damage.

Thus, timely detection and mitigation of setuid/setgid privilege escalation attempts are crucial for maintaining system and network security.

Examples

Real-world examples demonstrating Setuid and Setgid exploitation:

• GTFOBins Exploitation:

  • Attackers frequently exploit binaries listed in GTFOBins (e.g., find, vim, less, nano) to escalate privileges.

  • Example exploitation of find binary:

    Copy

    find . -exec /bin/sh -p \; -quit

  • Impact: Immediate root shell, enabling full system compromise.

• Dirty COW (CVE-2016-5195):

  • Linux kernel vulnerability allowing attackers to overwrite setuid binaries, escalating privileges to root.

  • Widely exploited in real-world attacks due to ease of use.

  • Impact: Complete system compromise, data exfiltration, lateral movement.

• Misconfigured Custom Scripts:

  • Administrators inadvertently assigning setuid/setgid permissions to custom scripts, allowing attackers to exploit command injection vulnerabilities.

  • Attackers leverage these scripts to execute commands with elevated privileges.

  • Impact: Privilege escalation, persistent backdoor creation, lateral movement.

• Equifax Data Breach (2017):

  • Attackers exploited vulnerabilities leading to unauthorized privilege escalation, including setuid/setgid exploitation.

  • Resulted in sensitive data exfiltration, impacting millions of individuals.

  • Impact: Massive data breach, financial penalties, reputational damage.

These examples illustrate the critical risks associated with Setuid and Setgid exploitation and emphasize the importance of proactive detection and mitigation.