security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1166/T1166.md
T
CircleCI Atomic Red Team doc generator 159697cc2e Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00

3.0 KiB
Raw Blame History

T1166 - Setuid and Setgid

Description from ATT&CK

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current users context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesnt need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].

An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setsuid or setgid bits to get code running in a different users context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future (Citation: OSX Keydnap malware).

Atomic Tests


Atomic Test #1 - Setuid and Setgid

Setuid and Setgid

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
payload hello.c payload path hello.c

Run it with these steps!

  1. make hello

  2. sudo chown root hello

  3. sudo chmod u+s hello

  4. ./hello



Atomic Test #2 - Set a SetUID flag on file

This test sets the SetUID flag on a file in Linux and macOS.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
file_to_setuid Path of file to set SetUID flag path /tmp/evilBinary

Run it with sh!

sudo chown root #{file_to_setuid}
sudo chmod u+s #{file_to_setuid}


Atomic Test #3 - Set a SetGID flag on file

This test sets the SetGID flag on a file in Linux and macOS.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
file_to_setuid Path of file to set SetGID flag path /tmp/evilBinary

Run it with sh!

sudo chown root #{file_to_setuid}
sudo chmod g+s #{file_to_setuid}

Reference in New Issue View Git Blame Copy Permalink