diego-treitos / linux-smart-enumeration

Linux enumeration tool for pentesting and CTFs with verbosity levels

Uncommon setuid binaries

0xsan-z opened this issue · comments

Hi diego,

There seems to be a problem in the "Uncommon setuid binaries" check if the uncommon suid binary's name matches one of those in ${lse_common_setuid}
e.g.
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=sys
for cs in ping ping6;
do
setuidbin=$(printf "$setuidbin\n" | grep -Ev "$cs");
done;
printf "$setuidbin\n"

┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
sys <=========================== OK

= = = =
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=pingsys
for cs in ping ping6;
do
setuidbin=$(printf "$setuidbin\n" | grep -Ev "$cs");
done;
printf "$setuidbin\n"

┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
<=========================== NOT OK, was expecting pingsys

Was doing a room on THM where we have to do privesc using an uncommon suid binary named "pingsys" and to my surprise it was not picked up by lse in Uncommon setuid binaries.

Please have a look.

Thanks a lot for reporting this, @0xsan-z. Indeed, that is a poor check. It should be fixed in version 2.8, which I've just released.
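
The filtering problem reported in this issue, as an added example (not code from linux-smart-enumeration and not the fix shipped in version 2.8): the unanchored grep -Ev filter beside a filter that compares each basename to the allowlist exactly. COMMON stands in for ${lse_common_setuid}; the function names and the sample paths are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the project's code. COMMON stands in for
# ${lse_common_setuid}; its entries and FOUND below are constructed.
COMMON="ping ping6"

# Constructed sample of setuid paths, one per line.
FOUND="/usr/bin/ping
/usr/bin/ping6
/usr/bin/pingsys
/usr/local/bin/sys"

# Flawed filter, as in the report: every common name is used as an
# unanchored regex, so any path that merely contains "ping" is dropped.
filter_substring() {
  out="$1"
  for cs in $COMMON; do
    out=$(printf '%s\n' "$out" | grep -Ev -- "$cs" || true)
  done
  printf '%s\n' "$out"
}

# Stricter filter: take the basename of each path and compare it to the
# allowlist as a whole string, so "pingsys" is not mistaken for "ping".
filter_exact() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    if [ -z "$path" ]; then continue; fi
    name=${path##*/}
    keep=1
    for cs in $COMMON; do
      if [ "$name" = "$cs" ]; then keep=0; fi
    done
    if [ "$keep" -eq 1 ]; then printf '%s\n' "$path"; fi
  done
}

echo "substring filter reports as uncommon:"
filter_substring "$FOUND"
echo "exact-match filter reports as uncommon:"
filter_exact "$FOUND"
```

The exact-match variant still trusts a binary by name alone; an allowlist of full paths would be stricter, since a setuid file called ping in an unexpected directory would then be reported as well.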