What is SUID?

SUID aka Set-user identification is a permission on UNIX systems that can allow user x to run a binary as user y. That way, the binary treats the user that invoked the process as the owner of it.

To find binaries in the system with SUID permission execute the following command

$find / -perm -u=s -type f 2>/dev/null

Introduction to SUID vulnerability

From reading last paragraph, you can start guessing where this can go wrong. Well, imagine the root user granted a binary that echoes 'Hello World' the SUID bit. Now a normal user can echo 'Hello World' in the terminal as root.

Let's try to imagine a more realistic approach to SUID binaries. User root assigns the SUID bit to the python binary so other users in the system can develop their programs without any problem.

It does look like there's nothing wrong with this, until a hacker gains access to the server and executes the following command.

/usr/bin/python3 -c 'import os; os.setuid(0);os.execl("/bin/bash)'

With this, the hacker has invoked the python binary as root to call a python function that spawns a shell after setting its user ID as 0 aka root, efectively gaining a shell as the root user.


GTFOBins is a webpage that contains information about how to abuse excessive perms in binaries. This type of vulnerability is really popular among beginner CTF challenges after gaining access to the server, so always try it before anything else.