There are many methods which have been used to gain root privileges from a Unix SUID (Set User ID) script or program.

It is the task of the programmer of the SUID script or program to prevent the hacker from gaining root access.

Here are some methods which hackers utilize and which programmers should prevent:

  1. Changing IFS

If the program calls any other programs using the system() function call, the hacker may be able to fool it by changing IFS. IFS is the Internal Field Separator that the shell uses to delimit arguments.

If the program contains a line that looks like this:

system("/bin/date")

and the hacker changes IFS to '/', the shell will then interpret the preceding line as:

bin date

Now, if the hacker has a program of his own in the path called "bin", the suid program will run his program instead of /bin/date.

To change IFS, use one of these commands:

Bourne Shell:  IFS='/'; export IFS
C Shell:       setenv IFS '/'
Korn Shell:    export IFS='/'

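As an added example (not part of the original text), here is the defensive side of the IFS problem: instead of system("/bin/date"), the SUID program forks and execve()s an absolute path with a fixed environment, so the caller's IFS and PATH never reach a shell. It assumes a POSIX system; the function names are my own.

```c
/* Added example, not from the original text: instead of system("/bin/date"),
 * which hands the command to /bin/sh under the caller's IFS and PATH, a SUID
 * program can fork and execve() an absolute path with a fixed environment.
 * Assumes a POSIX system. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Returns 1 if the caller's IFS contains anything besides the default
 * whitespace separators (e.g. the '/' used in the attack above). */
int ifs_is_tampered(const char *ifs)
{
    if (ifs == NULL) return 0;          /* unset: the shell uses its default */
    for (const char *p = ifs; *p; p++)
        if (*p != ' ' && *p != '\t' && *p != '\n')
            return 1;
    return 0;
}

/* Run PATH with a clean environment and no shell in between. Refuses relative
 * paths so the caller's PATH is never consulted. Returns the child's exit
 * status, 127 if exec failed, or -1 on error. */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);
        _exit(127);                     /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (ifs_is_tampered(getenv("IFS")))
        fprintf(stderr, "warning: caller modified IFS\n");
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv) == 0 ? 0 : 1;
}
```

The same approach (absolute path, explicit argv, fixed envp, no shell) also removes the "suidprog ; id" style command-line injection described later, because no shell ever parses the command string.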
  2. Linking the SUID script to -i

The hacker will create a symbolic link to the program named "-i". The hacker will then execute "-i", which will cause the interpreter shell (/bin/sh) to start up in interactive mode. This only works on suid shell scripts.

Example:

% ln suid.sh -i
% -i
#

  3. Exploiting a race condition

The hacker will attempt to replace a symbolic link to the program with another program while the kernel is loading /bin/sh.

Example:

nice -19 suidprog ; ln -s evilprog suidroot

  4. Sending bad input to the program

The hacker will try to invoke the name of the program and a separate command on the same command line.

Example:

suidprog ; id

Note that these problems also occur with SGID (Set Group ID) scripts and programs.