nerdexam
GIAC

GCIH · Question #486

How is exploiting a buffer overflow in a Linux SUID program owned by root different from exploiting other programs?

The correct answer is D. Attacker would be able to execute code to alter or delete system files. A SUID binary owned by root runs with root privileges regardless of who invokes it, so a successful buffer overflow exploit gains root-level access and can modify or delete protected system files.

Vulnerability Exploitation & Privilege Escalation

Question

How is exploiting a buffer overflow in a Linux SUID program owned by root different from exploiting other programs?

Options

  • AAttacker will be able to execute code with the permissions of the SYSTEM user
  • BThe exploit which the attacker executes does not need to be written in machine code
  • CThe exploit does not need to be written in machine code compatible with the processor
  • DAttacker would be able to execute code to alter or delete system files

How the community answered

(43 responses)
  • A
    12% (5)
  • B
    7% (3)
  • C
    2% (1)
  • D
    79% (34)

Why each option

A SUID binary owned by root runs with root privileges regardless of who invokes it, so a successful buffer overflow exploit gains root-level access and can modify or delete protected system files.

AAttacker will be able to execute code with the permissions of the SYSTEM user

The 'SYSTEM' account is a Windows concept; on Linux the privileged account is 'root' (UID 0), and 'SYSTEM' has no meaning in this context.

BThe exploit which the attacker executes does not need to be written in machine code

Buffer overflow exploits on Linux still require position-dependent or position-independent machine code (shellcode) to overwrite the return address and redirect execution; the exploit must be written in machine code.

CThe exploit does not need to be written in machine code compatible with the processor

Shellcode must be compatible with the target processor's instruction set architecture (e.g., x86-64 vs. ARM); the SUID bit does not change this requirement.

DAttacker would be able to execute code to alter or delete system filesCorrect

When the SUID bit is set on an executable owned by root, the Linux kernel runs that process with an effective UID of 0 (root). A buffer overflow that redirects execution to attacker-controlled shellcode therefore runs with full root privileges, allowing the attacker to read, alter, or delete any file on the system, including critical files like /etc/passwd or kernel modules.

Concept tested: Linux SUID privilege escalation via buffer overflow

Source: https://man7.org/linux/man-pages/man2/execve.2.html

Topics

#buffer overflow#SUID privilege escalation#Linux exploitation#arbitrary code execution

Community Discussion

No community discussion yet for this question.

Full GCIH Practice