Skip to main content

SUID Binary + PATH Hijacking

You find a SUID program (runs as root) badly written: it calls ls instead of /bin/ls.

Category: Linux · Privilege Escalation 🎯 Trench — You find a SUID program (runs as root) badly written: it calls ls instead of /bin/ls. You create your own malicious ls, manipulate PATH so the system finds it first, and the SUID binary executes your code as root. 🔗 Kill chain — Prerequisite: low-priv shell + vulnerable SUID binary. Next: root shell → persistence → exfiltration. 📡 Defensive footprintauditd with rule on execve() detects a legitimate SUID process spawning a child process from a user-controlled directory (/tmp, /dev/shm). ⚠️ False friend — Forgetting chmod +x on your fake binary, or using a shebang unavailable on the target system. 🛡️ Remediation — Recompile the SUID binary with absolute paths (/bin/cat). If not possible, sanitize PATH at script start (PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin).
Back to the full glossary Last updated: 2026-06-11