SUID Binary + PATH Hijacking
You find a SUID program (runs as root) badly written: it calls ls instead of /bin/ls.
Category: Linux · Privilege Escalation 🎯 Trench — You find a SUID program (runs as root) badly written: it callsls instead of /bin/ls. You create your own
malicious ls, manipulate PATH so the system finds it first,
and the SUID binary executes your code as root.
🔗 Kill chain — Prerequisite: low-priv shell + vulnerable SUID
binary. Next: root shell → persistence → exfiltration.
📡 Defensive footprint — auditd with rule on execve()
detects a legitimate SUID process spawning a child process from a
user-controlled directory (/tmp, /dev/shm).
⚠️ False friend — Forgetting chmod +x on your fake binary, or
using a shebang unavailable on the target system.
🛡️ Remediation — Recompile the SUID binary with absolute paths
(/bin/cat). If not possible, sanitize PATH at script start
(PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin).
← Back to the full glossary Last updated: 2026-06-11