Potential Linux Privilege Escalation via Suspicious UID Change
This brief details a high-severity threat where attackers exploit Linux systems to achieve local privilege escalation by executing a non-root process from a user- or world-writable directory (e.g., /tmp, /dev/shm) that subsequently changes its effective user ID to root (UID 0), indicating a successful abuse of a vulnerable setuid binary or kernel flaw to gain full system control.
This threat involves a sophisticated local privilege escalation (LPE) technique on Linux systems. Attackers, after gaining an initial foothold as a non-privileged user, deploy a malicious executable or script into commonly user- or world-writable directories such as /tmp, /dev/shm, /var/tmp, or a user's home directory (/home/). This staged binary is then executed with the non-root user's permissions. The core of the attack lies in the binary's ability to exploit a vulnerability—often a misconfigured or vulnerable setuid binary, a kernel flaw, or similar privilege escalation vector—to force a change in its own effective user ID (UID) to 0 (root) during runtime. This suspicious UID change from a non-root user to root, originating from an untrusted path, is a strong indicator of a successful LPE attempt, granting the attacker full control over the compromised Linux host.
Attack Chain
- Attacker gains initial access and establishes a foothold on a Linux system as a non-root user.
- A malicious executable or script (e.g., an LPE exploit, a wrapper) is deployed by the attacker into a user- or world-writable directory such as
/tmp,/dev/shm, or/var/tmp. - The attacker executes this deployed binary or script using their currently compromised non-root user privileges.
- The executed binary leverages an existing local vulnerability, such as a flawed setuid binary, a kernel exploit, or a misconfiguration.
- As a result of the exploitation, the running process successfully changes its effective user ID (UID) to 0, granting it root privileges.
- The attacker now operates with full system control, enabling further actions like persistence establishment, data exfiltration, or lateral movement.
Impact
Successful exploitation of this privilege escalation technique grants attackers full root privileges on the compromised Linux system. This allows them to bypass security controls, install backdoors, modify system configurations (e.g., /etc/shadow, /etc/sudoers), create new privileged accounts, access sensitive data across the entire system, and potentially establish persistent access. The impact can range from data theft and system manipulation to the use of the compromised host as a staging ground for further attacks within the network. The observed pattern of execution from temporary or user-writable directories followed by UID change indicates a high likelihood of malicious intent and could precede significant damage.
Recommendation
- Deploy the
Potential Linux Privilege Escalation via Suspicious Setuid ExecutionSigma rule to your SIEM to detect this activity. - Ensure comprehensive endpoint logging for
process_creationevents on Linux systems, includingUser,ParentUser, andImagefields. - Review process ancestry and execution context for any alerts generated by the
Potential Linux Privilege Escalation via Suspicious Setuid Executionrule, specifically around UID transitions. - Isolate any Linux hosts showing activity matching the
Potential Linux Privilege Escalation via Suspicious Setuid Executionrule from the network to contain the threat. - Harden your Linux environment by regularly auditing and removing unnecessary setuid programs, and mounting writable directories like
/tmpand/dev/shmwithnosuidandnoexecflags where feasible.
Detection coverage 1
Potential Linux Privilege Escalation via Suspicious Setuid Execution
highDetects potential local privilege escalation on Linux where a process, now running as root, was spawned by a non-root parent from a user- or world-writable directory (e.g., /tmp, /dev/shm). This often indicates setuid binary abuse or a kernel exploit leading to an unauthorized UID change.
Detection queries are available on the platform. Get full rules →