Initial

kfiros · kfiros · commit 7c8d7ed2bae3 · 2015-10-12T02:32:05.000-07:00
diff --git a/Makefile b/Makefile
@@ -0,0 +1,11 @@
+# SUID-Locate Makefile
+
+# Compilation Parameters
+CC=gcc
+CFLAGS= -Iincludes -Wextra -Wall
+SOURCES= suid_locate.c
+
+all:
+	$(CC) $(SOURCES) $(CFLAGS) -o suid-locate
+clean:
+	rm -f suid-locate
diff --git a/README.md b/README.md
@@ -0,0 +1,5 @@
+# SUID-Locate
+
+Files with SUID/SGID can be very handy when properly used, however, it can expose your system to many security risks.
+SUID-Locate easily finds files with the SUID or SGID bit on in your linux system.
+
diff --git a/suid_locate.c b/suid_locate.c
@@ -0,0 +1,188 @@
+/*******************************************************************
+* Project:	SUID-Locate
+*		SUID-Locate searches for files with the SUID/SGID
+*		bit on.
+*
+* Author:	Kfiros (Kfir Shtober)
+* Year:		2015	
+*
+* File:		suid_locate.c
+* Description:	Easily finds files with the SUID or SGID bit on.
+*		Setuid/gid can be very handy when properly used,
+*		however, it can expose your system to many security
+*		risks.
+*******************************************************************/
+
+/*******************************************************************
+* Includes
+*******************************************************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include "suid_locate.h"
+
+/*******************************************************************
+* Name: 	exclude_path
+* Description:	This function decides whether a specific path
+*		should be excluded.
+*******************************************************************/
+static bool exclude_path(const char * path) {
+	bool ret = false;
+
+	if (NULL == path) {
+		ret = true;
+		goto cleanup;
+	}
+
+	/* Avoid /proc directory */
+	if (0 == strncmp(path, PROC_DIR, PROC_DIR_LENGTH)) {
+		ret = true;
+		goto cleanup;
+	}
+
+cleanup:	
+	return ret;
+}
+
+/*******************************************************************
+* Name: 	check_suid
+* Description:	Tests for SUID/GUID bit turned on a given path.
+*******************************************************************/
+static int check_suid(const char * path, OUT bool * is_suid) {
+	int ret = SUCCESS;
+	int call_rv;
+	struct stat path_stat;
+		
+	/* Get file status */
+	call_rv = stat(path, &path_stat);
+	if (ERROR == call_rv) {
+		ret = ERROR;
+		goto cleanup;
+	}
+
+	/* Check if SUID/SGID bit is turned on */
+	if ((ISUID_ON(path_stat)) || (ISGID_ON(path_stat))) {
+		*is_suid = true;
+		goto cleanup;
+	} else {
+		*is_suid = false;
+	}
+cleanup:
+	return ret;
+}
+
+/*******************************************************************
+* Name: 	invalid_dir
+* Description:	Examines if a given directory name is invalid.
+*******************************************************************/
+static bool invalid_dir_name(const char * name) {
+	bool ret = false;
+	
+	if (NULL == name) {
+		ret = true;
+		goto cleanup;
+	}
+
+	if ((THIS_FOLDER_LENGTH == strlen(name)) && 
+				(0 == strncmp(name, THIS_FOLDER_STRING, THIS_FOLDER_LENGTH))) {
+		ret = true;
+		goto cleanup;
+	}
+
+	if ((UPPER_FOLDER_LENGTH == strlen(name)) &&
+				(0 == strncmp(name, UPPER_FOLDER_STRING, UPPER_FOLDER_LENGTH))) {
+		ret = true;
+		goto cleanup;
+	}
+
+cleanup:
+	return ret;
+}
+
+/*******************************************************************
+* Name: 	analyze_entry
+* Description:	This function analyzes a given direntry. In case it's a
+*		directory it lists it, and in case of file it checks
+*		it for suid/sgid.
+*******************************************************************/
+inline static void analyze_entry(const char * path, struct dirent * entry) {
+		int call_rv;
+		char full_entry_path[MAX_PATH_LENGTH];
+		bool is_suid = false;
+
+		if (DT_DIR == entry->d_type) { /* DIRECTORY */
+			if (true == invalid_dir_name(entry->d_name)) {
+				return;
+			}
+			/* Create updated full path */			
+			snprintf(full_entry_path, MAX_PATH_LENGTH, "%s/%s", path, entry->d_name);	
+
+			if (true == exclude_path(full_entry_path)) {
+				return;
+			}
+
+			/* Recursively walk over the directory contents */
+			scan_suid_by_dir(full_entry_path);
+
+		} else { /* FILE */
+			/* Create updated full path */			
+			snprintf(full_entry_path, MAX_PATH_LENGTH, "%s/%s", path, entry->d_name);	
+
+			/* Check for suid/sgid */
+			call_rv = check_suid(full_entry_path, &is_suid);
+			if (SUCCESS != call_rv) {
+				return;
+			} else if(true == is_suid){
+				fprintf(stdout, "[+] %s\n", full_entry_path + 1); /* + 1 to avoid the first slash */
+			}
+		}
+}
+
+/*******************************************************************
+* Name: 	scan_suid_by_dir
+* Description:	Recursively scans the given path for suid/sgid files.
+*******************************************************************/
+static void scan_suid_by_dir(const char * path) {
+	DIR * dir_stream;
+	struct dirent * entry;
+
+	dir_stream = opendir(path);
+	if (NULL == dir_stream) {
+		return;
+	}
+
+	entry = readdir(dir_stream);	
+	if (NULL == entry) {
+		goto cleanup;
+	}
+	
+	do {
+		analyze_entry(path, entry);
+
+	} while ((entry = readdir(dir_stream)));
+cleanup:
+	if (NULL != dir_stream) {
+		closedir(dir_stream);
+	}	
+}
+
+/*******************************************************************
+* Name: 	main
+* Description:	Main function of the program
+*******************************************************************/
+int main() {
+	fprintf(stdout, "[*] suid-locate (Kfiros 2015) \n");
+	fprintf(stdout, "[*] Searching for SUID/SGID files in your system... \n");
+
+	/* Start main logic */
+	scan_suid_by_dir(DIR_PATH);
+
+	fprintf(stdout, "[*] DONE \n");
+
+	return SUCCESS;
+}
+
diff --git a/suid_locate.h b/suid_locate.h
@@ -0,0 +1,54 @@
+/*******************************************************************
+* Project:	SUID-Locate
+*		SUID-Locate searches for files with the SUID/SGID
+*		bit on.
+*
+* Author:	Kfiros (Kfir Shtober)
+* Year:		2015	
+*
+* File:		suid_locate.c
+* Description:	Easily finds files with the SUID or SGID bit on.
+*		Setuid/gid can be very handy when properly used,
+*		however, it can expose your system to many security
+*		risks.
+*******************************************************************/
+
+#ifndef __SUID_LOCATE_H__
+#define __SUID_LOCATE_H__
+
+/*******************************************************************
+* Constants & Macros
+*******************************************************************/
+
+typedef enum {
+	false = 0,
+	true,
+} bool;
+
+#define SUCCESS (0)
+#define ERROR (-1)
+#define OUT
+
+#define DIR_PATH ("/")
+#define MAX_PATH_LENGTH (255)
+
+#define PROC_DIR ("//proc\0")
+#define PROC_DIR_LENGTH (5)
+
+#define ISUID_ON(stat) ((S_ISUID == (S_ISUID & stat.st_mode)) && (S_IXUSR == (S_IXUSR & stat.st_mode)))
+#define ISGID_ON(stat) ((S_ISGID == (S_ISGID & stat.st_mode)) && (S_IXGRP == (S_IXGRP & stat.st_mode)))
+
+
+/* '.' and '..' are two known invalid directories,
+*  we need to handle it properly */
+#define THIS_FOLDER_STRING (".")
+#define THIS_FOLDER_LENGTH (1)
+#define UPPER_FOLDER_STRING ("..")
+#define UPPER_FOLDER_LENGTH (2)
+
+/*******************************************************************
+* Prototypes 
+*******************************************************************/
+static void scan_suid_by_dir(const char * path);
+
+#endif /* __SUID_LOCATE_H__*/
