Today I Learned: Binfmt_misc
6 months ago
- #Linux
- #Privilege Escalation
- #Security
- binfmt_misc is a Linux kernel feature that allows execution of non-native binary formats by registering custom handlers.
- It works by recognizing files via magic bytes or extensions and invoking specified interpreters, managed through the /proc/sys/fs/binfmt_misc filesystem.
- A security risk involves using binfmt_misc to create backdoors by hijacking SUID binaries, so a handler's interpreter can escalate privileges without itself carrying a traditional SUID flag.
- Detection is challenging because the technique leaves minimal traces; monitoring /proc/sys/fs/binfmt_misc for newly registered handlers is the recommended focus.
- The technique is temporary unless a persistence mechanism re-registers the handler, so system reboots offer a detection opportunity.
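As an added example for the detection points above (this is not code from the original post), the script below reads the per-handler status files that the kernel exposes under /proc/sys/fs/binfmt_misc (an `enabled`/`disabled` line, then `interpreter`, `flags:`, and either `extension` or `offset`/`magic`/`mask`) and reports handlers whose `C` flag is set (the interpreter inherits the credentials of the SUID/SGID file it is invoked for) or whose interpreter lives in a user-writable location. The sample status texts, the interpreter paths in them and the list of suspicious directories are constructed for the demo; the audit falls back to those samples when the binfmt_misc mount is not present.

```python
"""Audit registered binfmt_misc handlers for signs of SUID hijacking."""
import os
from dataclasses import dataclass
from typing import List

# Directories an interpreter should normally never live in (assumption for
# this example; adjust to the host's baseline).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")


@dataclass
class Handler:
    name: str
    enabled: bool = False
    interpreter: str = ""
    flags: str = ""       # letters from the kernel's "flags:" line: P, O, C, F
    extension: str = ""
    magic: str = ""
    mask: str = ""
    offset: int = 0


def parse_handler(name: str, text: str) -> Handler:
    """Parse one /proc/sys/fs/binfmt_misc/<name> status file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    h = Handler(name=name, enabled=(lines[0] == "enabled"))
    for ln in lines[1:]:
        key, _, value = ln.partition(" ")
        if key == "interpreter":
            h.interpreter = value
        elif key == "flags:":
            h.flags = value
        elif key == "extension":
            h.extension = value
        elif key == "offset":
            h.offset = int(value)
        elif key == "magic":
            h.magic = value.lower()
        elif key == "mask":
            h.mask = value.lower()
    return h


def audit_handler(h: Handler) -> List[str]:
    """Return findings for one handler; an empty list means nothing odd."""
    findings: List[str] = []
    if not h.enabled:
        return findings
    if "C" in h.flags:
        findings.append(f"{h.name}: 'C' flag set, {h.interpreter} inherits the "
                        "credentials of any SUID/SGID file it is invoked for")
    if h.interpreter.startswith(SUSPICIOUS_DIRS):
        findings.append(f"{h.name}: interpreter in a user-writable location: "
                        f"{h.interpreter}")
    # Only meaningful on the live host; the constructed sample paths do not exist.
    if os.path.isfile(h.interpreter) and os.stat(h.interpreter).st_mode & 0o002:
        findings.append(f"{h.name}: interpreter {h.interpreter} is world-writable")
    return findings


def scan_binfmt_dir(path: str = "/proc/sys/fs/binfmt_misc") -> List[Handler]:
    """Read every handler under the binfmt_misc mount ('register'/'status' skipped)."""
    handlers: List[Handler] = []
    if not os.path.isdir(path):
        return handlers
    for name in sorted(os.listdir(path)):
        if name in ("register", "status"):
            continue
        with open(os.path.join(path, name), encoding="ascii", errors="replace") as fh:
            handlers.append(parse_handler(name, fh.read()))
    return handlers


# Constructed sample status files (not captured from a real system): a typical
# foreign-architecture handler, a suspicious one, and a disabled extension handler.
SAMPLE_QEMU_ARM = """enabled
interpreter /usr/bin/qemu-arm-static
flags: F
offset 0
magic 7f454c4601010100000000000000000002002800
mask ffffffffffffff00fffffffffffffffffeffffff
"""
SAMPLE_SUSPICIOUS = """enabled
interpreter /dev/shm/.binfmt-demo-interp
flags: C
offset 0
magic 7f454c46
"""
SAMPLE_DISABLED = """disabled
interpreter /usr/bin/python3
flags:
extension .py
"""


def demo_findings() -> List[str]:
    """Run the audit over the constructed samples and return all findings."""
    samples = {"qemu-arm": SAMPLE_QEMU_ARM, "helper": SAMPLE_SUSPICIOUS, "py": SAMPLE_DISABLED}
    findings: List[str] = []
    for name, text in samples.items():
        findings.extend(audit_handler(parse_handler(name, text)))
    return findings


if __name__ == "__main__":
    live = scan_binfmt_dir()
    results = [f for h in live for f in audit_handler(h)] if live else demo_findings()
    print("\n".join(results) or "no findings")
```

Run it as root on the host and compare the output with a known-good baseline rather than treating every `C` as an alarm: legitimate handlers (qemu-user-static registrations on some distributions, for instance) may carry `C` on purpose, so the useful signal is a handler that was not there at the last audit, or whose interpreter sits outside the expected system paths. Scheduling the scan at boot and on a timer matches the point above that registrations vanish on reboot unless something re-creates them.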