
This was a huge component of a 2020 DEFCON CTF qualifier challenge that only Samurai and PPP solved, where you had to get code execution or arbitrary file read out of as many setuid binaries as possible, after installing basically every CLI Debian package and changing them to setuid.

There are some very interesting ways to load shared objects or read files with environment variables, and we even found ways to leverage common libraries like readline and gconv to pop apps that used them.
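An added example, not from the commenter above: a small POSIX shell audit that finds setuid/setgid executables under a directory and lists the uppercase identifiers embedded in each one, which is a cheap first-pass guess at the environment variables the binary (or a library it links, such as readline) might consult. glibc's dynamic loader ignores a fixed set of variables such as LD_PRELOAD and LD_LIBRARY_PATH when a process runs setuid, so the script separates those out and reports only the names glibc does not strip; the list below is a partial copy of glibc's unsecure-variable list, and the identifier match is a heuristic that will also catch constants that are not environment variables. The sample file created in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid executables for environment-variable
# names they may read. Heuristic only: any uppercase identifier counts.

# Partial copy of the variables glibc's loader ignores for AT_SECURE
# (setuid) processes; anything NOT in this list is still honoured.
GLIBC_UNSECURE_ENVVARS='GCONV_PATH GETCONF_DIR GLIBC_TUNABLES LD_AUDIT LD_DEBUG LD_LIBRARY_PATH LD_PRELOAD LD_PROFILE LOCPATH MALLOC_TRACE NLSPATH RES_OPTIONS TMPDIR TZDIR'

# list_setuid DIR: print regular files under DIR with the setuid or
# setgid bit set, one per line, staying on the same filesystem.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# env_names_in FILE: print unique uppercase identifiers found in the
# file's bytes (grep -a treats the binary as text, -o prints each match).
env_names_in() {
    grep -aoE '[A-Z][A-Z0-9_]{2,}' "$1" 2>/dev/null | sort -u
}

# unstripped_names FILE: like env_names_in, minus the names glibc
# already discards for setuid processes.
unstripped_names() {
    env_names_in "$1" | while IFS= read -r name; do
        case " $GLIBC_UNSECURE_ENVVARS " in
            *" $name "*) ;;                  # stripped by glibc, skip
            *) printf '%s\n' "$name" ;;      # still reaches the program
        esac
    done
}

# audit_setuid DIR: for each privileged executable, print the path and
# the candidate variables it may honour despite running setuid.
audit_setuid() {
    list_setuid "$1" | while IFS= read -r bin; do
        names=$(unstripped_names "$bin" | tr '\n' ' ')
        printf '%s: %s\n' "$bin" "${names:-(none)}"
    done
}

# Run as: sh audit_setuid.sh /usr   (no argument: only define functions)
if [ -n "${1-}" ]; then
    audit_setuid "$1"
fi
```

To try it on a constructed target instead of a real system: create a file containing the bytes `GCONV_PATH`, `INPUTRC` and `LD_PRELOAD` separated by NULs, `chmod 4755` it, and run `audit_setuid` on its directory; `INPUTRC` (readline's init-file variable) is reported while the two glibc-stripped names are not. Treat the output as a list of places to look, not as findings: a name appearing in a binary does not prove it is read from the environment.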

More recently at SpamAndFlags CTF there was a similar challenge, where an innocent-looking shell script was to be exploited multiple times, each time by a different environment variable. There is a nice writeup at https://github.com/p4-team/ctf/tree/master/2020-05-10-spam-a...


Sounds very interesting, thanks for sharing. Do you have any more information or perhaps a URL to a write-up for this? Or do you remember the challenge name?


Why would you change "every CLI Debian package" to setuid and not expect hundreds of exploits? The solution is not to do something so silly.


Because in the real world, you might have a vulnerability that lets you run one of those packages as root. The competition is to show how many of those you could exploit.

Of course, some of them are trivial; you don't get any props for showing arbitrary file reading when you can run bash or perl as root. But exploiting readline that way is pretty interesting!


glibc's gconv?
