10.Capabilities

Find binaries with capabilities

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

Set cap_net_bind_service capability (Allows binding to privileged ports)

sudo setcap cap_net_bind_service=+ep /usr/bin/my_program

Clear capabilities

sudo setcap -r /usr/bin/my_program

List capabilities of a specific file

getcap /usr/bin/my_program

Using cap_dac_override to read a normally restricted file (Dangerous, be very careful)

/usr/bin/vim.basic /etc/shadow

Using cap_dac_override to overwrite a file

echo "evil code" > /tmp/evil.sh
chmod +x /tmp/evil.sh
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /path/to/important/file # Very dangerous

Overwriting an SUID binary

cp /bin/bash /tmp/suid_bash
chmod u+s /tmp/suid_bash
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /tmp/suid_bash # Very dangerous

Using cap_setuid to change user ID (Requires compiled C program)

Save the following code as setuid.c:

#include <unistd.h>
#include <sys/capability.h>
#include <stdio.h>

int main() {
    cap_value_t cap_list[1];
    cap_list[0] = CAP_SETUID;
    cap_t caps = cap_get_proc();
    cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
    cap_set_proc(caps);
    cap_free(caps);
    setuid(0); // Set UID to root
    execl("/bin/sh", "/bin/sh", NULL);
    return 0;
}

Compile and run:

gcc setuid.c -o setuid -lcap
sudo setcap cap_setuid+ep ./setuid
./setuid

Using cap_sys_admin to mount a file system

mkdir /tmp/mnt
dd if=/dev/zero of=/tmp/loopback.img bs=1M count=10
mkfs.ext4 /tmp/loopback.img
sudo setcap cap_sys_admin+ep /bin/mount
mount /tmp/loopback.img /tmp/mnt -o loop
sudo setcap cap_sys_admin+ep /bin/umount
umount /tmp/mnt

Using auditd to log capability usage

Install and configure auditd:

sudo apt install auditd # or yum install auditd, etc.
sudo systemctl enable auditd
sudo systemctl start auditd
sudo auditctl -a always,exit -F arch=b64 -S capset,setcap,getcap -k capabilities

View logs:

sudo ausearch -k capabilities -ts recent

Checking bounding sets

cat /proc/self/status | grep CapBnd

Checking effective, permitted, and inheritable sets

cat /proc/self/status | grep Cap

Checking the capabilities of a running process

sudo cat /proc/$(pidof processname)/status | grep Cap

Key Concepts:

• Fine-grained Privileges: Capabilities allow for more specific control over permissions than the traditional user/group model.

• Reduced Attack Surface: By granting only necessary capabilities, you limit the potential damage from compromised processes.

• Vulnerabilities:

  • Over-privileging: Giving processes more capabilities than they need.

  • Inadequate Sandboxing: Allowing capable processes to interact with untrusted data or processes.

  • Misconfiguration: Incorrectly setting or understanding capability values.

• setcap Command: Used to assign capabilities to executables.

• Capability Values:

  • = (clear capabilities)

  • +ep (effective and permitted)

  • +ei (effective and inheritable)

  • +p (permitted)

• Dangerous Capabilities:

  • cap_sys_admin: Broad administrative privileges.

  • cap_setuid: Change user ID.

  • cap_setgid: Change group ID.

  • cap_dac_override: Bypass file permission checks.

• Enumeration: find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

• Exploitation Example: Using cap_dac_override to modify /etc/passwd and gain root access.

Important Considerations and Enhancements:

• Security Best Practices:

  • Principle of Least Privilege: Grant only the necessary capabilities.

  • Regular Audits: Review capability assignments to ensure they are still appropriate.

  • Strong Sandboxing: Isolate capable processes as much as possible.

  • Use of tools like auditd to log capability usage.

• Capability Sets: Understand the difference between permitted, effective, inheritable, and bounding capability sets.

• Bounding Set: The bounding set limits the capabilities that a process can acquire, even if they are permitted. This is a crucial security feature.

• File Capabilities vs. Thread Capabilities: Understand how capabilities are applied to files and threads.

• Namespaces: Combine capabilities with namespaces (e.g., user namespaces) for even stronger isolation.

• Modern Distributions: Modern Linux distributions often have enhanced security features that mitigate some capability-related risks, but careful configuration is still essential.

• Real World Exploits: Research real world exploits that utilize linux capabilities. This will enhance your understanding of how they can be used maliciously.

• Alternative to modifying /etc/passwd: While the example given works, it is very dangerous, and easily detectable. There are many other ways of exploiting cap_dac_override that are less detectable. For example, overwriting a SUID binary.

• Capabilities and containers: Capabilities are used extensively in containerization technologies like Docker and Kubernetes. Understanding them is vital for container security.