Linux Capabilities
Capabilities
Normally the root user (or any ID with UID of 0) gets a special treatment when running processes. The kernel and applications are usually programmed to skip the restriction of some activities when seeing this user ID. In other words, this user is allowed to do (almost) anything.
Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
Why capabilities?
To better understand how Linux capabilities work, let’s have a look first at the problem it tries to solve.
Let’s assume we are running a process as a normal user. This means we are non-privileged. We can only access data that owned by us, our group, or which is marked for access by all users. At some point in time, our process needs a little bit more permissions to fulfill its duties, like opening a network socket. The problem is that normal users can not open a socket, as this requires root permissions.
List Capabilities
#You list all the capabilities with
capsh --printHere you can find some capabilities with short descriptions
Capabilities name
Description
CAP_AUDIT_CONTROL
Allow to enable/disable kernel auditing
CAP_AUDIT_WRITE
Helps to write records to kernel auditing log
CAP_BLOCK_SUSPEND
This feature can block system suspends
CAP_CHOWN
Allow user to make arbitrary change to files UIDs and GIDs (full filesystem access)
CAP_DAC_OVERRIDE
This helps to bypass file read, write and execute permission checks (full filesystem access)
CAP_DAC_READ_SEARCH
This only bypass file and directory read/execute permission checks
CAP_FOWNER
This enables to bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file
CAP_KILL
Allow the sending of signals to processes belonging to others
CAP_SETGID
Allow changing of the GID
CAP_SETUID
Allow changing of the UID (set UID of root in you process)
CAP_SETPCAP
Helps to transferring and removal of current set to any PID
CAP_IPC_LOCK
This helps to lock memory
CAP_MAC_ADMIN
Allow MAC configuration or state changes
CAP_NET_RAW
Use RAW and PACKET sockets (sniff traffic)
CAP_NET_BIND_SERVICE
SERVICE Bind a socket to internet domain privileged ports
CAP_SYS_CHROOT
Ability to call chroot()
CAP_SYS_ADMIN
Mount/Unmount filesystems
CAP_SYS_PTRACE
Debug processes (inject shellcodes)
CAP_SYS_MODULE
Insert kernel modules
Capabilities Sets
Inherited capabilities
CapEff: The effective capability set represents all capabilities the process is using at the moment (this is the actual set of capabilities that the kernel uses for permission checks). For file capabilities the effective set is in fact a single bit indicating whether the capabilities of the permitted set will be moved to the effective set upon running a binary. This makes it possible for binaries that are not capability-aware to make use of file capabilities without issuing special system calls.
CapPrm: (Permitted) This is a superset of capabilities that the thread may add to either the thread permitted or thread inheritable sets. The thread can use the capset() system call to manage capabilities: It may drop any capability from any set, but only add capabilities to its thread effective and inherited sets that are in its thread permitted set. Consequently it cannot add any capability to its thread permitted set, unless it has the cap_setpcap capability in its thread effective set.
CapInh: Using the inherited set all capabilities that are allowed to be inherited from a parent process can be specified. This prevents a process from receiving any capabilities it does not need. This set is preserved across an execve and is usually set by a process receiving capabilities rather than by a process that’s handing out capabilities to its children.
CapBnd: With the bounding set it’s possible to restrict the capabilities a process may ever receive. Only capabilities that are present in the bounding set will be allowed in the inheritable and permitted sets.
CapAmb: The ambient capability set applies to all non-SUID binaries without file capabilities. It preserves capabilities when calling execve. However, not all capabilities in the ambient set may be preserved because they are being dropped in case they are not present in either the inheritable or permitted capability set. This set is preserved across execve calls.
For a detailed explanation of the difference between capabilities in threads and files and how are the capabilities passed to threads read the following pages:
Processes & Binaries Capabilities
Processes Capabilities
To see the capabilities for a particular process, use the status file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities. Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes.
This command should return 5 lines on most systems.
CapInh = Inherited capabilities
CapPrm = Permitted capabilities
CapEff = Effective capabilities
CapBnd = Bounding set
CapAmb = Ambient capabilities set
These hexadecimal numbers don’t make sense. Using the capsh utility we can decode them into the capabilities name.
Lets check now the capabilities used by ping:
Although that works, there is another and easier way. To see the capabilities of a running process, simply use the getpcaps tool followed by its process ID (PID). You can also provide a list of process IDs.
Lets check here the capabilities of tcpdump after having giving the binary enough capabilities (cap_net_admin and cap_net_raw) to sniff the network (tcpdump is running in process 9562):
As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary. The getpcaps tool uses the capget() system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information.
Binaries Capabilities
Binaries can have capabilities that can be used while executing. For example, it's very common to find ping binary with cap_net_raw capability:
You can search binaries with capabilities using:
Dropping capabilities with capsh
If we drop the CAP_NET_RAW capabilities for ping, then the ping utility should no longer work.
Besides the output of capsh itself, the tcpdump command itself should also raise an error.
/bin/bash: /usr/sbin/tcpdump: Operation not permitted
The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected.
Remove Capabilities
You can remove capabilities of a binary with
User Capabilities
Apparently it's possible to assign capabilities also to users. This probably means that every process executed by the user will be able to use the users capabilities.
Base on on this, this and this a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be /etc/security/capability.conf.
File example:
Environment Capabilities
Compiling the following program it's possible to spawn a bash shell inside an environment that provides capabilities.
Inside the bash executed by the compiled ambient binary it's possible to observe the new capabilities (a regular user won't have any capability in the "current" section).
Capability-aware/Capability-dumb binaries
The capability-aware binaries won't use the new capabilities given by the environment, however the capability dumb binaries will use them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries.
Service Capabilities
By default a service running as root will have assigned all the capabilities, and in some occasions this may be dangerous. Therefore, a service configuration file allows to specify the capabilities you want it to have, and the user that should execute the service to avoid running a service with unnecessary privileges:
Malicious Use
Capabilities are useful when you want to restrict your own processes after performing privileged operations (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
You can force capabilities upon programs using setcap, and query these using getcap:
The +ep means you’re adding the capability (“-” would remove it) as Effective and Permitted.
To identify programs in a system or folder with capabilities:
Exploitation example
In the following example the binary /usr/bin/python2.6 is found vulnerable to privesc:
Capabilities needed by tcpdump to allow any user to sniff packets:
The special case of "empty" capabilities
Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that:
is not owned by root
has no
SUID/SGIDbits sethas empty capabilities set (e.g.:
getcap myelfreturnsmyelf =ep)
then that binary will run as root.
CAP_SYS_ADMIN
This means that you can mount/umount filesystems.
Example with binary
Using python you can mount a modified passwd file on top of the real passwd file:
And finally mount the modified passwd file on /etc/passwd:
And you will be able to su as root using password "password".
Example with environment (Docker breakout)
You can check the enabled capabilities inside the docker container using:
Inside the previous output you can see that the SYS_ADMIN capability is enabled.
Mount
This allows the docker container to mount the host disk and access it freely:
Full access
In the previous method we managed to access the docker host disk. In case you find that the host is running an ssh server, you could create a user inside the docker host disk and access it via SSH:
CAP_SYS_PTRACE
This means that you can escape the container by injecting a shellcode inside some process running inside the host.
Example with binary
Example with environment (Docker breakout)
You can check the enabled capabilities inside the docker container using:
List processes running in the host ps -eaf
Get the architecture
uname -mFind a shellcode for the architecture (https://www.exploit-db.com/exploits/41128)
Find a program to inject the shellcode into a process memory (https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c)
Modify the shellcode inside the program and compile it
gcc inject.c -o injectInject it and grab your shell:
./inject 299; nc 172.17.0.1 5600
CAP_SYS_MODULE
This means that you can insert/remove kernel modules in/from the kernel of the host machine.
Example with binary
In the following example the binary python has this capability.
By default, modprobe command checks for dependency list and map files in the directory /lib/modules/$(uname -r).
In order to abuse this, lets create a fake lib/modules folder:
Then compile the kernel module you can find 2 examples below and copy it to this folder:
Finally, execute the needed python code to load this kernel module:
Example 2 with binary
In the following example the binary kmod has this capability.
Which means that it's possible to use the command insmod to insert a kernel module. Follow the example below to get a reverse shell abusing this privilege.
Example with environment (Docker breakout)
You can check the enabled capabilities inside the docker container using:
Inside the previous output you can see that the SYS_MODULE capability is enabled.
Create the kernel module that is going to execute a reverse shell and the Makefile to compile it:
The blank char before each make word in the Makefile must be a tab, not spaces!
Execute make to compile it.
Finally, start nc inside a shell and load the module from another one and you will capture the shell in the nc process:
The code of this technique was copied from the laboratory of "Abusing SYS_MODULE Capability" from https://www.pentesteracademy.com/
CAP_DAC_READ_SEARCH
This means that you can bypass can bypass file read permission checks and directory read/execute permission checks.
Example with binary
The binary will be able to read any file. So, if a file like tar has this capability it will be able to read the shadow file:
Example with binary2
In this case lets suppose that python binary has this capability. In order to list root files you could do:
And in order to read a file you could do:
Example with **Environment (Docker breakout)
You can check the enabled capabilities inside the docker container using:
Inside the previous output you can see that the DAC_READ_SEARCH capability is enabled. As a result, the container can debug processes.
You can learn how the following exploiting works in https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3 but in resume CAP_DAC_READ_SEARCH not only allows us to traverse the file system without permission checks, but also explicitly removes any checks to open_by_handle_at(2) and could allow our process to sensitive files opened by other processes.
The original exploit that abuse this permissions to read files from the host can be found here: http://stealth.openwall.net/xSports/shocker.c, the following is a modified version that allows you to indicate the file you want to read as first argument and dump it in a file.
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
The code of this technique was copied from the laboratory of "Abusing DAC_READ_SEARCH Capability" from https://www.pentesteracademy.com/
CAP_DAC_OVERRIDE
This mean that you can bypass write permission checks on any file, so you can write any file.
There are a lot of files you can overwrite to escalate privileges, you can get ideas from here.
Example with binary
In this example vim has this capability, so you can modify any file like passwd, sudoers or shadow:
Example with binary 2
In this example python binary will have this capability. You could use python to override any file:
Example with environment + CAP_DAC_READ_SEARCH (Docker breakout)
You can check the enabled capabilities inside the docker container using:
First of all read the previous section that abuses DAC_READ_SEARCH capability to read arbitrary files of the host and compile the exploit. Then, compile the following version of the shocker exploit that ill allow you to write arbitrary files inside the hosts filesystem:
In order to scape the docker container you could download the files /etc/shadow and /etc/passwd from the host, add to them a new user, and use shocker_write to overwrite them. Then, access via ssh.
The code of this technique was copied from the laboratory of "Abusing DAC_OVERRIDE Capability" from https://www.pentesteracademy.com
CAP_CHOWN
This means that it's possible to change the ownership of any file.
Example with binary
Lets suppose the python binary has this capability, you can change the owner of the shadow file, change root password, and escalate privileges:
CAP_FORMER
This means that it's possible to change the permission of any file.
Example with binary
If python has this capability you can modify the permissions of the shadow file, change root password, and escalate privileges:
CAP_SETUID
This means that it's possible to set the effective user id of the created process.
Example with binary
If python has this capability, you can very easily abuse it to escalate privileges to root:
Another way:
CAP_SETGID
This means that it's possible to set the effective group id of the created process.
There are a lot of files you can overwrite to escalate privileges, you can get ideas from here.
Example with binary
In this case you should look for interesting files that a group can read because you can impersonate any group:
Once you have find a file you can abuse (via reading or writing) to escalate privileges you can get a shell impersonating the interesting group with:
In this case the group shadow was impersonated so you can read the file /etc/shadow:
If docker is installed you could impersonate the docker group and abuse it to communicate with the docker socket and escalate privileges.
CAP_SETFCAP
This means that it's possible to set capabilities on files and processes
Example with binary
If python has this capability, you can very easily abuse it to escalate privileges to root:
Note that if you set a new capability to the binary with CAP_SETFCAP, you will lose this cap.
Once you have SETUID capability you can go to it's section to see how to escalate privileges.
CAP_KILL
This means that it's possible to kill any process. You cannot escalate privileges directly with this capability.
Example with binary
Lets suppose the python binary has this capability. If you could also modify some service or socket configuration (or any configuration file related to a service) file, you could backdoor it, and then kill the process related to that service and wait for the new configuration file to be executed with your backdoor.
CAP_NET_BIND_SERVICE
This means that it's possible to listen in any port (even in privileged ones). You cannot escalate privileges directly with this capability.
Example with binary
If python has this capability it will be able to listen on any port and even connect from it to any other port (some services require connections from specific privileges ports)
CAP_NET_RAW
This means that it's possible to sniff traffic. You cannot escalate privileges directly with this capability.
Example with binary
If the binary tcpdump has this capability you will be able to use it to capture network information.
Note that if the environment is giving this capability you could also use tcpdump to sniff traffic.
Example with binary 2
The following example is python2 code that can be useful to intercept traffic of the "lo" (localhost) interface. The code is from the lab "The Basics: CAP-NET_BIND + NET_RAW" from https://attackdefense.pentesteracademy.com/
CAP_NET_ADMIN + CAP_NET_RAW
This means that it's possible modify firewall rules. You cannot escalate privileges directly with this capability.
Example with binary
Lets suppose that the python binary has these capabilities.
CAP_LINUX_IMMUTABLE
This means that it's possible modify inode attributes. You cannot escalate privileges directly with this capability.
Example with binary
If you find that a file is immutable and python has this capability, you can remove the immutable attribute and make the file modifiable:
References
Most of these examples were taken from some labs of https://attackdefense.pentesteracademy.com/, so if you want to practice this privesc techniques I recommend these labs.
Other references:
Last updated