Capabilities Abuse
Last updated
Last updated
Capabilities in Linux are special attributes that can be allocated to processes, binaries, services and users and they can allow them specific privileges that are normally reserved for root-level actions, such as being able to intercept network traffic or mount/unmount file systems. If misconfigured, these could allow an attacker to elevate their privileges to root.
The following capabilities are particularly dangerous and should be investigated further if found enabled on a system:
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_SETUID
CAP_SETGID
CAP_NET_RAW
CAP_SYS_ADMIN
CAP_SYS_PTRACE
CAP_SYS_MODULE
CAP_FORMER
CAP_SETFCAP
The following command can be used to identify binaries that have capabilities allocated to them:
Whereas the following command can be used to check whether a running process has capabilities assigned:
Capabilities assigned to users are stored in the /etc/security/capability.conf configuration file:
Additionally, systemd offers directives for configuring capabilities on service units, through the “AmbientCapabilities” variable:
The easiest way to identify misconfigured capabilities is to use enumeration scripts such as LinPEAS:
Based on the output from the commands used above, the /usr/bin/python3.8 binary has the cap_setuid capabilities assigned, which allows to set the effective user ID of a process when running its binary i.e. executing binaries as root.
Aaccording to GTFOBins, it can be easily exploited with the following command, which simply executes /bin/sh with the SUID bit set:
Executing the command while logged in as a non-root user:
As shown above, this has allowed to escalate privileges to root, many different capabilities can be exploited to read/write to files, intercept network traffic, mount/unmount file systems and more, which can potentially lead to escalation of privileges.
Once the capabilities have been assigned, a great resource to find out if they can be vulnerable (if assigned to variables) is through , as for each applicable binary it has a handy “Capabilities” section which shows how certain capabilities can be exploited to elevate privileges. This page is also great. Alternatively, googling for the capability and the object it is assigned to normally does the trick.
