GitHubLinkedInEmail

Capabilities Abuse

Intro

LogoLinux capabilities 101Linux Audit

Scenario

LogoPrivilege Escalation by abusing SYS_PTRACE Linux CapabilityMedium
LogoLinux CapabilitiesHackTricks
LogoExploiting Linux Capabilities – Part 1tbhaxor

Capabilities in Linux are special attributes that can be allocated to processes, binaries, services and users and they can allow them specific privileges that are normally reserved for root-level actions, such as being able to intercept network traffic or mount/unmount file systems. If misconfigured, these could allow an attacker to elevate their privileges to root.

Dangerous Capabilities

The following capabilities are particularly dangerous and should be investigated further if found enabled on a system:

  • CAP_CHOWN

  • CAP_DAC_OVERRIDE

  • CAP_DAC_READ_SEARCH

  • CAP_SETUID

  • CAP_SETGID

  • CAP_NET_RAW

  • CAP_SYS_ADMIN

  • CAP_SYS_PTRACE

  • CAP_SYS_MODULE

  • CAP_FORMER

  • CAP_SETFCAP

Find Binaries with Dangerous CAPs

The following command can be used to identify binaries that have capabilities allocated to them:

getcap -r / 2>/dev/null

Whereas the following command can be used to check whether a running process has capabilities assigned:

cat /proc/[process ID]/status | grep Cap

Capabilities assigned to users are stored in the /etc/security/capability.conf configuration file:

Additionally, systemd offers directives for configuring capabilities on service units, through the “AmbientCapabilities” variable:

LinPEAS

The easiest way to identify misconfigured capabilities is to use enumeration scripts such as LinPEAS:

Once the capabilities have been assigned, a great resource to find out if they can be vulnerable (if assigned to variables) is through GTFOBins, as for each applicable binary it has a handy “Capabilities” section which shows how certain capabilities can be exploited to elevate privileges. This HackTricks page is also great. Alternatively, googling for the capability and the object it is assigned to normally does the trick.

Exploiting CAPs

Based on the output from the commands used above, the /usr/bin/python3.8 binary has the cap_setuid capabilities assigned, which allows to set the effective user ID of a process when running its binary i.e. executing binaries as root.

Aaccording to GTFOBins, it can be easily exploited with the following command, which simply executes /bin/sh with the SUID bit set:

/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Executing the command while logged in as a non-root user:

As shown above, this has allowed to escalate privileges to root, many different capabilities can be exploited to read/write to files, intercept network traffic, mount/unmount file systems and more, which can potentially lead to escalation of privileges.

Useful Resources

LogoLinux Privilege Escalation - Capabilitieswixnic
LogoLinux Privilege Escalation Using CapabilitiesRangeForce
PreviousSudo AbuseNextEnvironment Variables

Last updated