Linux Privilege Escalation using Capabilities

What are Capabilities in Linux? How do they differ from SUID?

Before capabilities were introduced in Linux, the SUID and SGID bits were the only way to permit a non-root user to perform an action reserved for privileged users. The SUID bit makes a binary execute as the file owner rather than as the user who runs it; the SGID bit does the same for the group owner. When misconfigured, SUID and SGID are easily exploited, since they allow any user to perform any action that the file owner could.

Capabilities are more secure because the restrictions are set on specific kernel calls, rather than??. All kernel calls are split and grouped by related functionality, and each group can be assigned to a binary. Linux capabilities therefore allow more effective privilege control. However, just like SUID and SGID bits, capabilities are also vulnerable to misconfiguration, and a misconfigured capability can provide privilege escalation to the root user.

Now with Linux capabilities explained, let’s see how to exploit them for Linux privilege escalation.

How to exploit Capabilities for Privilege Escalation?

Unlike SUID or SGID bits, which are found with the “find” command, capabilities are found with the following command:

getcap -r / 2>/dev/null

Here,

  1. “getcap” is the main command; it finds and prints the capabilities set on files.
  2. “-r /” searches recursively from the root directory, that is, across the whole file system.
  3. “2>/dev/null” discards error messages, which are mostly caused by inaccessible directories.

Here is a short list (out of many) of the Linux capabilities most prone to privilege escalation:

  1. cap_sys_admin – this capability provides almost complete access to administrative privileges. You could add or modify system capabilities, mount or unmount file systems, modify kernel modules, set process priorities, and much more.
  2. cap_setuid and cap_setgid – these two capabilities allow the modification of user or group IDs and can allow privilege escalation if poorly assigned.
  3. cap_chown – this capability allows the ownership of any file or directory to be changed.
  4. cap_dac_read_search – this capability bypasses discretionary access controls to read and search any file or directory.
  5. cap_dac_override – this capability bypasses discretionary access controls to override file system permissions and access any file or directory.

In addition, a capability must be set with “+ep” to be exploitable. “e” here means executable and “p” here means that SUID has been set on the binary. Together “+ep” indicates that a binary has both the executable permission and the SUID permission set. This allows the binary to be executed as a program and grants it the ability to run with elevated privileges.
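From the defender's side, the same getcap output can be triaged automatically. The script below is an added example, not part of the original article: it flags files that hold one of the capabilities listed above with both the “e” and “p” flags. The function names and the sample lines are constructed for illustration, and it accepts both the older “path = cap+ep” and the newer “path cap=ep” output layouts.

```shell
#!/bin/sh
# Added example (not from the original article): triage getcap output.
# Capabilities the article lists as most dangerous when misassigned.
RISKY="cap_sys_admin cap_setuid cap_setgid cap_chown cap_dac_read_search cap_dac_override"

# Reads getcap output on stdin, prints "path<TAB>capability" per finding.
# Assumption: one capability clause per line, as getcap normally prints.
flag_risky_caps() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    NF >= 2 {
        spec = tolower($NF)               # cap_setuid+ep (older) or cap_setuid=ep (newer)
        path = $0
        sub(/[ \t]+[^ \t]+$/, "", path)   # drop the capability field, keep spaces in paths
        sub(/[ \t]+=$/, "", path)         # older libcap prints "path = caps"
        pos = match(spec, /[=+][a-z]+$/)  # flag letters follow the last = or +
        if (pos == 0) next
        flags = substr(spec, pos + 1)
        if (flags !~ /e/ || flags !~ /p/) next   # only entries carrying both e and p
        list = substr(spec, 1, pos - 1)
        if (list == "") { printf "%s\tall\n", path; next }  # bare =ep: every capability
        m = split(list, caps, ",")
        for (i = 1; i <= m; i++)
            if (caps[i] in want) printf "%s\t%s\n", path, caps[i]
    }'
}

# Constructed sample lines mixing both getcap layouts (not real scan output).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/bin/vim.basic = cap_setuid+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/opt/tools/backup tool cap_dac_read_search=ep
/usr/bin/tar cap_dac_override=i
/usr/local/bin/helper =ep
EOF
}

# Real use: getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap_output | flag_risky_caps
```

Each reported file should either have the capability removed with “setcap -r” or be confirmed as genuinely needing it.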

GTFOBins is a great resource for checking whether an exploit is available for a binary that has a capability set. However, sometimes it may require improvisation.

For example, the command for the vim exploit

  • vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

may not work unless “py” (python) is changed to “py3” (python3):

  • vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Sometimes the exploit may not work at all, in which case additional research and troubleshooting would be required.

Karan

Cyber Security Intern
