How Capabilities actually Work ? | Exploitation | Privilege Escalation
SUID : The Traditional Linux Way
Sometimes a user with low privileges needs to perform specific tasks with higher privileges and for that Linux has functionality for setting SUID bit on particular binaries.
The SUID (Set User ID) bit is a special permission that can be set on executable files in the Linux operating system. This allows the non-privileged user to run the program with the permissions of the owner of the file.
For example, if a non-root user wants to execute a program with the SUID bit set of the root user, he/she will be given root permission throughout the execution of the program.
Why Capabilities?
SUID works fine but it has a high-security risk because it gives full permissions to the non-root user even though only certain actions were required to be executed with root privileges.
Attackers exploit the SUID bit to perform privilege escalation on the system.
That’s where Capabilities jump in, capabilities also allow the user to run certain executables with the privileges of the root user. but it is more secure, How? Capabilities don’t give full permissions rather it divides the privileges and permissions into smaller, more specific units or threads that can be selectively enabled or disabled.
Note: Capabilities grant privileges to processes rather than user.
Each capability corresponds to a specific permission or privilege, such as the ability to bind to a network port, the ability to change system time, or the ability to send signals to other processes.
Some Linux Capabilities and their functions are:-
CAP_DAC_OVERRIDE: The ability to override file permissions.
CAP_DAC_READ_SEARCH: The ability to read and search directories and files that
the process does not have permission to access.
CAP_KILL: The ability to send signals to other processes.
CAP_NET_BIND_SERVICE: The ability to bind to a network port below 1024.
CAP_SYS_BOOT: The ability to reboot the system.
CAP_CHOWN: The ability to change the owner and group of a file.Read more here..
Inside the Linux Kernel
Capabilities are stored as bitmask in a separate file in the /proc filesystem for each process, A bitmask is a data structure that represents a set of flags or options as individual bits in a single value. Each bit in the bitmask corresponds to a particular capability, and the value of the bit (either 0 or 1) indicates whether the capability is enabled or disabled.
They can be manipulated using the setcap command and the capsh command. When a process makes a system call that requires a particular capability, the kernel checks the process's capabilities to see if the necessary permission is granted. If the permission is not granted, the system call is denied and the process is given an error code.
- Permitted capabilities: These are the privileges that a process is allowed to have, regardless of whether it is currently executing with those privileges.
- Effective capabilities: These capabilities are checked by the Linux kernel to see if it’s effective or not. These are the privileges that a process is currently executing. A process can only exercise a privilege if it is both permitted and effective.
Example:
These two are like functions in programming, first compiler checks if a function exists or not, and if it does then it will execute that function. Here compiler is the Linux kernel, permitted capability is the declared function and effective capability is the defined function which is being executed. Hope that gives you a little idea of how it works.
The setcap command takes a capability name and a value as arguments, and it updates the corresponding bit in the process's bitmask accordingly.
setcap cap_chown=+ep myprogramThe above command sets the CAP_CHOWN bit in the myprogram process's bitmask to 1, indicating that the capability is enabled. Notice the + sign before the filename, in case if it’s minus(-) then it indicates that the capability is disabled.
The Hacker Mind: How it can be exploited?
In the target machine, we can see enabled capability using getcap command. When run as an unprivileged user, getcap -r / will generate a huge amount of errors, so it is good practice to redirect the error messages to /dev/null.
cap_setuid capability can be dangerous if it is not used carefully because it allows a process to change the effective user ID and group ID of the process which can lead to privilege escalation.
Command: getcap -r / 2>/dev/null
There is a python binary with cap_setuid+ep enabled, this allows a program to gain the setuid (set user ID upon execution) and effective (ep) privileges needed to execute with the permissions of the owner of the file, rather than the permissions of the user who executes it.
Bypass: /usr/bin/python2.6 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’
This can be easily taken advantage of by adding a piece of code and telling python to import OS and spawn a /bin/bash shell. Since it’s being executed by the privileges of the root user, it will spawn a shell with root privileges.
Check out more binaries that can be exploited with this capability set on them.
Thank you for Reading.
