Capabilities
Last updated
Last updated
Capabilities split the traditionally all-or-nothing root privileges into distinct units that can be independently enabled or disabled for processes.
Common Capabilities
Here are some common capabilities available in Linux:
Capability | Description |
---|---|
Viewing Capabilities
You can view the capabilities of a binary using the getcap
command. For example:
Setting Capabilities
To set capabilities on a binary, use the setcap
command. For example, to give a binary the capability to bind to low-numbered ports:
Removing Capabilities
To remove capabilities, use the setcap
command with a minus sign:
Checking Effective Capabilities
You can check the effective capabilities of a running process using the capsh
command:
Here’s a list of Linux capabilities that can be leveraged for privilege escalation (priv esc) if not used correctly. Misconfigurations or overly permissive settings can lead to security vulnerabilities:
CAP_CHOWN
Allows changing file ownership. If a binary with this capability is compromised, an attacker can take ownership of sensitive files.
CAP_DAC_OVERRIDE
Bypasses file read, write, and execute permission checks. This capability allows access to files that are normally restricted, potentially exposing sensitive data.
CAP_DAC_READ_SEARCH
Bypasses file read permission checks. This can be exploited to read files that should otherwise be inaccessible.
CAP_FOWNER
Bypasses permission checks on operations that normally require the file's owner. An attacker can manipulate files without being the owner, leading to unauthorized access.
CAP_NET_ADMIN
Grants the ability to perform network-related operations, such as modifying network interfaces and routing tables. Misuse can lead to network manipulation and privilege escalation.
CAP_NET_BIND_SERVICE
Allows binding to network ports below 1024. If a service running with this capability is vulnerable, it can allow an attacker to hijack the service.
CAP_SYS_ADMIN
This broad capability allows performing a variety of administrative tasks. Improper use can lead to severe privilege escalation, as it provides control over many system functions.
CAP_SYS_MODULE
Permits loading and unloading kernel modules. Exploiting this capability can allow attackers to load malicious modules into the kernel.
CAP_SYS_RAWIO
Grants access to raw I/O operations, which can be abused to perform arbitrary read/write operations on devices.
CAP_SYS_TIME
Allows modification of the system clock. Changing the system time can be used to manipulate logs and other time-sensitive data, hiding malicious activities.
If there is harmful capabilities set on a binary, we can use this capability to escalate privilege
For example, if CAP_SETUID
capability is set then this can be used as a backdoor to maintain privileged accss by manipulating its own process UID
Refer the og site https://gtfobins.github.io/#+capabilities for more.
CAP_CHOWN
Change file ownership.
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks.
CAP_DAC_READ_SEARCH
Bypass file read permission checks.
CAP_FOWNER
Bypass permission checks on operations that normally require the file's owner.
CAP_NET_ADMIN
Perform various network-related operations, such as configuring interfaces.
CAP_NET_BIND_SERVICE
Bind to network ports below 1024.
CAP_SYS_ADMIN
Perform a wide range of administrative tasks.
CAP_SYS_MODULE
Load and unload kernel modules.
CAP_SYS_RAWIO
Perform raw I/O operations.
CAP_SYS_TIME
Modify the system clock.