Capabilities
Capabilities split the traditionally all-or-nothing root privilege into distinct units that can be enabled or disabled independently per thread, and that can also be attached to executable files so a program gains only the specific privileges it needs instead of running as full root.
Common Capabilities
Here are some common capabilities available in Linux:
CAP_CHOWN
Change file ownership.
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks.
CAP_DAC_READ_SEARCH
Bypass file read permission checks and directory read and execute (search) permission checks.
CAP_FOWNER
Bypass permission checks on operations that normally require the file's owner.
CAP_NET_ADMIN
Perform various network-related operations, such as configuring interfaces.
CAP_NET_BIND_SERVICE
Bind to network ports below 1024.
CAP_SYS_ADMIN
Perform a wide range of administrative tasks (mounting filesystems, many privileged ioctls, namespace setup and more); in practice it is close to full root.
CAP_SYS_MODULE
Load and unload kernel modules.
CAP_SYS_RAWIO
Perform raw I/O operations, such as accessing I/O ports and /dev/mem.
CAP_SYS_TIME
Modify the system clock.
Linux Capabilities: Viewing and Checking
Viewing Capabilities
You can view the file capabilities set on a binary with the getcap command; getcap -r / lists every binary on the system that carries any.
Setting Capabilities
To set capabilities on a binary, use the setcap command, for example to grant a service only the capability to bind to low-numbered ports instead of running it as root.
Removing Capabilities
To remove capabilities, use setcap again, either clearing the individual capability's flags with a minus sign or dropping the whole set with the -r option.
Checking Effective Capabilities
The capabilities of a running process are recorded as hexadecimal bitmasks in the CapInh, CapPrm, CapEff, CapBnd and CapAmb lines of /proc/<pid>/status. Decode the CapEff value with capsh --decode=<hex>, or use getpcaps <pid> to print the sets directly.
Linux Capabilities for Privilege Escalation
Here is a list of Linux capabilities that can be leveraged for privilege escalation (priv esc) when they are granted too broadly. Misconfigurations or overly permissive settings turn an otherwise unprivileged process into a path to root:
CAP_CHOWN
Allows changing file ownership. If a binary with this capability is compromised, an attacker can take ownership of sensitive files.
CAP_DAC_OVERRIDE
Bypasses file read, write, and execute permission checks. This capability allows access to files that are normally restricted, potentially exposing sensitive data.
CAP_DAC_READ_SEARCH
Bypasses file read permission checks. This can be exploited to read files that should otherwise be inaccessible, such as /etc/shadow or private SSH keys.
CAP_FOWNER
Bypasses permission checks on operations that normally require the file's owner. An attacker can manipulate files without being the owner, leading to unauthorized access.
CAP_NET_ADMIN
Grants the ability to perform network-related operations, such as modifying network interfaces and routing tables. Misuse can lead to network manipulation and privilege escalation.
CAP_NET_BIND_SERVICE
Allows binding to network ports below 1024. On its own it does not grant escalation, but a compromised process holding it can impersonate a privileged service by listening on its well-known port if the real one is stopped or has not started yet.
CAP_SYS_ADMIN
This broad capability allows performing a variety of administrative tasks, including mounting filesystems and entering namespaces. It is effectively equivalent to root, so granting it to a process that can be influenced by an attacker is a direct privilege escalation path.
CAP_SYS_MODULE
Permits loading and unloading kernel modules. Exploiting this capability can allow attackers to load malicious modules into the kernel.
CAP_SYS_RAWIO
Grants access to raw I/O operations, which can be abused to perform arbitrary read/write operations on devices.
CAP_SYS_TIME
Allows modification of the system clock. Changing the system time can be used to manipulate logs and other time-sensitive data, hiding malicious activities.
If a harmful capability is set on a binary, that capability can be used to escalate privileges.
For example, if CAP_SETUID is set on an interpreter such as python or perl, the interpreter can call setuid(0) to change its own process UID to root and spawn a shell; planted on a binary by an attacker, the same capability also serves as a backdoor for maintaining privileged access.
See GTFOBins at https://gtfobins.github.io/#+capabilities for per-binary techniques.
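The first step on a host is to find which binaries carry file capabilities at all and which of them deserve a GTFOBins lookup. The following script is an added example, not code from the original page or from GTFOBins: triage_line classifies one line of getcap output against a triage list made of the capabilities discussed on this page plus cap_setgid, cap_sys_ptrace and cap_setfcap (the additions are this example's choice), and handles both the older "path = caps+flags" and the newer "path caps=flags" output formats of getcap. The getcap lines in SAMPLE_GETCAP are constructed.

```shell
#!/bin/sh
# Added example: triage `getcap -r /` output for capabilities worth a GTFOBins lookup.

# Triage list: the capabilities covered on this page plus cap_setgid, cap_sys_ptrace, cap_setfcap.
# Any of these on an interpreter or attacker-controllable binary is a likely escalation path.
DANGEROUS="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_net_admin \
cap_net_bind_service cap_sys_admin cap_sys_module cap_sys_rawio cap_sys_time \
cap_setuid cap_setgid cap_sys_ptrace cap_setfcap"

# Constructed getcap output mixing the libcap < 2.41 format ("path = caps+flags")
# and the newer format ("path caps=flags").
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.11 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/gdb cap_sys_ptrace=ep
/usr/bin/mtr-packet cap_net_raw=ep'

# triage_line "getcap output line" -> "RISK <path> <caps>" or "ok <path> <caps>"
triage_line() {
    line=$(printf '%s' "$1" | sed 's/ = / /')        # normalise old format to new
    path=${line%% *}
    caps=${line#* }
    capnames=$(printf '%s' "$caps" | sed 's/[=+].*//' | tr ',' ' ')   # strip flag suffix
    risk=ok
    for c in $capnames; do
        case " $DANGEROUS " in *" $c "*) risk=RISK ;; esac
    done
    printf '%s %s %s\n' "$risk" "$path" "$caps"
}

# triage_report "<getcap output>" -> one triage line per non-empty input line
triage_report() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        if [ -n "$l" ]; then
            triage_line "$l"
        fi
    done
}

# count_risky "<getcap output>" -> number of RISK lines
count_risky() {
    triage_report "$1" | grep -c '^RISK'
}

triage_report "$SAMPLE_GETCAP"
# On a live system: triage_report "$(getcap -r / 2>/dev/null)"
```

A RISK hit is a lead, not a confirmed escalation: cap_net_admin on tcpdump is its intended use, while cap_setuid on a python interpreter is the GTFOBins case from the paragraph above. Check each flagged binary against the site before acting on it.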