Elevating Privileges: Capabilities

While SUID gives us the ability to let processes run with elevated privileges, its doesn't give us a huge amount of control.

Using SUID for these system level processes means that we would have to have Root as the owner, this can lead to a security issue as the process would have full superuser rights when it might only need to use a subset of the kernel level functionality.

Capabilities aim to address this problem, by breaking the system level kernel calls into groups of functionality (capabilities), and only assigning the Capabilities needed to a process.

Example

For Example, we need to run Nmap as root to get access to the low level networking stack for a Syn scan.

Therefore, we tend to run Nmap with sudo. This means that users we trust can run the command with the higher privileges needed.

However, what happens if we want a non-sudoer to run efficient nmap scans?

We could also make our nmap binary run with root permissions using SUID, as this would allow any user in inherit the root privs when running a scan.

However, this is a BadIdea(TM) as there are a lot of nmap functions that can be abused to gain a root shell on the system Nmap GTFO bins

As namp only requires access to the low level socket libraries, we could instead apply the various network level capabilities (CAP_NET_RAW, CAP_NET_ADMIN etc.) This would limit the parts of the kernel that nmap can use, and potentially solve our problem.

Discuss

I don't actually know if this is a good idea, but it was the first example I could come up with.

It looks like nmap supports this But there is a pretty stern warning too.

If you know of a exploit for namp and capabilities, let us know on the Aula feed.

Types of Capability

There are 30-40 different capabilities currently available, and these can change with the kernel. For a full list its worth checking the man page

Some of the more interesting capabilities are discussed below

• CAP_AUDIT_

  Allow us to modify kernel auditing and logging settings.

  For example with CAP_AUDIT_CONTROL we gain the ability to enable and disable kernel auditing for that process. (engage cloaking device...)

• CAP_CHOWN

  Allow the process to modify the owner / group of a file

• CAP_SETUID and CAP_SETGID

  Allow us to modify a processes User or Group ID This can be used in a similar way to setting the SUID bit

• CAP_FSETID

  Don't drop SUID permissions if a file gets modified.

• CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH

  Allow us to bypass checks on a files permissions. For example adding eXecue permissions to a file.

  The CAP_DAC_READ_SEARCH can allow us to bypass read permissions on files

• CAP_NET_*

  Capabilities that deal with networking.

  This includes CAP_NET_BIND_SERVICE that allows us to bind a socket to a system port (0-1024)

• CAP_SYS_*

  Capabilities that deal with System functionality, such as process management.

  This includes things like allowing a process to trace its functionality with CAP_SYS_PTRACE.

Capability Settings

Capabilities are set not only for an file, but for processes too. This means that the capabilities of one process can also effect the other.

Important

Setting capabilities on threads can be done, but it gets complex, (and I mean flow charts, set theory and other fun stuff complex) very quickly.

Given that we are discussing privesc, and that makes use of existing things, we will focus getting and setting on files.

If you are really interested in the processes this post and this post do a pretty good job.

File based capabilities have 3 different levels.

Permitted

Means that the any process created by this file will automatically get the files privileges

Inherited

Means that the capabilities for this file, and any calling process are combined to get the final capabilities.

This uses a logical AND for each individual capability.

For example, with the following capabilities

File	Calling Process	Granted
CAP_SETUID	CAP_SETUID	Yes
	CAP_CHOWN	-
CAP_NET_BIND	-	-

Effective

If this is set, the file inherits any capabilities set by the calling process.

Getting and Setting Capabilities

We can check the capabilities of a file using getcap

For example here we can see that the rlogin command has

• The CAP_NET_BIND capability (can connect to a socket)
• ep (Effective, Permitted), basically means that both sets of permissions are turned on. (So the binary will use its own, AND inherit anything from a calling process)

Tip

We can search for all files with capabilities using a recursive search

getcap -r / 2>/dev/null

We can also get the capabilities for a running process.

The getpcaps command will give us the details of a process or list of process. (TODO: I cant find anything running, Hopefully I remember to grab this in the demo)

$ getpcaps 20148
20148: =

Setting Capabilities

If we have the correct permissions we can also set a files capabilities with the setcap command.

For example to give less the CAP_SETUID capability, we want to set it as EP (effective, permitted)

dang@dang-laptop /tmp/capdemo$ sudo setcap cap_setuid+ep less

#And check the setting took effect.
dang@dang-laptop /tmp/capdemo$ getcap less
less cap_setuid=ep

Summary

While there are fewer chances for exploitation using capabilities, they could still give us a way of executing commands with elevated privileges. Its another thing we would want to audit and cross reference against vulnerability lists.

Further Reading

• Arch Wiki on capabilities
• List of Capabilities and Descriptions
• Interesting Corner case on Capabilities