formkillo.blogg.se

Ubuntu 14.04.2 priv escalation

This obviously could be used in various ways to escalate privileges, including but not limited to adding a root user to /etc/passwd or /etc/shadow, modifying cron jobs run by root, adding a public SSH key to /root/authorized_keys, or simply opening a root shell. Keep in mind that the presence of a potentially exploitable capability does not guarantee privilege escalation. You’re still limited by the functionality of the executable in question.

Besides, capabilities are rarely used in the wild. System administrators rarely set/change capabilities. System administrators should make sure that no abusable or exploitable capabilities are assigned on their file system.


tar: Removing leading `/’ from member
ls
Nxnjz:$1$sTfA$SnnNO9Cflvs4aq4ZCU/6J/:17764:0:99999:7:::

After cracking that password hash for root, which turns out to be ‘root1234’, we can login using su &

This is simply an example of how capabilities can serve as a privilege escalation vector. Another very useful capability in a scenario like this would be cap_dac_override, which allows full read/write/execute access.

Mitigation


This means it has read access to anything. We could use this to read SSH keys, or /etc/shadow and get password hashes.

/etc/shadow is usually only readable by root:

cat /etc/shadow

But since tar has that capability, we can archive /etc/shadow, extract it from the archive and read it.


I recently came across an interesting way of escalating privileges on a GNU/Linux system during a CTF challenge. In Linux, files may be given specific capabilities. For example, if an executable needs to access (read) files that are only readable by root, it is possible to give that file this ‘permission’ without having it run with complete root privileges. The vendor has been informed of the vulnerability. This allows for a more secure system in general. If it's not patched within 14 days, I will release the code to the public v. For more info about this subject, click here.

getcap and setcap are used to view and set capabilities, respectively. They usually belong to the libcap2-bin package on Debian and Debian-based distributions.

We would start by scanning the file system for files with capabilities using:

getcap -r /

The -r flag tells getcap to search recursively, and ‘/’ indicates that we want to search the whole system. The output is usually filled with tens or hundreds of “Operation not supported” errors, making it hard to read. We can redirect errors to /dev/null to get a cleaner output:

getcap -r / 2>/dev/null

/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

An unusual finding: tar has cap_dac_read_search capabilities.
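For the mitigation point on this page (making sure no abusable capabilities are assigned), the getcap scan can be turned into an audit that flags only the binaries worth reviewing. This is an added example, not code from the original article; the RISKY set beyond the two capabilities named on the page, and the /bin/tar and /usr/bin/ping paths in the sample, are assumptions.

```python
import re

# Capabilities that bypass file permissions or lead to root. The first two are
# named on this page; the rest are this example's own selection (an assumption).
RISKY = {"cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
         "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
         "cap_fowner", "cap_setfcap"}

# One clause: optional name list, operator, flags ("cap_x+ep"; "=ep" means all).
CLAUSE = re.compile(r"^([a-z_,0-9]*)([+=])([eip]+)$")

def parse_getcap_line(line):
    """Return (path, {cap: flags}) for one getcap output line, else None."""
    line = line.strip()
    if " = " in line:            # older libcap prints "path = caps+ep"
        path, text = line.split(" = ", 1)
    elif " " in line:            # newer libcap prints "path caps=ep"
        path, text = line.rsplit(" ", 1)
    else:
        return None
    caps = {}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:                # error text such as "Operation not supported"
            return None
        for name in (m.group(1) or "all").split(","):
            caps[name] = m.group(3)
    return path, caps

def audit(getcap_output):
    """Return [(path, [risky caps])] where they are permitted or effective."""
    findings = []
    for path, caps in filter(None, map(parse_getcap_line, getcap_output.splitlines())):
        hits = sorted(c for c, flags in caps.items()
                      if (c in RISKY or c == "all") and set(flags) & {"e", "p"})
        if hits:
            findings.append((path, hits))
    return findings

# Constructed sample: first line is from the page, tar and ping paths are illustrative.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/tar = cap_dac_read_search+ep
/usr/bin/ping cap_net_raw=ep
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the output of getcap -r / 2>/dev/null; a capability that is not needed can be cleared with setcap -r on the flagged file.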





