04.01.2011, 14:51   #1
SynQ
Ways of escalating privileges via CAPS.

http://forums.grsecurity.net/viewtopic.php?f=7&t=2522

This topic will surely become very relevant later, when all distributions start moving away from suid binaries to filesystem CAPABILITIES. Fedora 14 should be the first to do so.

The list presents the various CAPS and, for each one, a simple example of how privileges can be escalated when you have it.
Quote:
  • CAP_SYS_ADMIN: generic: among many other things (it's a sort of catch-all capability choice), CAP_SYS_ADMIN grants the ability to mount/unmount filesystems. So you have the ability to bind mount a new filesystem over an existing one to backdoor any binary on the system. There doesn't appear to be any DAC check for this operation, so the capability itself is sufficient. CAP_SYS_ADMIN also grants the ability to use the TIOCSTI ioctl against /dev/tty (a tty not owned by us) and inject commands into an administrator's shell that will be executed without any interaction on their part.
  • CAP_SYS_TTY_CONFIG: generic: temporarily change the keyboard mapping of an administrator's tty via the KDSETKEYCODE ioctl to cause a different command to be executed than intended (back in 2.4 this used to only be protected by suser() (essentially a uid == 0 check), except in grsecurity)
  • CAP_MKNOD: generic: allows the creation of a block device owned by the non-root user which is the same device as (for instance) the system disk (on grsecurity, the access to the block device would also require CAP_SYS_RAWIO). This allows for backdooring of any binary on the system.
  • CAP_SYS_PTRACE: generic: ptrace a process of any UID which has the capabilities you need, POKETEXT/SETREGS your way to control flow hijacking and the execution of your code under full capabilities.
  • CAP_SYS_RAWIO: generic: allows mapping of the NULL page for exploiting the huge number of NULL pointer dereferences in Linux. CAP_SYS_RAWIO also enables the use of the FIBMAP ioctl, which would potentially allow for exploitation of the kernel via the handling of input it doesn't expect from untrusted sources
  • CAP_SYS_MODULE: generic: allows modifying the kernel
  • CAP_SETFCAP: generic: can set full capabilities on a file, granting full capabilities upon exec
  • CAP_NET_BIND_SERVICE: generic: a trojaned sshd can be started on the same port as an existing sshd, except forced to the specific interface instead of on INADDR_ANY. This gives preference to the backdoor, allowing for stealing of the root password. Shutting it off after the password has been obtained will allow future connections to pass through to the real sshd with little suspicion.
  • CAP_KILL: situational: if sshd is run off a non-standard port > 1024, CAP_KILL can be used to target the existing sshd processes, then the non-root user can start a trojaned sshd in its place with the intent to grab the root password to obtain full privileges
  • CAP_FSETID: generic: can make any root-owned binary suid-root, granting full capabilities on exec
  • CAP_SETUID: generic: can set real uid to 0 and gain full capabilities on exec. Also can be used to ignore credential checks on unix domain sockets and feed crafted data over assumed-secure channels
  • CAP_DAC_OVERRIDE: generic: modify a suid root binary to execute your code with full capabilities
  • CAP_SETPCAP: generic: if the bounded set hasn't been lowered for the current process, any capability can be acquired in child processes through modification of the inheritable set. This capability allows bypass of the restriction that requires a capability to be in the permitted set for the current process to be inherited by child processes.
  • CAP_NET_ADMIN: generic: among other things, allows administration of the firewall, which can redirect packets destined for the system's normal sshd to a trojaned sshd on the same host or another host, allowing the root password to be grabbed to obtain full privileges
  • CAP_IPC_OWNER: situational: compromise a privileged user of IPC by being able to exploit the assumption that its IPC is private
  • CAP_CHOWN: generic: /etc/shadow, /root/.ssh/* can be stolen or modified via ownership changes, allowing for full root
  • CAP_SYS_CHROOT: generic: from Julien Tinnes/Chris Evans: if you have write access to the same filesystem as a suid root binary, set up a chroot environment with a backdoored libc and then execute a hardlinked suid root binary within your chroot and gain full root privileges through your backdoor
  • CAP_DAC_READ_SEARCH: generic: /etc/shadow, /root/.ssh/* can be read, allowing for full root
  • CAP_SYS_BOOT: generic: from Eric Paris: load up a new kernel to boot with kexec_load
  • CAP_AUDIT_CONTROL: generic: from Jon Oberheide: AUDIT_TTY_GET/AUDIT_TTY_SET netlink commands to the audit subsystem allow for logging and retrieval of tty i/o, allowing the root password to be obtained
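As an added example (not part of this post or of the grsecurity thread it quotes), here is a small Python audit script for the situation the post anticipates: once a distribution ships file capabilities instead of suid bits, `getcap -r /` is the inventory to review. It parses getcap output and flags every binary carrying a capability that the list above rates as "generic" (root-equivalent on its own) or "situational". The sample getcap lines are constructed and the `/usr/local/bin/*` helper paths are hypothetical.

```python
import re

# Capabilities the quoted list rates "generic" (root-equivalent on their own)
# and "situational" (root only under extra conditions, e.g. a non-standard sshd port).
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_sys_tty_config", "cap_mknod", "cap_sys_ptrace", "cap_sys_rawio",
    "cap_sys_module", "cap_setfcap", "cap_net_bind_service", "cap_fsetid", "cap_setuid",
    "cap_dac_override", "cap_setpcap", "cap_net_admin", "cap_chown", "cap_sys_chroot",
    "cap_dac_read_search", "cap_sys_boot", "cap_audit_control",
}
SITUATIONAL = {"cap_kill", "cap_ipc_owner"}

# Accepts both getcap output styles:
#   /usr/bin/ping = cap_net_raw+ep   (older libcap)
#   /usr/bin/ping cap_net_raw=ep     (newer libcap)
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_,]+)[=+](?P<flags>[eip]+)\s*$")

def parse_getcap(text):
    """Return [(path, set_of_caps, flags)] for every parsable getcap line."""
    entries = []
    for line in text.splitlines():
        m = GETCAP_LINE.match(line.strip())
        if m:  # skip blank lines, getcap error messages and formats we don't handle
            entries.append((m.group("path"), set(m.group("caps").split(",")), m.group("flags")))
    return entries

def assess(entries):
    """Classify each binary by the most dangerous capability class it carries."""
    report = []
    for path, caps, _flags in entries:
        if caps & ROOT_EQUIVALENT:
            report.append((path, "root-equivalent", sorted(caps & ROOT_EQUIVALENT)))
        elif caps & SITUATIONAL:
            report.append((path, "situational", sorted(caps & SITUATIONAL)))
        else:
            report.append((path, "ok", sorted(caps)))
    return report

# Constructed sample of `getcap -r /` output; the /usr/local/bin paths are hypothetical.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/disk-helper = cap_sys_admin,cap_setuid+ep
/usr/local/bin/tty-logger cap_audit_control=ep
/usr/local/bin/restart-helper cap_kill=ep
"""

if __name__ == "__main__":
    for path, risk, caps in assess(parse_getcap(SAMPLE_GETCAP)):
        print(f"{risk:16} {path}  {','.join(caps)}")
```

On a real host, feed it the output of `getcap -r / 2>/dev/null` and review every "root-equivalent" hit against the list above.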
Tags
capabilities, caps, linux, privilege escalation, root