
Exploiting Linux Capabilities

BSides London | 17:33 | 620 views | Published 2023-05
Category: Technical
Style: Talk

Transcript [en]

Good morning everyone, my name is Yamis and today we're going to be talking about exploiting Linux kernel capabilities. The overall agenda is: we're going to have an overview of Linux capabilities, we're going to go through and get your understanding of why an attacker would be interested in them, we're going to be looking into different ways to exploit them, as well as some mitigation techniques.

A little bit about myself: I'm working as a security engineer on behalf of ControlPlane. I spent a few years working as a DevOps engineer before getting into cloud security. I've got a master's degree in advanced security and digital forensics, I'm Offensive Security certified, and I've spent the last year of my life digging into container security and exploring all the different aspects of container security.

A little bit about ControlPlane: we are a UK-based cloud-native security consultancy, established back in 2017. We are actually a bunch of engineers specializing in cloud, Kubernetes and containers. We've got clients across government, financial institutions, regulated services. At the moment we are like 50 plus people, and we're looking into expanding further; if you're interested, please feel free to apply.

Moving on. Before we get into the core of this talk, which is about exploiting Linux capabilities, I appreciate that some people might ask what Linux capabilities are, what they are actually trying to achieve and why they were even created. It's important to take a step back and look into what was happening before they got introduced into the Linux kernel. Before kernel 2.2 there were actually two types of processes running within the Linux kernel: they were either privileged, running with a uid of zero, or unprivileged, with a non-zero uid. The distinction is that the privileged processes were allowed to do pretty much anything, there were no restrictions whatsoever; on the other side, the unprivileged processes were not allowed to do anything, they had all sorts of restrictions applied to them.

However, from Linux kernel 2.2 onwards there was some magic that was introduced into the Linux kernel, and this is what Linux capabilities are. There's a few of them actually, it's not just the ones I've listed here. The way I like to think about Linux capabilities is like little magic tricks, maybe some pieces of wisdom, maybe, I don't know, whatever. What they actually are is: all the privileges of the processes got split into distinct units, and whatever a process might require, we can just proceed and assign the specific privileges to that process. So as an example, let's say that a specific process needs to change the ownership of a file, or set specific uids or group IDs, or do some stuff around the network within the server; we can then assign the specific Linux capability and give the process the ability to fulfil its purpose and proceed. This is just a few of them actually; if you want to have a look at the full list of Linux capabilities, please go to this URL, it's the Linux man page and it includes pretty much all the capabilities available.

We also need to understand how we will be able to work with Linux capabilities. As soon as we get onto a host, the first action we would like to do is to identify any system-wide capabilities. There are some built-in tools for working with capabilities within Linux; one of them is capsh, which is actually a wrapper for interacting with capabilities on the Linux host. We can also identify capabilities associated with specific system binaries; for this purpose we should be able to use getcap, which is another tool for interacting with Linux capabilities, and as we can see here we've got the Python executable, which has been assigned the cap_sys_admin capability.

Another method for identifying capabilities associated either with binaries or processes is by looking at the status file of the process itself. In this specific instance we're looking at a process with PID 1, which is actually the core process of a container, and there are different categories of capabilities described here. The first one is inheritable, it is the capabilities that the process inherits from something else, and permitted, effective... I'm just going to have to be a bit quicker.

So, from an attacker's point of view, as soon as someone gets access to a container or a Linux host there are specific things that he will be able to do, or he would like to do actually. He would start enumerating anything in the host, looking for open ports, owners, access to files, any way to exploit executables or services, or maybe set up some reverse or bind shells, and for containerized environments in particular he should be looking for ways to escape the container. One of the scariest things is that capabilities provide all these options to an attacker, so he would be able to take advantage of them.

So it would only make sense to go through some demos. I'm not gonna lie, I was planning to do some live demos, but due to lack of time most likely I'm going to be going through some recorded ones. One second, let me just bring this here. Is this clear actually? Yeah, it is.

What's going on here: this is an attempt to abuse the cap_sys_module capability, which is a capability that allows an attacker to insert kernel modules into the host kernel. What we do actually, after identifying the IP of the host that we would like to send the reverse shell to, and the port, we inject the module into the Linux kernel, and after injecting the module into the kernel this is how the reverse shell gets triggered. Let me just have a look... okay, it looks like we are running out of time.

Anyway, I'm just going to go through: there are certainly loads of things that you can achieve with Linux capabilities. You can drop audit rules, you can set your IDs, you can elevate your privileges, you can set up bind shells, you can do all sorts of stuff. And I guess whoever sets these up, they're going to have to be particularly careful with whatever they're using.

With regards to mitigating these issues: security contexts for the win. Security contexts are, let's call them, firewalls for any containerized environments or Kubernetes-based environments. As a rule of thumb, it would be nice to drop everything by default and keep only the ones required. It might be a bit tricky to identify which ones are required by your pipeline, executable, process or whatever you're planning to run, and there is an amazing tool developed by Aqua Security which is called Tracee, which is based on eBPF, and it can also analyse events and detect any sort of suspicious behaviour, but actually that's out of the scope of this talk.

Wrapping up, just a couple of recommendations. I would definitely advise anyone who wants to dive deeper into Linux capabilities and ways to exploit them to look into Liz Rice's book on container security; there's a few examples included. On top of that, I would advise anyone to have a look at Hacking Kubernetes; this goes a bit further, but there is some stuff included related to Linux capabilities as well, however there is some stuff as well on pod security, anything related around security and Kubernetes, and this was actually written by the CEO of ControlPlane, Andrew Martin. Thank you very much for attending. It's actually my first talk, so yeah, I'm not gonna lie, I was a bit stressed. Any questions whatsoever? Yes, here we go.

Audience: Hello, I just wanted to know, have you had any success with implementing this particular exploit against modern Linux kernels or something?

Speaker: Sorry?

Audience: Yeah, so have you had any success with trying to implement this particular privilege escalation or exploit against modern Linux kernels?

Speaker: Yes. To be honest, the particular use case, and this is how I got into this, was actually part of a workflow for securing Tekton pipelines. Part of the requirements was to verify how secure the pipelines are and whether they could actually be exploited. We were able to exploit anything that was running within these Tekton pipelines; by using this way we were able to trigger reverse shells or even set up binds, also maybe even inject stuff into host processes. Have you got any particular use case that you were unable to implement?

Audience: I've got no specific example, I'm just trying to think.

Speaker: In any case, yeah, we've done this research quite recently and all this was applied against modern Linux kernels. Looks like they're kicking us out; any other questions?

Host: Yeah, time for one more I think.

Audience: I was wondering, when it comes to sort of Kubernetes and OpenShift and things like that, quite often you'll find clients who have a Docker container that they know needs some additional capabilities but they don't know which ones, and quite often they just have no choice but to turn everything on because the supplier of the container just hasn't told them what capabilities it needs. Have you got any recommendations for how they can sort of investigate and find out what the minimum set is?

Speaker: Actually yeah, I just quickly jumped through it. I would definitely advise anyone to use Tracee. This is an example of how we used it to identify capabilities during runtime. As I said, we were executing pipelines within Tekton and we had to quickly identify what capabilities are required and what's being used internally. What this actually does: it's actually keeping an eye out for any new containers that are popping up and it's outputting the capabilities. As you can see here, it's tracing for capability-related events and it's outputting anything that it's finding to JSON, to trace.log. It's an eBPF-based executable and that's why it has specific requirements, like you're going to have to run it in privileged mode; you also have to map a few things within the container just to allow the eBPF-related modules to compile initially. This is what we were using in this particular use case.

Host: Cool, that's all I got time for, I'm afraid. Thank you Janice, thank you everyone.

Speaker: Yeah, thank you.
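The talk shows two things worth having in code form: reading the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status to see what a container's PID 1 can actually do, and the "drop everything by default, add back only what is required" securityContext pattern. The script below is an added example written for this page; it is not code from the talk, from ControlPlane or from Tracee. The capability bit numbers come from the kernel's capability.h, the two status excerpts are constructed samples (the second one adds CAP_SYS_MODULE and CAP_SYS_ADMIN to the first), and the HIGH_RISK review list is an assumption of this example, not a list the speaker gave.

```python
"""Decode the Cap* masks from /proc/<pid>/status and derive a drop-ALL/add-back
Kubernetes securityContext.  Added example for this transcript page; not code
from the talk, from ControlPlane or from Tracee."""
from typing import Dict, Iterable, List, Set

# Capability names indexed by bit number, as in <linux/capability.h>
# (CAP_CHOWN == 0 ... CAP_CHECKPOINT_RESTORE == 40).
CAP_NAMES: List[str] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumed review list: capabilities that let a container reach the host kernel,
# other processes or the audit trail (the talk's CAP_SYS_MODULE demo is one).
HIGH_RISK: Set[str] = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_SYS_BOOT", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN",
    "CAP_AUDIT_CONTROL", "CAP_BPF",
}

# Constructed /proc/1/status excerpts (only the Cap* lines are used).
STATUS_DEFAULT = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# Same container, but with bits 16 (CAP_SYS_MODULE) and 21 (CAP_SYS_ADMIN) set.
STATUS_WITH_MODULE = STATUS_DEFAULT.replace("a80425fb", "a82525fb")


def parse_status(text: str) -> Dict[str, int]:
    """Return the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks as integers."""
    caps: Dict[str, int] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps


def read_proc_status(pid: int) -> Dict[str, int]:
    """Same as parse_status, but for a live process on a Linux host."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return parse_status(fh.read())


def decode_mask(mask: int) -> List[str]:
    """Expand a capability bitmask into names, lowest bit first."""
    names: List[str] = []
    for bit in range(64):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_BIT_{bit}")
    return names


def risky_caps(names: Iterable[str]) -> Set[str]:
    """Capabilities from the review list that are present in `names`."""
    return HIGH_RISK.intersection(names)


def k8s_security_context(required: Iterable[str]) -> dict:
    """Drop ALL, then add back only the required ones.  Kubernetes spells
    capability names without the CAP_ prefix (e.g. NET_BIND_SERVICE)."""
    add = sorted({n[4:] if n.startswith("CAP_") else n for n in required})
    return {"capabilities": {"drop": ["ALL"], "add": add}}


def report(status_text: str) -> str:
    """Human-readable summary of the effective set and anything high-risk."""
    caps = parse_status(status_text)
    effective = decode_mask(caps.get("CapEff", 0))
    lines = [f"CapEff = {caps.get('CapEff', 0):#018x} ({len(effective)} capabilities)"]
    lines += [f"  {name}" for name in effective]
    risky = risky_caps(effective)
    lines.append("high-risk: " + (", ".join(sorted(risky)) if risky else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, sample in (("default", STATUS_DEFAULT), ("with module", STATUS_WITH_MODULE)):
        print(f"--- {label} ---")
        print(report(sample))
    # Least-privilege context for a workload that only needs to bind port 80 and chown files.
    print(k8s_security_context(["CAP_NET_BIND_SERVICE", "CAP_CHOWN"]))
```

Running it on a real container is a matter of calling read_proc_status(1) from inside the container (or passing the PID as seen from the host) and feeding the result to decode_mask and risky_caps; the output of the second sample is what the talk's CAP_SYS_MODULE demo relies on, and the k8s_security_context dict is the "drop everything, add back what is required" rule of thumb expressed as a pod spec fragment.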