Inspects extended file capabilities with getcap.
Since Linux 2.6.24, setcap can attach fine-grained privilege bits to
executables, letting them perform the specific privileged actions they
require instead of running as root.
If a binary that’s writable or executable by non-privileged users is granted
excessive capabilities, attackers can exploit it for privilege escalation.
name: Linux.Sys.Getcap
author: Matt Green - @mgreen27
description: |
Inspects extended file capabilities with getcap.
Since Linux 2.6.24, setcap can attach fine-grained privilege bits to
executables, letting them perform the specific privileged actions they
require instead of running as root.
If a binary that’s writable or executable by non-privileged users is granted
excessive capabilities, attackers can exploit it for privilege escalation.
reference:
- https://dfir.ch/posts/linux_capabilities/
- https://man7.org/linux/man-pages/man7/capabilities.7.html
parameters:
- name: TargetPath
default: /
description: Target path for getcap. Default / will scan all. Globs also work - e.g /usr/bin/*
- name: CapRegex
default: .
description: "Regex for capability to search for: e.g cap_setuid=ep"
required_permissions:
- EXECVE
sources:
- precondition: |
SELECT OS
FROM info()
WHERE OS = 'linux'
query: |
LET results = SELECT Stdout
FROM execve(argv=["getcap", "-r", TargetPath], sep='\n')
WHERE Stdout =~ "cap"
LET caps = SELECT split(sep=' ', string=Stdout)[:-1][0] AS Binary,
split(sep=' ', string=Stdout)[-1] AS Capabilities
FROM results
WHERE Capabilities =~ CapRegex
SELECT *
FROM foreach(row=caps,
query={
SELECT OSPath,
Capabilities,
Mode.String AS ModeString,
Size,
Mtime,
Atime,
Ctime,
Btime
FROM stat(filename=Binary)
})