Linux Capabilities Exploitation
Exploiting misconfigured Linux capabilities to escalate privileges through fine-grained permission assignments.
Exploiting misconfigured Linux capabilities to escalate privileges through fine-grained permission assignments.
Continue your mission
Linux capabilities exploitation targets the fine-grained privilege system that divides traditional root powers into distinct units assignable to executables and processes. When capabilities are misconfigured, they create escalation paths that bypass standard permission controls without requiring full root access.
Linux capabilities split monolithic root privilege into over 40 distinct capabilities like CAP_NET_RAW, CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, and CAP_SETUID. Administrators assign capabilities to binaries using setcap, intending to grant specific privileges without full root. Attackers enumerate capabilities using getcap and look for exploitable assignments. CAP_SETUID on an interpreter allows direct UID change to root. CAP_DAC_OVERRIDE permits reading any file regardless of permissions. CAP_SYS_ADMIN is nearly equivalent to full root and enables mount namespace manipulation. Attackers chain capability abuse with other techniques, using CAP_SYS_PTRACE to inject code into privileged processes.
Capabilities were designed to improve security by reducing the need for SUID root binaries, but misconfigured capabilities create subtle privilege escalation paths harder to detect than traditional SUID abuse. Many container runtimes grant excessive capabilities by default, making this a critical attack surface in containerized environments.
CDA covers Linux capabilities within the VSD and SPH domains. Theater missions teach operators to audit capability assignments, identify dangerous configurations, and implement capability-based security correctly. Our approach treats capabilities as a defense tool that becomes an attack surface when misunderstood.
CDA Theater missions that address topics covered in this article.
Rogue access point detection identifies unauthorized wireless APs on the network using WIPS sensors, wired-side monitoring, and signal triangulation to prevent network bypass.
LLM security risks include data leakage, prompt injection, model supply chain attacks, and unauthorized tool execution, requiring organizations to treat AI models as high-privilege components.
Written by CDA Editorial
Found an issue? Help improve this article.