In the intricate world of Linux, system administrators often encounter security exploits that capitalize on the Linux kernel’s vulnerabilities. One such vulnerability is the CAP_SYS_MODULE privilege. This blogpost will provide an in-depth exploration of this particular Linux capability and how it can be exploited.
Understanding Linux Capabilities
Linux capabilities are a set of privileges that can be assigned to processes to perform specific operations without granting full root access. The CAP_SYS_MODULE capability, in particular, allows functions to load and unload kernel modules, extending the functionality of the Linux kernel.
The Power of CAP_SYS_MODULE
The CAP_SYS_MODULE capability is a powerful and dangerous privilege. It allows a process to load and unload arbitrary kernel modules, essentially modifying the Linux kernel’s functionality. This privilege can lead to a trivial escalation of privileges and a full root compromise, subverting all system security, Linux Security Modules, and container systems.
How CAP_SYS_MODULE Can Be Abused?
The CAP_SYS_MODULE capability can be exploited for root access in a Linux system. Here’s how:
1) Kernel Module Injection
A process with the CAP_SYS_MODULE capability can inject a kernel module into the Linux kernel. This kernel module could contain malicious code – a rootkit or a bind shell – that, once loaded into the kernel, could give the attacker root access to the system.
2) Bypassing Security Measures
The CAP_SYS_MODULE capability can bypass security measures like container systems or Linux Security Modules. This is possible because a process with this capability can modify the kernel at will, thereby nullifying any security measures put in place.
Lab Experiment
Let’s walk through a lab experiment to better understand how the CAP_SYS_MODULE capability can be exploited. In this experiment, the kmod utility has the CAP_SYS_MODULE capability set. To check capabilities in a linux system, we can use the getcap command.
Command: getcap –r / 2>/dev/null
1) Preparing the Kernel Module
The first step is to prepare the malicious kernel module that will be injected into the Linux kernel. For this experiment, the module is a simple reverse shell that connects back to the attacker when loaded into the kernel. Change the IP address of the C code to the IP of your attacker machine.
For the reverse-shell in C language, refer to this site: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#cap_sys_module
2) Creating fake lib/modules/$(uname –r) directory
Modprobe command will default check for dependencies in the /lib/modules/$(uname –r) directory. Here uname –r command is used to get the kernel version of the operating system. Now, we need to create a fake directory by using the following command-
Command: mkdir lib/modules -p
Copy and paste the contents of /lib/modules/$(uname –r) to our fake directory. This can be done using the following command.
Command: cp -a /lib/modules/$(uname -r)/ lib/modules/$(uname -r)
3) Building the Kernel Module
After writing the malicious kernel module, the next step is to build it. This can be done using the make command, which compiles the module into reverse-shell.ko file that can be loaded into the kernel. But first, copy the contents of the Makefile from the same site and make sure you are using tab functionality instead of spaces after all and clean to avoid running into issues.
Now, run the make command to build the malicious kernel module.
4) Injecting the Kernel Module
Once the kernel module has been built, it can be injected into the kernel using the insmod tool. This tool uses the kmod command to perform the actual injection. But first, we need to listen for the reverse shell connection. This can be done using the following command.
Command: nc –nvlp 444
Now, we will run the insmod command to perform the injection.
Command: insmod reverse-shell.ko
Gaining Root Access
After the kernel module has been injected, it opens a reverse shell that connects back to the attacker. This gives the attacker a shell with root access, thereby completing the privilege escalation.
Mitigating CAPSYSMODULE Exploits
Preventing CAP_SYS_MODULE exploits involves taking steps to limit the processes that have this capability. Here are some measures that can be taken:
1) Limiting Capabilities
One approach is to limit the capabilities of processes, especially those that do not need the CAP_SYS_MODULE capability. This can be done by configuring the system to drop unnecessary capabilities.
2) Securing Kernel Modules
Another approach is to secure the kernel modules themselves. This can be done by signing the modules and configuring the kernel to only load signed modules.
3) Using Security Modules
Finally, using Linux Security Modules such as AppArmor or SELinux can provide an additional layer of protection. These modules can enforce access controls and limit processes’ operations.
The CAP_SYS_MODULE capability is a powerful privilege that can be exploited to gain root access in a Linux system. However, by understanding how this capability can be abused and taking steps to mitigate potential exploits, system administrators can secure their systems against such attacks.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems, and provide recommendations to remediate them.
“Join us on our journey of growth and development by signing up for our comprehensive courses.“
