Skip to content

Info

ID: AT-DC004.001
Technique: Exploitation for Privilege Escalation
Tactic: Deepening Control
Platforms: Linux
Data Sources: Container Logs, Process Monitoring, Configuration Monitoring
Permissions Required: User-level access to container configuration files
Effective Permissions: Root-level access on host system
Version: 1.0

Capabilities Abuse

Capabilities Abuse is a privilege escalation sub-technique where attackers exploit improperly configured capability settings in Unix-like systems to elevate privileges beyond intended boundaries. During the Deepening Control phase, after initial access has been established, attackers seek to leverage the fine-grained permissions provided by Linux capabilities (controlled via the cap_set_proc, cap_get_proc functions and managed by setcap/getcap tools) to perform operations that would typically require root access. These capabilities, which fragment the omnipotent root privilege into discrete permissions (such as CAP_NET_ADMIN for network configuration changes, CAP_SYS_ADMIN for system administration tasks, or CAP_DAC_OVERRIDE for bypassing file permission checks), can be abused when inappropriately assigned to executables, processes, or containers. A common attack vector involves exploiting binaries with the CAP_SETUID capability to spawn privileged shells, or leveraging CAP_DAC_READ_SEARCH to access sensitive system files despite lacking standard file permissions. Unlike traditional privilege escalation that requires full root access, capabilities abuse allows attackers to gain specific elevated powers that may suffice for their malicious objectives while potentially evading detection methods focused solely on complete privilege elevation.

Detection

Examples in the Wild

Notable Capabilities Abuse Attacks:

ShadowRay Attack The ShadowRay attack exploited misconfigured capabilities in Ray's distributed training infrastructure. Attackers leveraged CAP_DAC_READ_SEARCH capabilities granted to training processes to access model weights and training data across nodes, demonstrating how capabilities abuse can enable intellectual property theft in AI infrastructure.

ShellTorch (CVE-2023-43654) The ShellTorch attack included capabilities abuse components in its attack chain. Attackers exploited overly permissive capabilities granted to TorchServe processes to access sensitive model files and system resources, enabling both model theft and remote code execution.

Ultralytics Model Registry Compromise The Ultralytics attack leveraged capabilities abuse to escalate privileges within the model registry infrastructure. Attackers exploited CAP_SYS_ADMIN capabilities to manipulate model artifacts and inject malicious code into the YOLOv8 ecosystem.

Attack Mechanism

Common Capabilities Abuse Techniques:

  1. Training Process Exploitation

    # ShadowRay-style capability abuse
    def exploit_training_process():
        # Abuse CAP_DAC_READ_SEARCH
        training_pid = find_training_process()
        capabilities = get_process_capabilities(training_pid)
    
        if "CAP_DAC_READ_SEARCH" in capabilities:
            # Access model weights across nodes
            for node in cluster_nodes:
                weights = read_file(f"/proc/{training_pid}/root/model/weights.pt")
                exfiltrate_data(weights)
    

  2. Model Server Compromise

    # ShellTorch-style capability escalation
    def exploit_model_server():
        # Abuse CAP_SYS_ADMIN
        server_pid = find_torchserve_process()
        if has_capability(server_pid, "CAP_SYS_ADMIN"):
            # Manipulate model serving
            inject_malicious_model()
            modify_runtime_behavior()
    

  3. Registry Access Abuse

    # Ultralytics-style registry exploitation
    def exploit_registry():
        # Abuse excessive capabilities
        if process_has_capability("CAP_DAC_OVERRIDE"):
            # Modify model artifacts
            for model in registry.list_models():
                inject_backdoor(model)
                update_registry(model)