What is Privilege Escalation.
Privilege escalation is a type of Cyber-attack used to obtain unauthorized access to systems within the security perimeter, or sensitive systems, of an organization. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Privilege escalation attacks exploit weaknesses and vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems. This attack takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications. Not every system hack will initially provide an unauthorized user with full access to the targeted system. In those circumstances privilege escalation is required. There are two types of privilege escalation attacks including vertical and horizontal. Vertical attacks are when an attacker gains access to an account with the intent to perform actions as that user. Horizontal attacks gain access to account(s) with limited permissions requiring an escalation of privileges, such as to an administrator role, to perform the desired actions.
Vertical Privilege Escalation: Vertical privilege escalation occurs when an attacker gains access directly to an account with the intent to perform actions as that person. This type of attack is easier to pull off since there is no desire to elevate permissions. The goal here is to access an account to further spread an attack or access data the user has permissions to.
Horizontal Privilege Escalation: Horizontal privilege escalation is a bit tricky to pull off as it requires the attacker to gain access to the account credentials as well as elevating the permissions. This type of attack tends to require a deep understanding of the vulnerabilities that affect certain operating systems or the use of hacking tools.
Windows Privilege Escalation Techniques:
Access Token Manipulation: Windows uses access tokens to determine the owners of running processes. When a process tries to perform a task that requires privileges, the system checks who owns the process and to see if they have sufficient permissions. Access token manipulation involves fooling the system into believing that the running process belongs to someone other than the user who started the process, granting the process the permissions of the other user.
Techniques:
– Duplication: Duplicating an access token using the Windows DuplicateToken(Ex) and then using ImpersonateLoggedOnUserfunction or SetThreadToken function to assign the impersonated token to a thread.
– Impersonation: Creating a new process with an impersonated token using the DuplicateToken(Ex) function together with the CreateProcessWithTokenW function.
– Leveraging: Leveraging username and password to create a token using the LogonUser function. The attacker possesses a username and password, and without logging on, they create a logon session, obtain the new token and use SetThreadToken to assign it to a thread. In this method, an adversary has a username and password, but the user is not logged.
Bypass User Account Control: The Windows User Account Control (UAC) mechanism creates a distinction between regular users and administrators. It limits all applications to standard user permissions unless specifically authorized by an administrator, to prevent malware from compromising the operating system. However, if UAC protection is not at the highest level, some Windows programs can escalate privileges, or execute COM objects with administrative privileges.
DLL search order hijacking: Attackers can perform “DLL preloading”. This involves planting a malicious DLL with the same name as a legitimate DLL, in a location which is searched by the system before the legitimate DLL is used by the system. Often this will be the current working directory, or in some cases attackers may remotely set the working directory to an external file volume. The system finds the DLL in the working folder, thinking it is the legitimate DLL, and executes it. There are several other ways to achieve DLL search order hijacking:
– Replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction
– Performing search order DLL hijacking on a vulnerable program that has a higher privilege level, causing the attacker’s DLL to run at the same privilege level. This can be used to elevate privileges from user to administrator or from administrator to SYSTEM.
– Covering the attack by loading the legitimate DLLS together with the malicious DLLs, so that systems appear to run as usual.
Linux Privilege Escalation:
Enumeration : Attackers use automated tools to perform enumeration on Linux systems. In Linux systems, attackers use a process called “enumeration” to identify weaknesses that may allow privilege escalation. Enumeration involves:
– Using Google searches, port scanning and direct interaction with a system to learn more about it and see how it responds to inputs.
– Seeing if compilers, or high-level programming languages like Perl or Python, are available, this can allow an attacker to run exploit code.
– Identifying software components, such as web servers and their versions.
– Retrieving data from key system directories such as /etc, /proc, ipconfig, lsof, netstat and uname.
Kernel Exploit: From time to time, vulnerabilities are discovered in the Linux kernel. Attackers can exploit these vulnerabilities to gain root access to a Linux system, and once the system is infected with the exploit, there is no way to defend against it.
Attackers go through the following steps:
1) Learn about the vulnerabilities.
2) Develop or acquire exploit code.
3) Transfer the exploit onto the target.
4) Execute the exploit on the target.
Exploiting SUDO Rights: SUDO is a Linux program that lets users run programs with the security privileges of another user. Older versions would run as the super user (SU) by default. Attackers can try to compromise a user who has SUDO access to a system, and if successful, they can get gain root privileges.
A common scenario is administrators granting access to some users to perform supposedly harmless SUDO commands, such as ‘find’. However, the ‘find’ command contains parameters that enable command execution, and so if attackers compromise that user’s account, they can execute commands with root privileges.