Adversaries perform Privilege Escalation attacks by bypassing the controls that segregate users and applications from system resources. Privilege Escalation is not the primary goal of an attacker; however, it is pivotal in the attack chain. Through it, an attacker escalates an initial, low-privilege foothold into accounts with elevated privileges, such as the “SYSTEM” or root account, other administrative accounts, or user accounts with specific system access.
Modern operating systems and web applications mostly cater to multiple account types, divided among the users and applications that require lesser or greater degrees of privilege to perform their various functions.
This architecture is designed to:
Restrict users from either maliciously or accidentally altering resources and functions reserved for higher-privilege users (when this control is bypassed, the result is a Vertical Privilege Escalation).
Ensure that different normal users can’t access each other’s functions and content (when this control is bypassed, the result is a Horizontal Privilege Escalation).
While keeping malicious actors out of a computing environment is a worthy endeavor, it has proven nearly impossible to achieve, given the perennial involvement of human behavior. Phishing emails continue to be highly effective, offering attackers an all but guaranteed foot in the door. Since this problem has not yet been met with a solution, modern computing environments place more emphasis on detection and containment, and the value and impact of Privilege Escalation vulnerabilities have risen dramatically as a result.
In 2019, a security researcher known as ‘SandboxEscaper’ published numerous critical Privilege Escalation flaws in Windows systems, including exploits able to manipulate Task Scheduler, the Shell, and the Installer. Once made aware of the discoveries, Microsoft was quick to patch, but the severity of just four of these vulnerabilities was high, and the window between the public release of the bugs and the arrival of a patch would have been sufficient for any malicious actor already at the Privilege Escalation stage.
Whether or not an attacker took advantage of the aforementioned vulnerabilities in the wild is not known. Still, there is an abundant supply of Privilege Escalation tools capable of running administrative commands and stealing confidential data, because such tools are a fundamental component of the adversarial toolbox.
Vertical Privilege Escalation
Let’s suppose that attackers have compromised a vulnerable application, such as a web server, to gain a foothold on the server’s host system. This access has allowed them to enter and explore the target system, but they are limited by the privilege level of the compromised application, which is usually low. For this reason, they now need to circumvent the security controls and gain higher-level permissions to take full control of the system.
There are many techniques at their disposal, depending on the target system, the software, and the configuration. In the case above, our attackers have gained access to a Linux server, and so they are searching for misconfigurations and vulnerabilities in system services, SUID files, Sudo settings, incorrect file permissions, vulnerabilities in the kernel… anything that yields “root” privileges (the highest level of access on Linux and other Unix-derived systems).
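The same surface can be audited from the defender’s side before an attacker gets to it. The following is an added example, not code from the original article: it flags setuid/setgid binaries, world-writable paths, and permissive sudo rules on a Linux host. The file names, modes and the sudoers excerpt are constructed for illustration.

```python
import os
import stat
import tempfile

# Added example (not the article's code): a defender-side audit of the Linux
# privilege-escalation surface the text lists; sample data is constructed.
def classify_mode(path, mode):
    """Findings for one entry; a world-writable dir is fine only with the sticky bit."""
    findings = []
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(("setuid/setgid", path))
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append(("world-writable", path))
    return findings

def scan_tree(root):
    """Walk root without following symlinks and collect the findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode):
                findings.extend(classify_mode(full, st.st_mode))
    return findings

def risky_sudoers_lines(text):
    """Rules that drop the password prompt or grant ALL commands to non-root."""
    risky = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0] == "root":
            continue
        if "NOPASSWD:" in line or line.endswith(" ALL"):
            risky.append((number, line))
    return risky

def demo_scan():
    """Audit a throwaway tree: one sane file (0644) and one world-writable (0666)."""
    root = tempfile.mkdtemp()
    for name, mode in (("notes.txt", 0o644), ("drop.txt", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return [(kind, os.path.basename(p)) for kind, p in scan_tree(root)]

SAMPLE_SUDOERS = """Defaults env_reset
root     ALL=(ALL:ALL) ALL
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
www-data ALL=(ALL) ALL"""
```

Run `scan_tree("/")` as an unprivileged user to see the real host’s findings; entries it cannot stat will raise, so wrap the call accordingly on a production box.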
Horizontal Privilege Escalation
In this scenario, suppose an attacker (or even a curious user) has legitimately logged into a bank’s online banking application that inadequately validates the requests it serves. The attacker discovers that by manipulating the URL, sequentially enumerating the numeric ID that references the account page, they can glean other users’ banking details. Thus, they have potentially escalated their pre-defined set of privileges horizontally.
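The account lookup from that scenario, as an added example that is not part of the original article: the flawed handler beside one that ties authorization to the session rather than to the ID in the URL, plus a simple log-based detector for the sequential probing the flaw invites. The accounts, users and log lines are constructed.

```python
import re
from collections import defaultdict

# Added example (not code from the original article). ACCOUNTS, the users
# and SAMPLE_LOG are constructed; a real app would read from its data store.
ACCOUNTS = {1001: ("alice", 2500), 1002: ("bob", 900), 1003: ("carol", 12000)}

def account_page_vulnerable(session_user, account_id):
    """Flawed handler: trusts the ID from the URL and never checks ownership."""
    record = ACCOUNTS.get(account_id)
    return (200, record) if record else (404, None)

def account_page_hardened(session_user, account_id):
    """Ownership is decided from the logged-in session, never from the request."""
    record = ACCOUNTS.get(account_id)
    # One uniform 404 for 'unknown' and 'not yours', so the ID space can't be probed.
    if record is None or record[0] != session_user:
        return (404, None)
    return (200, record)

LOG_LINE = re.compile(r"user=(?P<user>\S+) path=/account\?id=(?P<id>\d+)")

def enumeration_suspects(log_lines, threshold=3):
    """Users who requested at least `threshold` distinct account IDs."""
    seen = defaultdict(set)
    for line in log_lines:
        match = LOG_LINE.search(line)
        if match:
            seen[match["user"]].add(int(match["id"]))
    return sorted(user for user, ids in seen.items() if len(ids) >= threshold)

SAMPLE_LOG = [  # constructed access-log excerpt: bob walks the ID space
    "user=alice path=/account?id=1001 status=200",
    "user=bob path=/account?id=1002 status=200",
    "user=bob path=/account?id=1003 status=404",
    "user=bob path=/account?id=1004 status=404",
    "user=bob path=/account?id=1005 status=404",
    "user=carol path=/account?id=1003 status=200",
]
```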
In short, organizations can significantly decrease their exposure to Privilege Escalation vulnerabilities by adhering to best practices for infrastructure and application security.
Harden your servers and the other components of your infrastructure that are of increased criticality.
Close unnecessary services and network ports.
Ensure defunct users and groups are deleted.
Ensure the files, directories, and services possess the correct permissions.
Adhere to the principle of least privilege when creating specialized users and groups, extending only the minimum privileges and file access necessary for that user.
Mandate robust authentication methods for users and customers, ensuring default credentials aren’t used, and effective password policies and multi-factor authentication are applied as rigorously as your environment will allow.
Stay abreast of the latest known vulnerabilities, ensure a reliable, continuously updated patch management system is in place, and implement an effective and continuous security assessment procedure within your environment.
Adhere to programming best practices and scrutinize the code in your applications for common errors.
Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.