Privilege Escalation

What is Privilege Escalation?

Privilege escalation is a type of vulnerability exploitation in a web app or a network in which the attacker gains higher-level privileges than they were granted, and can then change or modify the properties and attributes of a user account, file, network configuration etc. without any authorization.

It can be performed in various ways: by exploiting existing flaws, weak network configuration, or bugs in the source code of software. It is a major threat to the Identity and Access Management (IAM) systems of an organization.

Image source : https://dpsvdv74uwwos.cloudfront.net/statics/img/ogimage/privilege-escalation.png

Here, the attacker first tries to exploit existing vulnerabilities to gain access to a higher-level user in the network.

Often, on the very first attempt, the attacker may get past the defenses of an organization, but its IAM system won't give them enough user rights to access or modify the data they want. In these cases, privilege escalation is needed.

There are basically two types of such attacks:

  1. Horizontal Privilege Escalation: the attacker is not granted any privileges beyond those of a general user, but is able to access the data and information of other users at the same level without any authorization.
  2. Vertical Privilege Escalation: the attacker climbs the ladder of all the roles available, i.e. from user to super user to manager to admin to super admin, and can access and control every element of the network or the targeted file.
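The two categories above map onto two separate checks that a web application has to make on every request: does this record belong to the caller (horizontal), and does the caller's role permit this operation (vertical)? The following Python is an added example, not code from the article; the users, roles, record table and the role ranking are all constructed for illustration. It shows a handler that trusts the client-supplied record id (the horizontal failure) beside versions that enforce ownership and a minimum role.

```python
# Added example (not from the original article): a minimal access-control check
# showing the two failure modes the article describes. All users, roles and
# records are constructed sample data.
from dataclasses import dataclass

# Role hierarchy: a higher rank means more privilege (assumed ordering).
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str


# Constructed sample records: record id -> owner user id
RECORDS = {101: 1, 102: 2, 103: 3}


class AccessDenied(Exception):
    pass


def read_record_vulnerable(session, record_id):
    """Trusts the client-supplied record id: any logged-in user can read any
    record. This is the horizontal escalation case (an insecure direct object
    reference)."""
    return RECORDS[record_id]


def read_record(session, record_id):
    """Horizontal check: a caller may only read records they own, unless the
    caller holds the admin role."""
    owner = RECORDS.get(record_id)
    if owner is None:
        raise AccessDenied("no such record")
    if owner != session.user_id and ROLE_RANK[session.role] < ROLE_RANK["admin"]:
        raise AccessDenied("record belongs to another user")
    return owner


def require_role(required):
    """Vertical check: decorator enforcing a minimum role for an operation."""
    def wrap(fn):
        def inner(session, *args, **kwargs):
            if ROLE_RANK.get(session.role, -1) < ROLE_RANK[required]:
                raise AccessDenied(f"{session.role} may not perform {fn.__name__}")
            return fn(session, *args, **kwargs)
        return inner
    return wrap


@require_role("admin")
def change_role(session, target_user_id, new_role):
    """Only an admin may change another account's role."""
    return (target_user_id, new_role)


def can(fn, session, *args):
    """Return True if the call is permitted, False if it raises AccessDenied."""
    try:
        fn(session, *args)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice, bob, root = Session(1, "user"), Session(2, "user"), Session(3, "admin")
    print("vulnerable handler lets bob read alice's record:", read_record_vulnerable(bob, 101))
    print("hardened handler lets bob read alice's record:", can(read_record, bob, 101))
    print("user may change roles:", can(change_role, alice, 2, "admin"))
    print("admin may change roles:", can(change_role, root, 2, "admin"))
```

The ownership check and the role check are deliberately separate: a single "is admin?" gate would stop the vertical case but still let one ordinary user read another's records.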

Image source : https://image.slidesharecdn.com/howfunofprivilegeescalation-redpill2017-171001100628/95/how-fun-of-privilege-escalation-red-pill2017-7-638.jpg?cb=1506852534

Performing Privilege Escalation in Windows

Access Token Manipulation –

Windows uses access tokens to identify which user owns a running process. It authenticates the user according to the access token presented and grants that user permission to access data from the current process.

Privilege escalation can be performed by manipulating these access tokens. Tokens can be forged or duplicated and then used by an attacker to spoof their identity. Windows treats the token provided as valid and grants the attacker access to sensitive information.

An attacker can also create a new process with the impersonated token and gain access to the targeted data. Capturing the username and password of a Windows user also allows an attacker to capture a session and obtain the permissions needed to access any user-sensitive data.

Bypassing UAC –

The User Account Control (UAC) feature in Windows distinguishes regular users from admin users. It limits every other user to a minimized set of permissions. Bypassing this mechanism allows a user to escalate privileges without having administrative rights, and the attacker can then access the targeted data.

DLL search order hijacking –

When a program loads a DLL by name, Windows searches a sequence of directories, including the present working directory, for a DLL with that name. An attacker can place a malicious DLL with a legitimate name in a directory that is searched before the location of the real DLL to fool the system and get around the access limits. When that DLL is loaded, the malicious code runs inside the process, and a privilege escalation exploit can be performed by the attacker.
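The defence against this, enabling safe DLL search mode, works by changing where the current directory sits in the search sequence. The following Python model is an added example, not code from the article or from Microsoft; the directory layout, application path and DLL placements are constructed, while the two search orders follow Microsoft's documented standard search order for desktop applications with SafeDllSearchMode on (the default) and off. It shows that the same planted DLL in a user-writable current directory loses to the genuine System32 copy under safe search mode but wins when that mode is disabled.

```python
# Added example (not from the original article): a model of the Windows DLL
# search order used to show why SafeDllSearchMode matters. Directory names and
# DLL placements are constructed sample data.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Return the directories in the order Windows consults them."""
    if safe_search:
        # SafeDllSearchMode=1 (default): the current directory is searched only
        # after the system directories.
        order = [app_dir] + SYSTEM_DIRS + [cwd]
    else:
        # SafeDllSearchMode=0: the current directory comes right after the
        # application directory, before the system directories.
        order = [app_dir, cwd] + SYSTEM_DIRS
    return order + list(path_dirs)


def resolve_dll(name, filesystem, app_dir, cwd, path_dirs, safe_search=True):
    """Return the full path of the first matching DLL, or None if not found.
    `filesystem` maps a directory to the set of file names present in it;
    names are compared case-insensitively, as Windows does."""
    wanted = name.lower()
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        files = {f.lower() for f in filesystem.get(directory, ())}
        if wanted in files:
            return directory + "\\" + name
    return None


# Constructed layout: the genuine DLL lives in System32, and a copy with the
# same name sits in a user-writable directory that happens to be the CWD.
SAMPLE_FS = {
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    r"C:\Users\alice\Downloads": {"version.dll"},
}
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools"]


def loaded_from(safe_search):
    """Which version.dll the sample application would load."""
    return resolve_dll("version.dll", SAMPLE_FS, APP_DIR, CWD, PATH_DIRS, safe_search)


def safe_search_enabled(registry_value):
    """Interpret the SafeDllSearchMode REG_DWORD under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager:
    an absent value or 1 means enabled, 0 means disabled."""
    return registry_value is None or registry_value == 1


if __name__ == "__main__":
    print("safe search on :", loaded_from(True))
    print("safe search off:", loaded_from(False))
```

Two caveats the model leaves out: DLLs listed under KnownDLLs are loaded from the system directory without any search, and an application can narrow the search itself with a fully qualified path or load-library flags, so the registry value is a system-wide floor rather than the whole story.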

Performing Privilege Escalation in LINUX distros

Kernel Exploits – As Linux is an open source OS, its source code is visible to everyone. An attacker goes through the source code, finds a vulnerability and then tries to exploit it. Kernel exploits are performed through remote code injection or a backdoor found by an attacker using reconnaissance or other ethical hacking practices, which ultimately leads to this attack.

Performing SUDO exploitation – sudo is a Linux command/program that enables a user to perform tasks with elevated rights. Whenever a user is granted sudo access, it is recorded in a file called "sudoers" in the Linux file system.

There are a few commands, such as "find", which accept parameters that lead to code execution when the command runs. That code can either be used to directly edit the "sudoers" file, or to directly perform a privilege escalation attack, since the attacker already has super user access by being in the "sudoers" list.

Mitigation

Such attacks can be mitigated in Windows by ensuring that UAC is always on for every user account, not allowing remote DLLs to load, enabling safe DLL search mode, turning on firewalls and all other security measures to ensure full protection.

In Linux, these types of privilege escalation can be prevented by blocking programs such as FTP, curl, or any similar programs. Also, never give sudo rights to compilers, or to text editors and interpreters like vim, gedit, python, ruby, Nmap, Perl etc.
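The sudo exploitation section above and the Linux mitigation just given both come down to the same audit question: which sudoers rules hand a user a program that can itself run other commands? The following Python is an added example, not code from the article; the sudoers text is constructed sample input, and the set of risky programs is an assumption built from the programs the article itself names. It parses the common rule form `user host=(runas) [NOPASSWD:] command, command` and reports grants of ALL and grants of any program in that set.

```python
# Added example (not from the original article): a small audit script that
# reads sudoers-style rules and flags the kind of grants the article warns
# about. The sudoers text below is constructed sample input, and the list of
# risky programs is an assumption drawn from the article's own examples.
import os
import re

# Programs the article names as unsafe to grant via sudo, plus "find" from the
# sudo exploitation section. Matched on the command's basename.
RISKY_PROGRAMS = {"find", "vim", "vi", "gedit", "python", "python3", "ruby",
                  "perl", "nmap", "gcc", "cc", "curl", "ftp"}

# user  host=(runas_user[:runas_group]) [TAG:] command list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (who, host, runas, tags, [commands]) for each rule line,
    skipping comments, blank lines, Defaults lines and alias definitions."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.match(r"^(User|Host|Cmnd|Runas)_Alias\b", line):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split() if t}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append((m.group("who"), m.group("host"),
                      m.group("runas") or "root", tags, cmds))
    return rules


def audit_sudoers(text):
    """Return a list of (who, command, reason) findings."""
    findings = []
    for who, host, runas, tags, cmds in parse_sudoers(text):
        for cmd in cmds:
            if cmd == "ALL":
                reason = "unrestricted sudo"
                if "NOPASSWD" in tags:
                    reason += " without password"
                findings.append((who, cmd, reason))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in RISKY_PROGRAMS:
                findings.append((who, cmd, f"{prog} can run arbitrary commands as {runas}"))
    return findings


# Constructed sample sudoers content (not a real system's file).
SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl restart app
dev     ALL=(root) /usr/bin/vim
"""

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:45} {reason}")
```

On a real host the file to feed in is /etc/sudoers together with /etc/sudoers.d/*, read as root; `sudo -l` run as each user is the cross-check, since it reports the rules after alias expansion, which this parser deliberately skips.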


written by: Priyansh Gupta

Reviewed By: Sayan Chatterjee
