Privilege escalation

from Wikipedia, the free encyclopedia

Privilege escalation (also called elevation of privilege or rights extension) refers to the exploitation of a computer bug or of a design or configuration error in software with the aim of giving a user or an application access to resources that cannot be used with limited rights.

Background

Most computer systems are designed as multi-user systems that include a concept for managing access rights. Privilege escalation means that a user obtains rights that they normally do not have. These rights can be used to delete files or to read and modify other users' private data. It is also possible to install unwanted programs. Privilege escalation occurs when the system in question contains errors that make it possible to circumvent the security concept.

There are two variants:

  • Vertical privilege escalation: A user or an application increases its access rights with the aim of using resources that are reserved for more highly privileged users, usually from other user groups. Example: installation of driver software by a user who has obtained administrative rights.
  • Horizontal privilege escalation: A normal user accesses functions or content reserved for other normal users. Example: user A and user B belong to the same user group, but only user B has the right to access the network. By escalating privileges horizontally, user A obtains this right as well.

Vertical privilege escalation

Figure: privilege levels on x86 processors in protected mode

This type of privilege escalation occurs when a user or an application process is able to obtain administrator or even system rights, possibly even at the level of kernel operations.

Examples of vertical privilege escalation

Highly privileged processes often assume that the data passed to them conforms to the interface specification and do not verify this. An attacker may then be able to exploit this assumption so that unauthorized code is executed by the highly privileged application:

  • In older versions of the Microsoft Windows operating system, the screen saver ran in the context of the SYSTEM user account. Any account that could replace the screen saver application with its own program thereby obtained system privileges.
  • On more recent Windows versions, Stuxnet used a since-closed vulnerability in the Task Scheduler that was caused by task definition XML files being protected only by a CRC32 checksum. A task created by a normal user could be modified afterwards by manipulating the XML file so that it was started with the rights of the system user account.
  • In some versions of the Linux kernel, it was possible to obtain root privileges through a null pointer dereference. The cause was a mutex in the kernel that was released too early.
  • A security hole in the udev service made it possible to gain root rights under Linux by means of manipulated netlink messages sent to udev, locally or via the network.
  • Certain versions of the Linux kernel made it possible to write a program that created a child process and set that process's current directory to /etc/cron.d. The child process was marked to produce a memory dump in the event of a crash, and was then deliberately terminated. The memory image was written to the current directory, i.e. /etc/cron.d, with the root account as its owner, and cron then executed the file automatically. Since the content of the file had been chosen by the attacker in the original program, the attacker was able to execute arbitrary code with root rights.
  • Cross-zone scripting is a variant of attack in which a website subverts the security model of the web browser in order to execute code on the client computer with higher privileges.
  • Another variant of privilege escalation is called jailbreaking. This means unlocking or bypassing mostly DRM-protected systems, for example to run unapproved apps on the iPhone or to use homebrew programs on game consoles. These systems usually rely on a sandbox, which is broken out of by means of privilege escalation.
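The Task Scheduler item above illustrates a general design point: an unkeyed checksum such as CRC32 protects against accidental corruption, not against a user who can edit the file and simply recompute the checksum. The following added example (not from the article, and not a description of Microsoft's actual patch) models that weak design beside a keyed-MAC check on a constructed task definition; the XML content, the service key and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample task definition; not a real Windows Task Scheduler file.
ORIGINAL_TASK = b"<Task><Principal>alice</Principal><Command>backup.exe</Command></Task>"
# The same definition after a low-privileged user edits the principal.
TAMPERED_TASK = ORIGINAL_TASK.replace(b"alice", b"SYSTEM")

# Hypothetical secret held only by the privileged service that stores tasks.
SERVICE_KEY = b"constructed-demo-key-not-for-real-use"


def crc32_tag(data: bytes) -> int:
    """Unkeyed checksum: anyone who can read the file can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed MAC: producing a valid tag requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_crc32(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def verify_hmac(data: bytes, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_tag(data, key), tag)


def checksum_design_accepts_tampering() -> bool:
    """Weak design: the service stores a CRC32 beside the task file. A user
    who edits the XML recomputes the CRC32 (no secret is needed), so the
    service's integrity check still passes and the modified task is accepted."""
    stored = crc32_tag(ORIGINAL_TASK)
    assert verify_crc32(ORIGINAL_TASK, stored)
    recomputed = crc32_tag(TAMPERED_TASK)
    return verify_crc32(TAMPERED_TASK, recomputed)  # True: tampering undetected


def mac_design_accepts_tampering() -> bool:
    """Hardened design: the service stores an HMAC computed with a key the
    user does not hold. The user can still edit the XML, but the best they can
    do is present the old tag, which no longer matches the modified content."""
    stored = hmac_tag(ORIGINAL_TASK, SERVICE_KEY)
    assert verify_hmac(ORIGINAL_TASK, stored, SERVICE_KEY)
    return verify_hmac(TAMPERED_TASK, stored, SERVICE_KEY)  # False: rejected
```

The same reasoning applies to any privileged component that stores user-modifiable state and relies on a checksum, file hash or magic value alone to decide whether to trust it later.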

Mitigation strategies

The following strategies reduce the risk of falling victim to a privilege escalation:

  • Data Execution Prevention
  • Address Space Layout Randomization
  • Pointer Authentication (PAC)
  • General deactivation of the administrator SID for certain applications.
  • Kernel-mode code should only run if it has been digitally signed.
  • Use of up-to-date antivirus software.
  • Regular software updates.
  • Use of compilers in software development that check for buffer overflows.
  • Encryption of software and/or firmware components.
  • Reducing the rights of a more highly privileged user (e.g. administrator) to the minimum required (least privilege).

Horizontal privilege escalation

Horizontal privilege escalation occurs when the attacker succeeds in gaining access to resources that are reserved for another user who is not themselves more highly privileged. The result is that the application or the user performs actions in a different security context than the application developer or system administrator originally intended.

Examples of horizontal privilege escalation

This problem is common in web applications. Example:

  • User A has access to their own account in an internet banking application.
  • User B has access to their own account in the same internet banking application.
  • The vulnerability occurs when user A is able to access user B's account through malicious activity.
  • This malicious activity becomes possible through weaknesses or gaps in the shared web application.
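The banking scenario above typically arises when a request handler authenticates the caller but never checks that the requested object belongs to them. The following added example (not from the article) shows such a handler beside a hardened version that enforces ownership and logs denied cross-user attempts; the account data, user names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data: two normal users of the same banking application.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "user_a", 500),
    1002: Account(1002, "user_b", 12000),
}

# Constructed audit trail; a real application would forward this to its SIEM.
AUDIT_LOG: List[str] = []


def get_account_vulnerable(session_user: str, account_id: int) -> Optional[Account]:
    """Weak handler: the session proves the caller is *a* valid user, but the
    account id comes straight from the request and ownership is never checked.
    Any logged-in user can read any account by changing the id."""
    return ACCOUNTS.get(account_id)  # session_user is ignored entirely


def get_account_hardened(session_user: str, account_id: int) -> Optional[Account]:
    """Fixed handler: the ownership check runs server-side on every request.
    A denied request is logged so repeated id probing is visible to monitoring."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        actual_owner = account.owner if account else "none"
        AUDIT_LOG.append(
            f"DENIED user={session_user} requested account={account_id} owner={actual_owner}"
        )
        return None
    return account


def accounts_for_user(session_user: str) -> List[Account]:
    """Preferred design: scope the query by the authenticated identity instead
    of trusting a client-supplied identifier at all."""
    return [a for a in ACCOUNTS.values() if a.owner == session_user]
```

Counting DENIED entries per session user over a short window is a simple detection rule for this class of probing.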

Potential vulnerabilities in web applications are:
