When a system is breached, compromised or exploited, the attackers never stop after getting the initial access because it doesn’t give them privileged access. The same goes for an offensive security assessment, i.e. infrastructure penetration testing or a red team assessment. Assessment activity doesn’t stop after getting the initial foothold; pen testers or red teamers try to move around in the network laterally, look for valuable and sensitive data and try to maintain their access using persistence techniques. This is where privilege escalation attacks become important: what happens during them, and how to break the attack chain by preventing such exploitation.
Phases of hacking
The entire hacking process is divided into five phases, and those are:
1. Reconnaissance
Gathering all possible information about the target passively, without actively interacting with it.
2. Scanning and Enumeration
Interacting with the target and scanning it for vulnerabilities or security flaws.
3. Exploitation or Gaining access
Exploiting the found vulnerabilities and gaining initial access into the system or network.
4. Post-Exploitation or Maintaining access
Moving around in the network, looking for sensitive data and credentials to user accounts, escalating privileges to access authenticated resources etc.
5. Covering Tracks
Removing uploaded files, clearing logs of malicious activity, wiping the traces of lateral movement and privilege escalation, cleaning the system from backdoors, etc.
In this article, we’ll discuss one of the post-exploitation techniques from the five phases of hacking, which is Privilege Escalation.
Privilege Escalation is an essential step in the cyber kill chain and, according to the MITRE ATT&CK Framework, is categorised as an Enterprise Tactic, having the Tactic ID TA0004.
What are access controls?
To truly understand privilege escalation, access controls must be discussed beforehand.
Access controls are security controls that ensure that:
- Users are who they say they are (authentication)
- They are only accessing resources to which they are given access (authorisation)
In a nutshell, access controls regulate which users can access the systems in an organisation’s infrastructure and, if they can, ensure that they only access the information and resources allowed to them. In today’s modern digital world, access controls are of paramount importance for any organisation with employees who connect to the internet daily.
Types of Access Controls
To ensure their data protection, organisations adopt the appropriate type of access controls per the sensitivity of data stored and processed by that organisation.
The four access control models are:
Discretionary access control (DAC)
DAC model is an old model that implements access controls by assigning access rights based on the rules specified by data owners or administrators.
Mandatory access control (MAC)
MAC is also an old model that implements access control policies such that the access rights are assigned based on central regulatory authority.
Role-Based Access Control (RBAC)
RBAC is the most common access control model today that utilises fundamental security principles, i.e. the principle of least privilege and the principle of separation. This model ensures that anyone accessing information or resources of an organisation has the relevant authority.
Attribute-Based Access Control (ABAC)
ABAC, the latest access control model, uses a more dynamic approach to determine whether the user accessing a resource is authorised or not. It utilises parameters like user information, time of access etc., to make access granting decisions.
Access control in the context of web applications
In web applications, access controls rely on authentication and session management. As explained before, authentication identifies the user and ensures that the user is legitimate, while session management identifies which subsequent HTTP requests are received from that user.
Based on these two components, web application access controls decide whether the user is allowed to perform the intended actions.
Broken Access Control
Web Applications very commonly suffer from Broken access control vulnerabilities. This is because the web applications of today’s internet are very sophisticated and contain many complex interlinked functionalities. These complex functionalities give birth to the possibilities of potential business logic and access control flaws.
The access control exploitation cases are so diverse that any web application development and security team should ensure the access control logic is designed by humans manually and not by any automation tools.
What is privilege escalation?
Simply put, privilege escalation is a technique where the attacker tries to get higher level permissions and privileges than they currently have to have better control over the exploited system.
In an application, there are always two main types of users:
- Regular users
- Administrative users
In the case of operating systems, standard or regular users are the user accounts with minimal privileges in a Windows or Unix/Linux OS, and the user, computer or service accounts with base-level permissions created in a domain-joined environment. The administrative users in Windows are the Administrator account, the NT AUTHORITY\SYSTEM account and, in a domain-joined environment, the Domain Admin; in Unix/Linux, the root user account is the administrator.
In the case of web or mobile applications, a standard or regular user account is the end-user using the application. In contrast, the administrative user account is the super user account responsible for the proper and secure workflow of the application.
How does privilege escalation work?
When an attacker gets access to a system, they may not have access to perform every operation, make changes or read data on that system. Such privileges are usually only given to system administrators. So after gaining initial access, the goal of any attacker is to gain administrator privileges on that system so that they may leverage that breach to its full extent.
To achieve their goal, the attacker starts the process by enumerating information about the system that they can leverage to:
- Either escalate their privileges to those of a system administrator. This process is known as vertical privilege escalation.
- Or gain access to other accounts on the system. This process is known as horizontal privilege escalation.
This information then helps the attacker create a pathway from their current location, i.e. the low-privileged user they currently control, to the system administrator with the privileges to achieve any of their malicious goals.
Common privilege escalation techniques
Privilege escalation techniques take advantage of weak passwords, misconfigured applications running with elevated access, security misconfigurations within the operating system, publicly known vulnerabilities in running applications etc.
The goal of privilege escalation attack
An attacker’s ultimate goal is to get complete access and control of an exploited system, and privilege escalation attacks help the attackers achieve this goal. Therefore, the plans for the privilege escalation attack are:
1. Accessing authenticated data
Privilege escalation attacks help the attacker access data that requires authentication or is not accessible to the attacker’s current privileges.
2. Getting super-user access to the system
Privilege escalation attacks help the attacker elevate their current level of access and permissions to those of a super-user or administrator to gain complete control of the exploited system, network or application.
What are the types of privilege escalation?
While the main objective of privilege escalation is to gain access to data that requires authorisation, privilege escalation can be categorised into the following two types, according to the level of permissions, privileges and the kind of access:
Horizontal privilege escalation
Horizontal privilege escalation (sometimes called lateral movement) is a privilege escalation technique where an attacker tries to gain access to data they are not authorised to access.
Horizontal privilege escalation involves gaining access to user accounts with the same privileges but having access to different data.
Unlike vertical privilege escalation, here the attacker goes on exploiting and gaining access to other user accounts on the same application, computer or network, thereby increasing their radius of access on that application, system or network.
Let’s say an attacker has an initial foothold on a target system as the user ‘bob’. They enumerate the user accounts on the system and find a few other user accounts, out of which one user, let’s say ‘john’, seems interesting because john has access to the financials of the target organisation. The attacker continues to enumerate the file system and comes across a file named ‘credentials’. They open it and find the credentials to the user account john. They switch users from bob to john, and now the attacker has also gained access to the target organisation’s financials.
Vertical privilege escalation
Vertical privilege escalation is a privilege escalation technique that involves gaining a higher level of access than the attacker currently has.
This usually involves targeting administrative accounts on the application or system and gaining access to them or exploiting services or applications on the OS running with administrative or higher access.
As an example of a vertical privilege escalation attack, let’s say an attacker gets an initial foothold on the target system as a regular user, but they have limited control over the system. They enumerate the file and operating system, running services and installed applications and find that one of the installed applications is running with administrative access and is an older version. They look for publicly known exploits for that specific version of the application and find a few proof-of-concept (PoC) exploit codes for escalating privileges. The attacker then gets the PoC code, modifies it according to their own needs, runs the code, and gets administrative-level access to the target system. Now the attacker has complete control of the target system; they can disable the system’s defence mechanisms, establish persistence, install backdoors, breach sensitive data, etc.
How do we discover privilege escalation vulnerabilities?
Privilege escalation misconfigurations and vulnerabilities arise when the system administrator misconfigures the system. This incorrect configuration may include leaving administrative accounts with weak passwords, deploying misconfigured services and running them with administrative access, installing older and vulnerable versions of application software, leaving credentials unprotected on the system, and so on.
Discovering privilege escalation misconfigurations and vulnerabilities requires a good understanding of the OS, file system and permissions, and a sharp eye. These misconfigurations are found by extensive enumeration of the operating system and the file system itself.
Privilege escalation enumeration checklist
Once an attacker gains initial access to a system, they enumerate information about the system that can help them in the process of privilege escalation. In this section, we look at critical information that can help an attacker escalate privileges and gain root access on a Linux system or administrator access on a Windows system.
Host and Network information
Identifying IP addresses, hostnames, and network routes can help identify network schemes that can lead to gaining initial access to other workstations in the network, also known as lateral movement.
Identifying current user details and privileges, other users on the system, root or administrator accounts, etc., can help compromise user accounts whose sensitive data is leaked or that are running vulnerable applications on the system.
Privileged Access Information
Identifying whether the attacker can run any application as root, either by using sudo or by running SUID binaries on a Linux system, which can allow the attacker to escalate privileges on that system.
If scheduled jobs are running as root or any other user on the system, the attacker can exploit them to perform vertical or horizontal privilege escalation.
Misconfigured or vulnerable applications and services
If the attacker can identify any misconfigured services or applications running as root, the attacker can exploit those misconfigurations for privilege escalation. Similarly, if applications run on vulnerable versions for which exploits are available, attackers can leverage those exploits to gain root access to the system.
Common privilege escalation misconfigurations and vulnerabilities
Below we explore some common privilege escalation misconfigurations and vulnerabilities according to both Linux and Windows OS.
Exploiting sudo rights
Linux systems contain a sudoers file in the /etc directory, which holds the configuration for sudo rights on the system. The sudo command, which stands for "Super User Do", allows the attacker to run the program specified in the sudoers file as the root user. If the program can be used to invoke a shell or write sensitive files such as /etc/passwd, the attacker can easily gain root access.
Exploiting SUID binaries
Set User ID (SUID) is a permission bit on Linux files which, when set, allows the user to run the binary with the permission of the file’s owner. For example, assume a user Alex is logged in on a Linux environment, and there is a file in /var/ directory named test_script.sh with SUID bit set owned by bob. When Alex runs the script, the script runs as the user bob instead of Alex. This is because the SUID bit allows Alex to run the script with the access of the script’s owner, which in this case is bob.
Kernel exploits are one of today’s most common ways to escalate privileges. If the OS runs a vulnerable kernel version, there may be a privilege escalation exploit that the attacker can leverage to gain root access to the system. For example, if the attacker gains initial low-privileged user access on a Linux system running the Linux Kernel 3.5, the attacker can leverage the Dirty COW exploit to gain root access to the system.
Linux privilege escalation with Dirty COW
Web servers are widely used for hosting websites and web applications, and many printers, routers and Internet of Things (IoT) devices use web servers to provide their administrative interface. Once compromised, such a device can be used to launch further attacks within the local network. Attackers first need to gain access to a regular, unprivileged user account by exploiting a bug or misconfiguration. The local privilege escalation attack dubbed Dirty COW (Dirty Copy-On-Write) only affects older and unpatched systems.
Exploiting PATH variable
PATH is an environment variable in Linux operating systems that specifies all the directories in which executable programs reside. When a user runs a command on a Linux terminal, the shell looks the command up in the directories listed in the $PATH variable. The attacker can view the contents of the $PATH variable by executing the “echo $PATH” command.
For example, assume the attacker gains an initial foothold on a Linux machine as a low-privileged user named alex. The attacker checks the contents of the $PATH variable and finds that “.” is specified in the $PATH variable. This implies that binaries or scripts can be executed from the current directory. The attacker finds a script.sh file in /home/alex, which is a root owned binary with SUID bit set.
This means the script will be executed as the root user. The script was written without taking security into consideration, and the whoami command was called in the script to be executed without specifying the full path of the binary. The attacker creates a new script called “whoami” in the /home/alex directory and writes malicious content to it. When the attacker executes the script.sh, it calls whoami from the current directory instead of calling the original binary from /usr/bin/ directory.
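From the defender's side, the same scenario can be checked before an attacker finds it. The following is an added example, not code from the original article: `risky_entries` flags PATH entries a low-privileged user may control, and `resolve` (a simplified stand-in for the shell's lookup) shows which file a bare command name such as whoami actually resolves to. The function names and the sample PATH are assumptions made for the illustration.

```python
import os
import stat


def risky_entries(path_value):
    """Return (position, entry, reason) for PATH entries that should not be trusted."""
    findings = []
    for position, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            # An empty entry (leading, trailing or doubled colon) also means
            # "current directory", which is easy to miss in a review.
            findings.append((position, entry, "current directory"))
        elif not os.path.isabs(entry):
            findings.append((position, entry, "relative directory"))
        elif not os.path.isdir(entry):
            findings.append((position, entry, "missing directory"))
        elif os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((position, entry, "group- or world-writable"))
    return findings


def resolve(command, path_value, cwd):
    """Mimic the shell's lookup: the first executable match in PATH order wins."""
    for entry in path_value.split(":"):
        directory = cwd if entry in ("", ".") else os.path.join(cwd, entry)
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed PATH value resembling the scenario above.
    sample = ".:/usr/local/bin:/usr/bin:/bin"
    for position, entry, reason in risky_entries(sample):
        print(f"PATH[{position}] = {entry!r}: {reason}")
    print("whoami resolves to:", resolve("whoami", sample, os.getcwd()))
```

Position matters: a “.” placed after /usr/bin does not shadow /usr/bin/whoami, while one placed before it does. For the privileged script itself, calling /usr/bin/whoami by its full path, or setting PATH explicitly at the top of the script, removes the dependency on the caller's environment.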
Unquoted Service Paths
When a service is created in Windows and its executable path is not enclosed in quotes, the attacker can leverage this misconfiguration to replace the service executable with their own malicious executables. If the service runs as the administrator user, the attacker can gain administrator privileges simply by exploiting this misconfiguration.
For example, assume a service is running as an administrator with the following path:
C:\Program Files\First Folder\Second Folder\Third Folder\SomeExecutable.exe
If the attacker has the privileges to write on any one of the folders mentioned in the above path, they can drop a malicious executable in that folder and get command execution as administrator. Assume that the attacker dropped a malicious file named Second.exe in “First Folder”. Windows OS will treat Second.exe as the service binary instead of checking further sub-folders. If the service was run in auto-start mode, the attacker only has to wait for the system to reboot and they will get their malicious code executed.
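An audit for this misconfiguration can be written directly from the lookup behaviour described above. This is an added example, not part of the original article: `hijack_candidates` lists, in order, the executables Windows would try before the intended one for an unquoted path, `audit_services` reports those that fall in a directory known to be writable by non-administrators, and `quoted_fix` produces the corrected value. The service records and the writable-directory list are constructed inputs, and the parser assumes the executable ends at the first “.exe”.

```python
import ntpath
import re

EXE_END = re.compile(r"\.exe", re.IGNORECASE)

# Constructed service records, as might be exported from the service registry.
SAMPLE_SERVICES = [
    {"name": "SomeService",
     "image_path": r"C:\Program Files\First Folder\Second Folder"
                   r"\Third Folder\SomeExecutable.exe"},
    {"name": "QuotedService",
     "image_path": r'"C:\Program Files\Vendor App\agent.exe" --service'},
    {"name": "NoSpaceInPath",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]


def split_image_path(image_path):
    """Split a service path into (executable, arguments, quoted?)."""
    value = image_path.strip()
    if value.startswith('"'):
        exe, _, rest = value[1:].partition('"')
        return exe, rest.strip(), True
    match = EXE_END.search(value)  # assumption: executable ends at first ".exe"
    end = match.end() if match else len(value)
    return value[:end], value[end:].strip(), False


def hijack_candidates(image_path):
    """Executables tried, in order, before the intended one (unquoted paths only)."""
    exe, _args, quoted = split_image_path(image_path)
    if quoted:
        return []
    # Every space in the executable path is a point where the text so far,
    # with ".exe" appended, is tried as the program to run.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_services(services, writable_dirs):
    """Return (service, candidate) pairs whose parent directory is writable."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    findings = []
    for service in services:
        for candidate in hijack_candidates(service["image_path"]):
            parent = ntpath.dirname(candidate).lower().rstrip("\\")
            if parent in writable:
                findings.append((service["name"], candidate))
    return findings


def quoted_fix(image_path):
    """Return the path with the executable enclosed in quotes."""
    exe, args, quoted = split_image_path(image_path)
    if quoted:
        return image_path
    return f'"{exe}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    for name, candidate in audit_services(
            SAMPLE_SERVICES, [r"C:\Program Files\First Folder"]):
        print(f"{name}: {candidate} would run before the real binary")
```

An unquoted path without spaces in the executable portion (the svchost record) is not a finding, which avoids the most common false positive in this kind of audit.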
Real-world privilege escalation examples and attacks
In this section, we’ll discuss some of the real-world applications that are found to be vulnerable to privilege escalation attacks.
1. The SUDO authentication bypass bug (CVE-2019-14287)
The SUDO binary version 1.8.27 was vulnerable to a buffer overflow vulnerability, and since the sudo binary runs in an elevated context, that is, with root user permissions, an attacker can easily exploit this vulnerability to bypass root authentication and gain root access to the target Linux system.
2. Polkit local privilege escalation (CVE-2021-3561)
Polkit is a Linux system binary that is installed by default and is utilised by systemd, so any Linux distribution that uses systemd has polkit installed. Polkit versions 0.105-26 (Ubuntu) and 0.117-2 (Fedora) suffer from a local privilege escalation vulnerability that any attacker can abuse to gain root access to the target system.
3. SAPSprint unquoted service paths
SAPSprint is a Windows utility that is used to print output to a remote Windows server. SAPSprint 7.60 is prone to a local privilege escalation vulnerability due to unquoted service paths. This means an attacker can easily place a malicious file in one of the installation directories of this service and execute code as the Administrator user.
4. Remote mouse local privilege escalation (CVE-2021-35448)
Remote Mouse is an application that turns your mobile phone into a mouse. It requires the Remote Mouse application to be installed on the mobile phone and a client application to be installed on the Windows operating system.
The Windows client suffers from a local privilege escalation vulnerability, and an attacker can very easily exploit this vulnerability to get administrative-level privileges on the target Windows operating system.
5. Jailbreaking and rooting
Privilege escalation vulnerabilities are not only found in Linux/Windows operating systems and web/mobile applications; a large application of local privilege escalation vulnerabilities lies in rooting or jailbreaking your mobile device.
Rooting your Android device or jailbreaking your iPhone means you want to have administrative, root or superuser access to your mobile device.
How to prevent privilege escalation?
Privilege escalation attacks consist of advanced, dynamic attack vectors that require defence-in-depth strategies for detection and protection. However, implementing the best practices mentioned below can help an organisation protect its infrastructure from privilege escalation and lateral movement attacks.
1. Strong password policies
Most cyber-attacks of any kind leverage some kind of password weakness in their process. An organisation must enforce strong password policies requiring users to select unique and secure passwords and change them regularly.
Users should not store any passwords on the drive unencrypted, which may be leveraged by attackers to compromise user accounts. Lastly, never use default credentials on any of the services or applications as an accessible service with default credentials can be an easy initial access target for an attacker.
2. Principle of least privileges
Practice the principle of least privilege. This means that an organisation must review their existing user accounts to ensure that no user is granted any privileges that do not correspond to their roles. So even if an attacker compromises an account, they cannot escalate privileges to administrators or perform lateral movement. And most importantly, make sure to delete any unused accounts, especially after the departure of any employees.
3. System hardening
Block all unused ports on the network. Attackers use unused ports to create reverse shells to their command and control servers. Moreover, users who are only supposed to read a certain file should not be granted write access to it. This control will prevent attackers from changing system configurations by writing to files only accessible to administrators.
Do not forget to enable Data Execution Prevention (DEP) features on Windows, or the NX bit on Linux.
4. Patch management and regular system updates
Many of the privilege escalation attacks leverage kernel exploits and known vulnerabilities in the applications running on the system. An organisation must ensure that operating systems are regularly updated on every workstation and no known vulnerable applications are running on these systems. In order to stay updated, administrators should keep track of operating system and application release notes for the latest security patches.
5. Constant and regular monitoring and auditing
Proactively monitor all privileged accounts and their sessions to identify any suspicious activity that might indicate a compromised account. Attackers run certain enumeration commands for gathering information in order to facilitate their privilege escalation process. The execution of these commands can be monitored to detect any potential privilege escalation attempt.
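One way to monitor for this, shown as an added example that is not part of the original article: group process-execution log lines by host and user, map each command to one of the enumeration categories from the checklist earlier in the article, and alert when several distinct categories appear within a short window. The log format, the command patterns, the 120-second window and the threshold of four categories are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the enumeration checklist; the patterns are assumptions.
CATEGORIES = {
    "identity": re.compile(r"^(whoami|id)\b"),
    "sudo_rights": re.compile(r"^sudo\s+-l\b"),
    "suid_search": re.compile(r"^find\b.*-perm\s+\S*(4000|u=s)"),
    "kernel_version": re.compile(r"^uname\s+-\w*[ar]"),
    "scheduled_jobs": re.compile(r"^(crontab\s+-l|cat\s+/etc/crontab)\b"),
    "network": re.compile(r"^(ip\s+(a|addr|route)|ifconfig|hostname)\b"),
    "path": re.compile(r"^echo\s+\$PATH\b"),
}
LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed log lines in a hypothetical key=value format, in time order.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z host=db01 user=deploy cmd="whoami"
2024-05-01T09:30:00Z host=db01 user=deploy cmd="uname -a"
2024-05-01T10:00:03Z host=web01 user=alex cmd="whoami"
2024-05-01T10:00:05Z host=web01 user=alex cmd="id"
2024-05-01T10:00:20Z host=web01 user=alex cmd="sudo -l"
2024-05-01T10:00:30Z host=web01 user=alex cmd="ls -la"
2024-05-01T10:00:41Z host=web01 user=alex cmd="find / -perm -4000 -type f"
2024-05-01T10:01:02Z host=web01 user=alex cmd="uname -a"
2024-05-01T10:15:00Z host=db01 user=deploy cmd="crontab -l"
2024-05-01T11:00:00Z host=db01 user=deploy cmd="hostname"
""".splitlines()


def classify(command):
    """Return the enumeration category of a command, or None if it is not one."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(command):
            return name
    return None


def detect_enumeration(lines, window=timedelta(seconds=120), threshold=4):
    """Alert when one user on one host hits `threshold` categories within `window`."""
    recent = defaultdict(list)  # (host, user) -> [(time, category), ...]
    alerts = []
    for line in lines:
        match = LINE.match(line.strip())
        category = classify(match["cmd"]) if match else None
        if category is None:
            continue  # malformed line or a command that is not enumeration
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (match["host"], match["user"])
        events = [e for e in recent[key] if ts - e[0] <= window]
        events.append((ts, category))
        seen = sorted({c for _, c in events})
        if len(seen) >= threshold:
            alerts.append({"host": key[0], "user": key[1],
                           "time": match["ts"], "categories": seen})
            events = []  # start a fresh window after alerting
        recent[key] = events
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Counting distinct categories rather than raw commands keeps an administrator who runs whoami a few times during the day (the deploy account in the sample) below the threshold.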
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.