What is Privilege Escalation? | Defend Against Privilege Escalation
An attacker who gains access to a network through a non-administrative user account will typically try to escalate to administrative privileges next.
A privilege escalation attack takes advantage of design flaws, programming errors, bugs, and configuration oversights in the operating system and application software to gain administrative access to the network and its associated applications.
These privileges allow the attacker to view critical or sensitive information, delete files, or install malicious programs such as viruses, Trojans, and worms.
Types of Privilege Escalation
Privilege escalation takes two forms: vertical privilege escalation and horizontal privilege escalation.
- Horizontal Privilege Escalation: the unauthorized user accesses resources, functions, and privileges that belong to another user with similar access permissions. For instance, online banking user A accesses user B's bank account.
- Vertical Privilege Escalation: the unauthorized user gains access to the resources and functions of a user with higher privileges, such as an application or site administrator. For example, someone using online banking gains access to the site's administrative functions.
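The two forms above, as an added example that is not code from the original article: constructed online-banking handlers in Python, with the unchecked version of each beside the version that enforces ownership (horizontal) and role (vertical) on the server. All users, accounts and balances are made up.

```python
# Added example, not from the original article: constructed banking handlers
# showing horizontal (object-level) and vertical (function-level) escalation
# and the server-side checks that prevent each. All data below is made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"


# Constructed sample data: account id -> (owner, balance)
ACCOUNTS = {"ACC-1001": ("alice", 2500), "ACC-1002": ("bob", 900)}


class Forbidden(Exception):
    pass


def view_balance_vulnerable(user, account_id):
    """Horizontal escalation: any customer can read any account, because the
    handler trusts the account id from the request and never checks ownership."""
    return ACCOUNTS[account_id][1]


def view_balance(user, account_id):
    """Hardened: object-level authorization. The caller must own the account;
    admins may read any account for support purposes."""
    owner, balance = ACCOUNTS[account_id]
    if user.role != "admin" and owner != user.name:
        raise Forbidden(f"{user.name} may not read {account_id}")
    return balance


def freeze_account_vulnerable(user, account_id):
    """Vertical escalation: an administrative function any user can call,
    because the role is only checked in the UI, not on the server."""
    return f"{account_id} frozen by {user.name}"


def freeze_account(user, account_id):
    """Hardened: function-level authorization enforced on the server."""
    if user.role != "admin":
        raise Forbidden("admin role required")
    return f"{account_id} frozen by {user.name}"


def denied(handler, user, account_id):
    """True if the handler refuses the request (used to compare both versions)."""
    try:
        handler(user, account_id)
        return False
    except Forbidden:
        return True
```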
Privilege Escalation Using DLL Hijacking
Most Windows applications do not use a fully qualified path when loading an external DLL; instead, the loader first searches the directory from which the application was loaded. Attackers take advantage of this: if program.exe needs library.dll and does not specify its full path, Windows looks for library.dll in the same directory as program.exe first. If an attacker can place a malicious library.dll in that application directory, it is loaded instead of the legitimate DLL and runs with the application's privileges, which can give the attacker remote access to the target system.
Privilege Escalation By Exploiting Vulnerability
Attackers exploit software vulnerabilities by taking advantage of programming flaws in a program, a service, the operating system, or the kernel to execute malicious code.
Exploiting such a vulnerability lets the attacker execute a command or binary on the target machine with higher privileges than they currently hold, or bypass security mechanisms.
Attackers using these exploits can gain access to privileged user accounts and credentials.
Privilege Escalation Using Dylib Hijacking
OS X, like Windows, is vulnerable to dynamic library attacks. OS X provides several legitimate, user-specific methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, that force the loader to load libraries automatically into a target running process. An attacker can use them to place a malicious dylib in one of the primary directories and have it loaded at runtime. Attackers take advantage of such methods for stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, and similar activities.
Privilege Escalation Using Spectre and Meltdown Vulnerabilities
Spectre and Meltdown are vulnerabilities in the design of modern processor chips from AMD, ARM, and Intel.
The performance optimizations in these processors, such as branch prediction, out-of-order execution, caching, and speculative execution, are what make these vulnerabilities possible.
Attackers exploit them to gain unauthorized access to critical system information such as credentials and secret keys held in an application's memory, and use it to escalate privileges.
An attacker can read adjacent memory locations of a process and obtain information he/she is not authorized to access.
An attacker can also escalate privileges by forcing an unprivileged process to read memory it should never see, such as kernel memory and physical memory.
This reveals critical system information such as credentials and private keys.
Other Privilege Escalation Techniques
- Access Token Manipulation
- Application Shimming
- File System Permission Weakness
- Path Interception
- Scheduled Task
- Launch Daemon
- Plist Modification
- Setuid and Setgid
- Web Shell
How to Defend Against Privilege Escalation
The best countermeasure against escalation is to ensure that users have the least privileges needed to use their system effectively. Then, even if the attacker succeeds in gaining access to a low-privileged account, he/she will not be able to gain administrative-level access. Often, flaws in program code allow such escalation of privileges on a target system.
The following are the best countermeasures to defend against privilege escalation:
- Restrict the interactive logon privileges.
- Use encryption techniques to protect sensitive data.
- Run users and applications on the least privileges.
- Reduce the amount of code that runs with particular privileges.
- Implement multi-factor authentication and authorization.
- Perform debugging using bounds checkers and stress tests.
- Run services as unprivileged accounts.
- Test operating system and application code thoroughly for coding errors and bugs.
- Implement a privilege separation methodology to limit the scope of programming errors and bugs.
- Patch and update the kernel regularly.
- Change UAC settings to "Always Notify", so that the user is alerted whenever UAC elevation is requested.
- Restrict users from writing files to the search paths for applications.
- Continuously monitor file system permissions using auditing tools.
- Use fully qualified paths in all the Windows applications.
- Ensure that all executables are placed in write-protected directories.
- On Mac operating systems, prevent plist files from being altered by users by making them read-only.
- Block unwanted system utilities or software that may be used to schedule tasks.
- Patch and update the web servers regularly.
- Disable the default local administrator account.
I hope you found useful information here. If you think anything in this article can be improved, you can comment below, or if you need any help we will help you soon. If you are interested in learning hacking you can check here.
Originally published at https://exploitbyte.com on April 10, 2020.