Which of the following is an example of privilege escalation?

System Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Privilege Escalation

Privilege escalation is using a vulnerability to gain privileges other than what was originally intended for the user. There are two main types of privilege escalation: horizontal and vertical. You need to understand these types of privilege escalation and how to protect against privilege escalation in general.

Horizontal Privilege Escalation

Horizontal privilege escalation is when a user gains the access rights of another user who has the same access level as he or she does. That might sound a little weird. You might wonder why someone would want to gain the rights of someone at the same level as that person. Here’s an example. Let’s say Robin and Liz both have accounts with the same financial institution. They have the same account types and account profiles. Robin may attempt to gain access to what Liz has access to, meaning Liz’s account. So, although they both have the same access levels, Robin can benefit from having access to Liz’s account. Robin can then transfer or withdraw money out of Liz’s account.

Vertical Privilege Escalation

Generally, when someone attempts to hack into a system, it’s because they want to perform some action on the system. This could be damaging the system or stealing information. Oftentimes, this requires a privilege level the attacker does not possess. This is where vertical privilege escalation comes in. Vertical privilege escalation is when an attacker uses a flaw in the system to gain access above what was intended for him or her. This is what most people think of when they hear privilege escalation.

Protecting Against Privilege Escalation

There are many vulnerabilities that can lead to privilege escalation. Some of the most common are cross-site scripting, improper cookie handling, and weak passwords. Cross-site scripting and improper cookie handling can be protected against programmatically. Weak passwords require end-user education and the setting of password requirements. You can set requirements for password complexity and password age limits. There are two other widely used methods of preventing privilege escalation. They are the principle of least privilege and the separation of privileges.

When you are dealing with software, the principle of least privilege suggests that software modules or processes only have rights to perform the actions intended to be done by that module or process. The module should not have access to any other parts of the application, operating system, or file system. This way, if there is a vulnerability in that process and it is compromised, the attacker will only have access to a very limited area of the system.

Separation of privileges goes hand in hand with the principle of least privilege. Separation of privileges is dividing a program or process into smaller parts. Each of these parts has specific duties to perform.

Tools & Traps

Service Accounts

You have to be very careful with service accounts. Remember, when you specify a particular account for a service, everything that service does runs in the context of that user. If that service were to be compromised, the attacker would basically have the rights of the account that was used to run the service. You also need to be especially careful with services that can be used to run other commands, for example, the scheduler service. Let’s say Ileana wants to execute a command that requires administrative privileges that she doesn’t have. If your scheduler service runs with a service account that has administrative privileges, Ileana can schedule the command prompt to run. When the scheduler starts the command prompt, it will be running with administrative privileges. Then, every command Ileana executes in the command prompt will run with administrative privileges.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495943000041

Active Directory – Escalation of Privilege

Rob Kraus, ... Naomi J. Alpern, in Seven Deadliest Microsoft Attacks, 2010

Scenario 3: Horizontal Escalation

Horizontal privilege escalation can allow an attacker to gain access to data that may not necessarily belong to him. In poorly designed applications, an attacker may have the capability of identifying flaws within a Web application that allow him access to other users' information. Once access is gained to another user's data or account by leveraging such flaws, he may modify, copy, destroy, or use the data for his needs.

In this scenario, the attacker works as a telemarketer for a training company that sells training to potential students who want to pass information technology (IT) certifications. The job is okay, but sometimes it feels like all our attacker does is make calls and cross his fingers hoping the call will result in a sale. Part of the job is to track all of the potential sales or “leads” in a custom Web application developed by corporate application developers. All telemarketers are required to keep track of their leads and the progress made toward a sale.

Our attacker is having a slow month and needs to make sure he is performing well so he can keep his job. He notices that if he changes the employee ID number displayed in the URL of the lead-tracking Web application, he can see and modify other telemarketers' leads. He decides to change the employee ID to one of the employees he works with (but is not too fond of) and views the status of several of the coworker's leads.

Since the attacker has successfully performed a horizontal escalation of privileges attack and can view and modify the coworker's leads, he decides to use this access to make his productivity numbers look better than they currently are. The attacker deletes a few of the coworker's leads and can now re-create the leads under the context of his own account. The attacker has now “skimmed” several of the accounts and improved his productivity numbers, keeping him well within range of another successful sales month.

Attacks such as the one described in this scenario are still relevant today and pose a significant security threat to organizations. Imagine if this type of scenario were played out against your online banking account. What dangers could you think of? What if another customer of your bank was able to access your account by using horizontal privilege escalation attacks?
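The lead-tracking flaw above, as an added example with a constructed application and data (not the book's code): leads_vulnerable() trusts the employee ID carried in the URL, while leads_hardened() takes the record owner from the server-side session, refuses a mismatch, and logs it, since repeated mismatches from one session are the detection signal for this kind of attack.

```python
"""Lead-tracking lookup, added example with a constructed app and data.
leads_vulnerable() trusts the employee ID in the URL query string (the flaw
described above); leads_hardened() takes the owner from the server-side
session, refuses a mismatch and records it for detection."""
from dataclasses import dataclass, field

# Constructed sample data: each telemarketer's leads, keyed by employee ID.
LEADS = {
    1001: ["Acme Corp: CISSP bootcamp", "Globex: CCNA"],
    1002: ["Initech: Security+", "Umbrella: CEH", "Hooli: CISM"],
}

# Collected by the hardened handler; in a real app this would go to the SIEM.
AUDIT_LOG: list[str] = []


@dataclass
class Request:
    session_employee_id: int                   # who authenticated (server-side session)
    query: dict = field(default_factory=dict)  # parsed URL query string, client-controlled


class Forbidden(Exception):
    pass


def leads_vulnerable(req: Request) -> list[str]:
    """Horizontal escalation: ?employee_id= is taken at face value, so any
    authenticated telemarketer can read a colleague's leads by editing the URL."""
    employee_id = int(req.query.get("employee_id", req.session_employee_id))
    return list(LEADS.get(employee_id, []))


def leads_hardened(req: Request) -> list[str]:
    """Fix: authorize against the session, not the URL. The client may still
    send employee_id, but it must equal the authenticated user's ID; a
    mismatch is refused and logged."""
    owner = req.session_employee_id
    requested = req.query.get("employee_id")
    if requested is not None and int(requested) != owner:
        AUDIT_LOG.append(f"IDOR attempt: session {owner} requested employee_id={requested}")
        raise Forbidden("you may only view your own leads")
    return list(LEADS.get(owner, []))


def delete_lead_hardened(req: Request, lead: str) -> bool:
    """Write path with the same rule: only the owner's own leads can be removed,
    so the 'delete a colleague's lead and re-create it' trick above fails."""
    owner = req.session_employee_id
    if lead in LEADS.get(owner, []):
        LEADS[owner].remove(lead)
        return True
    return False


if __name__ == "__main__":
    attacker = Request(session_employee_id=1001, query={"employee_id": "1002"})
    print("vulnerable:", leads_vulnerable(attacker))  # colleague's leads leak
    try:
        leads_hardened(attacker)
    except Forbidden as exc:
        print("hardened:", exc, "|", AUDIT_LOG[-1])
```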

URL: https://www.sciencedirect.com/science/article/pii/B9781597495516000029

Organization of #operations

M. Sprengers, J. van Haaster, in Cyber Guerilla, 2016

Escalate privileges

Depending on the goal, strategy, and chosen TTPs, the guerilla band can find themselves in the position where they have limited access rights on the device (server, laptop, etc.) after the first compromise. For example, if the hacker group successfully exploited a vulnerability in the web server software, they have the access rights of that software on the underlying operating system. If they have infected a regular employee (e.g., through spear phishing), they have the access rights of the employee on his workstation. As this is not always a sufficient form of access, the hacker group can perform so-called “vertical privilege escalation”: upgrading the access rights from the current user or process to a user or process with higher access rights on the compromised machine (such as an administrator). By doing so, the guerilla band can retrieve important system files (such as the file where the passwords of other users are stored), create backdoors more easily, and possibly log in to other systems and services (so-called “lateral movement,” which will be described later).

Common vertical privilege escalation paths are as follows:

Searching for passwords of higher privileged accounts that are stored in (configuration) files on the compromised machine.

Editing scripts or (service) executables that are launched with high privileges (e.g., at boot time).

Editing the source code of a web application that is running with high privileges.

Exploiting a common or zero-day vulnerability in the operating system or web application that is running with high privileges.

Misusing configuration errors, such as unquoted service paths in Windows.

It is important to understand that vertical privilege escalation is optional. As discussed earlier, the guerilla band should not perform privilege escalation if it does not serve a purpose or when it is just used to show off to others. For many TTPs it is sufficient to have a compromised machine that just provides network-level access to the target network, without requiring high privileges on that specific machine.
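A defender's audit for the last path in the list above (unquoted service paths) and for the service-account trap from the Rountree excerpt earlier on this page: it flags services whose unquoted image path contains spaces, reports which account each such service runs as, and lists named accounts whose privilege level cannot be read from the service definition alone. This is an added example, not the book's code; the service entries are constructed stand-ins for the ImagePath and ObjectName registry values.

```python
"""Audit Windows service definitions for two escalation paths: unquoted
image paths containing spaces, and services running under privileged or
unverified accounts. Added example with constructed registry-style values;
on a real host the fields are the ImagePath and ObjectName values under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    image_path: str  # ImagePath value, exactly as stored in the registry
    account: str     # ObjectName value: the account the service runs as


# Constructed sample data; the weak settings are deliberate.
SAMPLE_SERVICES = [
    Service("UpdaterSvc", r"C:\Program Files\Contoso Updater\updater.exe -svc", "LocalSystem"),
    Service("BackupAgent", r'"C:\Program Files\Backup Co\agent.exe" /run', r"CORP\svc_backup"),
    Service("Spooler", r"%SystemRoot%\System32\spoolsv.exe", "LocalSystem"),
    Service("HelpDesk", r"C:\Tools\Help Desk\hd.exe", r"NT AUTHORITY\LocalService"),
]

# Built-in accounts with well-known privilege levels.
HIGH_PRIV_BUILTINS = {"localsystem", "nt authority\\system"}
LOW_PRIV_BUILTINS = {"nt authority\\localservice", "nt authority\\networkservice"}


def executable_of(image_path: str) -> str:
    """Return the executable part of an ImagePath, without its arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)", p)
    return m.group(1) if m else p.split(" ", 1)[0]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """Unquoted path whose executable portion contains spaces: the service
    control manager resolves it ambiguously, so every space-delimited prefix
    is a location that must not be writable by ordinary users."""
    return not image_path.strip().startswith('"') and " " in executable_of(image_path)


def prefixes_to_check(image_path: str) -> list[str]:
    """Paths whose parent-directory ACLs a defender must verify for an
    unquoted path, e.g. C:\\Program.exe and C:\\Program Files\\Contoso.exe."""
    parts = executable_of(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def account_class(account: str) -> str:
    a = account.lower()
    if a in HIGH_PRIV_BUILTINS:
        return "high"
    if a in LOW_PRIV_BUILTINS:
        return "low"
    return "named"  # domain or local account: privilege unknown from the registry alone


def audit(services: list[Service]) -> list[tuple[str, str]]:
    """Return (service name, finding) pairs for the two checks."""
    findings = []
    for svc in services:
        cls = account_class(svc.account)
        if is_unquoted_with_spaces(svc.image_path):
            findings.append((svc.name, f"unquoted-path; runs as {svc.account} ({cls} privilege)"))
        if cls == "named":
            findings.append((svc.name, f"named-account {svc.account}: confirm it is not an administrator"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES):
        print(f"{name}: {finding}")
```

A finding of an unquoted path under a high-privilege account is the combination that matters most: whoever can write to one of the prefix locations inherits that account's rights when the service starts.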

URL: https://www.sciencedirect.com/science/article/pii/B9780128051979000036

Exploiting SQL Injection

Justin Clarke, in SQL Injection Attacks and Defense, 2009

Privilege Escalation on Unpatched Servers

Even though OPENROWSET is probably the most common privilege escalation vector on SQL Server, it is not the only one: if your target database server is not fully updated with the latest security patches, it might be vulnerable to one or more well-known attacks.

Sometimes network administrators do not have the resources to ensure that all the servers on their networks are constantly updated. Other times, they simply lack the awareness to do so. Yet other times, if the server is particularly critical and the security fix has not been carefully tested in an isolated environment, the update process could be kept on hold for days or even weeks, leaving the attacker with a window of opportunity. In these cases, a precise fingerprinting of the remote server is paramount in determining which flaws might be present and whether they can be safely exploited.

At the time of this writing, the latest vulnerability affecting SQL Server 2000 and 2005 (but not SQL Server 2008) is a heap overflow found by Bernhard Mueller in the sp_replwritetovarbin stored procedure. Disclosed in December 2008, it enables you to run arbitrary code with administrative privileges on the affected host; exploit code was made publicly available shortly after the vulnerability was published. Also at the time of this writing, no security fix had yet been released, and the only workaround is to remove the vulnerable stored procedure. You can exploit the vulnerability through SQL injection by injecting a malicious query that calls sp_replwritetovarbin, overflowing the memory space and executing the malicious shell code. However, a failed exploitation can cause a denial of service (DoS) condition, so be careful if you attempt this attack! More information about this vulnerability is available at www.securityfocus.com/bid/32710.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494243000049

Application Security

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Privilege escalation

Our last category of major database security issues is that of privilege escalation. In essence, privilege escalation is a category of attack in which we make use of any of a number of methods to increase the level of access above what we are authorized to have or have managed to gain on the system or application through attack. Generally speaking, privilege escalation is aimed at gaining administrative access to the software in order to carry out other attacks without needing to worry about not having the access required.

As we mentioned earlier in the chapter, SQL injection is a very common attack against databases that are accessible through a Web interface and is largely an issue of not filtering or validating inputs properly. SQL injection can be used to gain information from the database in an unauthorized manner, modify data contained in the database, and perform many other similar activities. SQL injection can also be used to gain or escalate privileges in the database.

One of the more common SQL injection examples is to send the string ' or '1'='1 as the input in a username field for an application. If the application has not filtered the input properly, this may cause it to automatically record that we have entered a legitimate username, which we have clearly not done, allowing us to potentially escalate the level of privilege to which we have access.
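The username lookup described above, as an added example against a constructed SQLite table (not the book's code): lookup_user_vulnerable() splices the input into the SQL text, so the string ' or '1'='1 turns the WHERE clause into one that matches every row and hands back the first user, the administrator; lookup_user_fixed() binds the same input as a parameter and finds nothing.

```python
"""Username lookup against an in-memory SQLite table, added example with a
constructed schema. lookup_user_vulnerable() concatenates the input into the
SQL text; lookup_user_fixed() passes it as a bound parameter."""
import sqlite3

# The injection string from the text, used here only as test input.
PAYLOAD = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed users table; the first row is the administrator."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("admin", "administrator"), ("alice", "user"), ("bob", "user")],
    )
    return con


def rendered_sql(username: str) -> str:
    """The query text the vulnerable handler actually sends to the database."""
    return f"SELECT username, role FROM users WHERE username = '{username}'"


def lookup_user_vulnerable(con: sqlite3.Connection, username: str):
    """String concatenation: a quote in the input ends the literal early and
    the rest is parsed as SQL. With PAYLOAD the filter becomes
    username = '' or '1'='1', which is true for every row, so the first user
    (the administrator) comes back and the application 'records' a
    legitimate, privileged username that was never entered."""
    return con.execute(rendered_sql(username)).fetchone()


def lookup_user_fixed(con: sqlite3.Connection, username: str):
    """Parameter binding: the driver passes the value separately from the SQL
    text, so quotes inside it are data, not syntax. PAYLOAD simply names a
    user that does not exist and the lookup returns None."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    con = make_db()
    print("sent to DB:", rendered_sql(PAYLOAD))
    print("vulnerable:", lookup_user_vulnerable(con, PAYLOAD))  # ('admin', 'administrator')
    print("fixed:     ", lookup_user_fixed(con, PAYLOAD))       # None
```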

URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000129

Privilege Escalation & Passwords

Jaron Bradley, in OS X Incident Response, 2016

Privilege Escalation

In this section we will run a quick breakdown of privilege escalation exploits and methodologies that have given attackers root access in the past. Unix permissions are set up to be very useful and incredibly powerful if handled appropriately. Most of the functionality built into the permissions assumes that you know what you’re doing. This has always been the way of Unix. When it comes to permissions on OS X, some users may be clueless. Escalation issues can arise when an untrained user begins to change permissions without knowing what they are doing. Issues can also arise when a user simply installs software without knowing what comes packaged with it. The more software you have running as root, the higher the chances are that an attacker may be able to exploit one of these packages.

URL: https://www.sciencedirect.com/science/article/pii/B978012804456800008X

Stairway to Successful Kernel Exploitation

Enrico Perla, Massimiliano Oldani, in A Guide to Kernel Exploitation, 2011

Raising Credentials

Raising credentials is the most common task that almost all local privilege escalation exploits perform. Credentials are kept in one or more structures contained in the process control block and they describe what a process is allowed to do. Storing credentials can be as simple as an integer value identifying the user, as in the traditional UNIX root/generic user model, or representing a whole set of privileges or security tokens, as is usually the case when a role-based access control system and the least privilege model are in place (tokens are the typical privilege model on Windows). Different operating systems use different authentication and authorization models, but most of the time the sequence that leads to a certain user being authorized or denied a set of operations can be summarized in the following steps:

1. The user authenticates itself on the system (e.g., through the classic login/password mechanism).

2. The system gives the user a set of security credentials.

3. The authorization subsystem uses these credentials to validate any further operation that the user performs.

After the user has correctly logged in (the authentication phase), the kernel dynamically builds the series of structures that holds information related to the security credentials assigned to the user. Every new process spawned by the user will inherit the aforementioned credentials, unless the user specifies differently (the operating system always provides a way to restrict the set of privileges at process creation time). Whenever a process wants to perform an operation, the kernel matches the specific request with the stored set of credentials and either executes the operation on top of the process or returns an error.

The goal of the shellcode is to modify those credentials so that an extended set of privileges is granted to your user/process. Since the credential structures are stored inside the process control block, it is usually quite easy to reach them from inside your shellcode. There are two main ways to identify the correct values to change:

You can use fixed/hardcoded offsets and perform very simple safety checks before using them. For example, if you need to dereference a pointer to reach a structure, you would just check that the address you are about to dereference is within the kernel-land address space.

You can use a heuristic approach. Credential structures have a precise layout in memory, and you know what credentials you were granted. Based on that, you perform a pattern match in memory to find the correct values to change. Relative offsets inside a structure may change, and using this heuristic approach you can figure out the correct place at runtime.

In general, a hybrid approach can be used against nearly all kernels, identifying the offsets that have been constant over the years and using more or less sophisticated heuristics to derive the other ones. A typical and effective heuristic is to look for specific signatures of structure members that you can predict. For example, a process-based reference counter would have an upper bound value with the number of processes (easy to check), or in a combined environment a kernel address will always have a value higher (or lower, depending on where the kernel is placed) than the split address.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494861000036

Embedded security

J. Rosenberg, in Rugged Embedded Systems, 2017

3.8 Code Injection Attacks

Code injection is a dangerous attack that exploits a bug caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution. The result of successful code injection is often disastrous (for instance: code injection is used by some computer worms to propagate).

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.

Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Code injection techniques are popular in system hacking or cracking to gain information, privilege escalation or unauthorized access to a system. Code injection can be used malevolently for many purposes, including:

Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from website defacement to serious compromise of sensitive data.

Install malware or execute malevolent code on a server, by injecting server scripting code (such as PHP or ASP).

Privilege escalation to root permissions by exploiting Shell Injection vulnerabilities in a setuid root binary on UNIX, or Local System by exploiting a service on Windows.

Attacking web users with HTML/Script injection (cross-site scripting).

To build embedded systems, or the large computer systems that control them, in such a way as to prevent code injection, the important thing is to detect and isolate managed and unmanaged code injections by:

Runtime image hash validation. Capture a hash of part or all of the executable image loaded into memory, and compare it with the stored, expected hash.

Enforce at the processor (hardware) level a rule that no data coming from outside the processor can ever be instructions to execute. On some processors such as x86, a bit such as the NX bit allows data to be stored in special memory sections that are marked as nonexecutable. The processor is made aware that no code exists in that part of memory, and refuses to execute anything found in there.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024591000117

Securing Cloud Computing Systems

Cem Gurkok, in Computer and Information Security Handbook (Third Edition), 2017

General Risks

Let's continue by looking at the following general risks:

Network failures

Privilege escalation

Social engineering

Loss or compromise of operational and security logs or audit trails

Backup loss

Unauthorized physical access and theft of equipment

Natural disasters

Network Failures

This risk is one of the highest risks since it directly affects service delivery. It exists due to network misconfiguration, system vulnerabilities, lack of resource isolation, and poor or untested business continuity (BC) and disaster recovery (DR) plans. Network traffic modification can also be a risk for a customer and cloud provider if provisioning isn't done properly or there are no traffic encryption or vulnerability assessments.

Privilege Escalation

Although there is a low probability of exploitation, privilege escalation can cause loss of customer data and loss of access control. A malicious entity can therefore take control of large portions of the cloud platform. The risk manifests itself due to authentication, authorization, and other access control vulnerabilities, hypervisor vulnerabilities (cloudbursting), and misconfiguration.

Social Engineering

This risk is one of the most disregarded since most technical staff focus on the nonhuman aspects of their platforms. The exploitation of this risk has caused loss of reputation for cloud service providers, such as Amazon and Apple, due to the publicity of the events. This risk can easily be minimized by security awareness training, proper user provisioning, resource isolation, data encryption, and proper physical security procedures.

Loss or Compromise of Operational and Security Logs or Audit Trails

Operational logs can be vulnerable due to lack of policy or poor procedures for logs collection. This would also include retention, access management vulnerabilities, user deprovisioning vulnerabilities, lack of forensic readiness, and OS vulnerabilities.

Backup Loss

This high impact risk affects company reputation, all backed up data, and service delivery. It also occurs due to inadequate physical security procedures, access management vulnerabilities, and user deprovisioning vulnerabilities.

Unauthorized Physical Access and Theft of Equipment

The probability of malicious actors gaining access to a physical location is very low, but in the event of such an occurrence, the impact to the cloud provider and its customers is very high. It can affect company reputation and data hosted on premises; the security risk it brings is due to inadequate physical security procedures.

Natural Disasters

This risk is often ignored but can have a high impact on the businesses involved in the event of its occurrence. If a business has a poor or untested continuity and DR plan or lacks one, their reputation, data, and service delivery can be severely compromised.

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000636

Securing Cloud Computing Systems

Cem Gurkok, in Network and System Security (Second Edition), 2014

General Risks

Let’s continue by looking at the following general risks:

Network failures

Privilege escalation

Social engineering

Loss or compromise of operational and security logs or audit trails

Backup loss

Unauthorized physical access and theft of equipment

Natural disasters

Network Failures

Network failure is one of the highest risks since it directly affects service delivery. It exists due to network misconfiguration, system vulnerabilities, lack of resource isolation, and poor or untested business continuity and disaster recovery plans. Network traffic modification can also be a risk for a customer and cloud provider if provisioning isn’t done properly or there is no traffic encryption or vulnerability assessment.

Privilege Escalation

Although this risk has a low probability of exploitation, it can cause loss of customer data and access control. A malicious entity can therefore take control of large portions of the cloud platform. The risk manifests itself owing to authentication, authorization, and other access control vulnerabilities, hypervisor vulnerabilities (cloud bursting), and misconfiguration.

Social Engineering

This risk is one of the most disregarded risks since most technical staff focus on the nonhuman aspects of their platforms. The exploitation of this risk has caused loss of reputation for cloud service providers, such as Amazon and Apple, due to the publicity of the events. This risk can be easily minimized by security awareness training, proper user provisioning, resource isolation, data encryption, and proper physical security procedures.

Loss or Compromise of Operational and Security Logs or Audit Trails

Operational logs can be vulnerable due to lack of policy or poor procedures for log collection. This would also include retention, access management vulnerabilities, user deprovisioning vulnerabilities, lack of forensic readiness, and operating system vulnerabilities.

Backup Loss

This high-impact risk affects company reputation, all backed up data, and service delivery. It also occurs owing to inadequate physical security procedures, access management vulnerabilities, and user deprovisioning vulnerabilities.

Unauthorized Physical Access and Theft of Equipment

The probability of malicious actors gaining access to a physical location is very low, but in the event of such an occurrence, the impact to the cloud provider and its customers is very high. It can affect company reputation and data hosted on premises; the risk is due to inadequate physical security procedures.

Natural Disasters

This risk is another ignored risk that can have a high impact on the businesses involved in the event of its occurrence. If a business has a poor or an untested business continuity and disaster recovery plan or lacks one, its reputation, data, and service delivery can be severely compromised.

URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000046

Which of the following is a privilege escalation?

Privilege escalation is a type of network attack used to gain unauthorized access to systems within a security perimeter. Attackers start by finding weak points in an organization's defenses and gaining access to a system.

Which of the following are examples of privilege escalation attacks?

Real-world examples of privilege escalation attacks:

Windows sticky keys

Windows Sysinternals

Process injection

Linux password user enumeration

Which of the following is an example of an elevation of privilege issue?

Vertical privilege escalation (aka elevation of privilege or EoP) — Here, a malicious user gains access to a lower-level account and uses it to gain higher-level privileges. For example, a hacker might compromise a user's internet banking account and then try to get access to site administrative functions.

What is privilege escalation quizlet?

Privilege escalation is required when you want to access system resources that you are not authorized to access. Privilege escalation takes place in two forms: vertical privilege escalation and horizontal privilege escalation.