Privilege escalation


Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Contents

Background

Most computer systems are designed for use with multiple users. Privileges mean what a user is permitted to do. Common privileges including viewing and editing files, or modifying system files.

Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in three forms:

  • Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for smartphone can be bypassed.)
  • Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
  • Privilege descalation, where a high privileged, but segregated user (e.g. user/security administrator, commonly seen in a SOx environment) is able to downgrade their access level to access normal user functions

Vertical privilege escalation

Privilege rings for the x86 available in protected mode

This type of privilege escalation occurs when the user or process is able to obtain a higher level of access than an administrator or system developer intended, possibly by performing kernel-level operations.

Examples of vertical privilege escalation

In some cases a high-privilege application assumes that it will only be provided with input that matches its interface specification, and doesn't validate the input. An attacker may then be able to exploit this assumption so that unauthorized code is run with the application's privileges:

  • Some Windows services are configured to run under the Local System user account. A vulnerability such as a buffer overflow may be used to execute arbitrary code with privilege elevated to Local System. Alternatively, a system service that is impersonating a lesser user can elevate that user's privileges if errors are not handled correctly while the user is being impersonated (e.g. if the user has introduced a malicious error handler)
  • Under some legacy versions of the Microsoft Windows operating system, the All Users screensaver runs under the Local System account - any account that can replace the current screensaver binary in the file system or Registry can therefore elevate privileges.
  • In certain versions of the Linux kernel it was possible to write a program that would set its current directory to /etc/cron.d, request that a core dump be performed in case it crashes and then have itself killed by another process. The core dump file would have been placed at the program's current directory, that is, /etc/cron.d, and cron would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under attacker’s control, the attacker would be able to execute any program with root privileges.
  • Cross Zone Scripting is a type of privilege escalation attack in which a website subverts the security model of web browsers so that it can run malicious code on client computers.
  • There are also situations where an application can use other high privilege services and has incorrect assumptions about how a client could manipulate its use of these services. An application that can execute Command line or shell commands could have a Shell Injection vulnerability if it uses unvalidated input as part of an executed command. An attacker would then be able to run system commands using the application's privileges.
  • Texas Instruments calculators (particularly the TI-85 and TI-82) were originally designed to use only interpreted programs written in dialects of TI-BASIC; however, after users discovered bugs that could be exploited to allow native Z-80 code to run on the calculator hardware, TI released programming data to support third-party development. (This did not carry on to the ARM-based TI-Nspire, for which jailbreaks have been found but are still actively fought against by Texas Instruments.)
  • Some versions of the iPhone allow an unauthorised user to access the phone while it is locked.[1]

Jailbreaking

A jailbreak is the act or tool used to perform the act of breaking out of a chroot or jail in UNIX-like operating systems or bypassing digital rights management (DRM). In the former case, it allows the user to see files outside of the filesystem that the administrator intends to make available to the application or user in question. In the context of DRM, this allows the user to run arbitrarily defined code on DRM-encumbered devices as well as break out of chroot-like restrictions. DRM-encumbered devices such as the Xbox, PSP, iPhone, iPod touch and iPad have repeatedly been subject to jailbreaks, allowing the execution of arbitrary code, but have had those jailbreaks disabled by vendor updates.

The iPhone in particular has been a fertile battle ground.[2][3] The iPod Touch/iPhone hacking community however, responds to the newest vendor updates by creating new ways to enable third party apps almost immediately. It was only in the wake of the popularity of the iPhone that the term jailbreaking became well known in popular culture worldwide.[citation needed]. Jailbreaking has expanded to support Cydia, a third-party "App store" to install ysem teaks and binaries. To prevent iOS jailbreaking, Apple has made the boot-rom to execute checks for SHSH blobs for not allowing Custom kernels to be uploaded to the system, and prevent software downgrade to earlier, jailbreakable firmwares. exploits permit execution of unsigned code in the device, and allow modifying the System to finally install Cydia. With an untethered jailbreak, The iBoot environment is changed to execute a boot-rom exploit and allow submission of a patched Low level boatloader or hack the kernel to submit the jailbroken kernel after the SHSH check.


A similar method of jailbreaking exists for S60 Platform smartphones, which involves installing softmod-style patches which involves patching certain ROM files while loaded in RAM[4][5] or edited firmware (similar to the M33 hacked firmware used for the PlayStation Portable)[6] to circumvent restrictions on unsigned code. Nokia has since issued updates to curb unauthorised jailbreaking, in a manner similar to Apple.

Complaint. Sony vs Hotz, et al.

In the case of gaming consoles, jailbreaking is often used to execute homebrew games. In 2011, Sony, with assistance from law firm Kilpatrick Stockton, sued 21 year old George Hotz and associates of the group fail0verflow for jailbreaking the Playstation 3.[7]

Charges filed included:[8]

Mitigation strategies

Operating systems and users can use the following strategies to reduce the risk of privilege escalation:

Horizontal privilege escalation

Horizontal privilege escalation occurs when an application allows the attacker to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with the same but different security context than intended by the application developer or system administrator; this is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users).

Examples of horizontal privilege escalation

This problem often occurs in web applications. Consider the following example:

  • User A has access to his/her bank account in an Internet Banking application.
  • User B has access to his/her bank account in the same Internet Banking application.
  • The vulnerability occurs when User A is able to access User B's bank account by performing some sort of malicious activity.

This malicious activity may be possible due to common web application weaknesses or vulnerabilities.

Potential web application vulnerabilities or situations that may lead to this condition include:

See also

References


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Escalation — is the phenomenon of something getting more intense step by step, for example a quarrel, or, notably, a war between states possessing weapons of mass destruction. Compare to escalator, a device that lifts something to a higher level. While the… …   Wikipedia

  • Privilege separation — In computer programming and computer security, privilege separation is a technique in which a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate… …   Wikipedia

  • Privilege revocation — is the act of an entity giving up some, or all of, the privileges they possess, or some authority taking those (privileged) rights away. Information theory Honoring the Principle of least privilege at a granularity provided by the base system… …   Wikipedia

  • Principle of least privilege — In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment… …   Wikipedia

  • Comparison of privilege authorization features — A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations …   Wikipedia

  • User Interface Privilege Isolation — (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat code injection exploits. By leveraging Mandatory Integrity Control, it prevents processes with a lower integrity level (IL) from sending messages to higher IL… …   Wikipedia

  • Shatter attack — In computing, a shatter attack is a programming technique employed by hackers on Microsoft Windows operating systems that can be used to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design… …   Wikipedia

  • Computer security compromised by hardware failure — is a branch of computer security applied to hardware. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible …   Wikipedia

  • Code injection — is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or inject ) code into a computer program to change the course of execution. The results of a code injection… …   Wikipedia

  • Systrace — Infobox Software name = Systrace caption = collapsible = author = Niels Provos developer = released = latest release version = 1.6e latest release date = release date|2007|12|18 latest preview version = latest preview date = frequently updated =… …   Wikipedia