Privilege escalation happens when a malicious user of an account or application gains access to the privileges of another user account in the target system. The attacker can then use the newly gained privileges to steal confidential data, run administrative commands or deploy malware – and potentially do serious damage to your operating system, server applications, organization, and reputation. In this blog post, we will look at typical privilege escalation scenarios and learn how you can protect user accounts in your systems and applications to maintain a good security posture.
How Does Privilege Escalation Work?
Attackers start by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account. They can then access the functionality and data of another user (horizontal privilege escalation) or obtain elevated privileges, typically of a system administrator or other power user (vertical privilege escalation). Such privilege escalation is generally just one of the steps performed in preparation for the main attack.
With horizontal privilege escalation, miscreants remain on the same general user privilege level but can access data or functionality of other accounts or processes that should be unavailable to the current account or process. For example, this may mean using a compromised office workstation to gain access to other office users’ data. For web applications, one example of horizontal privilege escalation might be getting access to another user’s profile on a social site or e-commerce platform, or their bank account on an e-banking site.
Potentially more dangerous is vertical privilege escalation (also called privilege elevation), where the attacker starts from a less privileged account and obtains the rights of a more powerful user – typically the administrator or system user on Microsoft Windows, or root on Unix and Linux systems. With these elevated privileges, the attacker can wreak all sorts of havoc in your computer systems and applications: steal access credentials and other sensitive information, download and execute malware, erase data, or execute arbitrary code. Worse still, skilled attackers can use elevated privileges to cover their tracks by deleting access logs and other evidence of their activity. This can potentially leave the victim unaware that an attack took place at all. That way, cybercriminals can covertly steal information or plant malware directly in company systems.
Why Privilege Escalation Is Important
While usually not the main aim of an attacker, privilege escalation is frequently used in preparation for a more specific attack, allowing intruders to deploy a malicious payload or execute malicious code in the targeted system. This means that whenever you detect or suspect privilege escalation, you also need to look for signs of other malicious activity. However, even without evidence of further attacks, any privilege escalation incident is an information security issue in itself, because someone could have gained unauthorized access to personal, confidential or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.
To make matters worse, it can be hard to tell routine activity from malicious activity when trying to detect privilege escalation incidents. This is especially true for rogue users, who can use their legitimate access to perform malicious actions that compromise security. However, if you can quickly detect successful or attempted privilege escalation, you have a good chance of stopping an attack before the intruders can establish a foothold to launch their main attack.
Privilege Escalation on Linux with Dirty COW
One common attack vector is to compromise a web server, which is often accessible from the public Internet. Once attackers have control of the web server, they can exploit known vulnerabilities or misconfigurations to obtain root privileges on the server’s host system. This may allow them to gain access to the file system and any other server processes running in the same system, or even gain a foothold in the local network to launch attacks against other systems. Crucially, web servers are used not just for hosting websites and web applications – many printers, routers, and Internet of Things (IoT) devices routinely run a web server to provide their administrative interface. Once compromised, such a device can be used to launch further attacks within the local network.
The majority of web servers in use today, including many embedded systems, are hosted on some flavor of Linux. Older versions of the Linux kernel (prior to 4.8.3, 4.7.9, or 4.4.26) were vulnerable to a local privilege escalation attack dubbed Dirty COW (Dirty Copy-On-Write), which allowed attackers to make read-only memory mappings writable. This is a local attack, so it must be combined with other techniques to get root access, but it is still extremely dangerous because the only guaranteed protection is to upgrade the Linux kernel – and that’s not always easy or possible, especially with embedded systems. But how exactly does it work?
To start with, the attacker needs to gain access to a regular, unprivileged user account, usually by exploiting a bug or misconfiguration. Once a user shell is available, it’s only a matter of downloading and executing one of many existing exploit scripts for Dirty COW – see this GitHub page for a list. The vulnerability can be exploited for privilege escalation in different ways, depending on the desired effect. One way is to modify the system password file /etc/passwd by replacing the root user with a newly created user, who will then have root privileges.
While Dirty COW was (and still is) possibly the most serious privilege escalation vulnerability ever discovered for Linux, it only affects older and unpatched systems. It also requires access to a local user shell and some way of downloading the exploit script, so you can mitigate its impact by following good security practices listed later in this article.
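To find hosts that still need the kernel upgrade, you can compare the running kernel release against the fixed versions listed above. The following is an added example, not code from the original article; the status labels are made up for illustration, and the check looks only at the upstream version number.

```python
import platform
import re

# Fixed upstream releases per stable branch, taken from the article text.
FIXED_PATCHLEVEL = {(4, 8): 3, (4, 7): 9, (4, 4): 26}


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_cow_status(release):
    """Classify a kernel release by upstream version number only."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch in FIXED_PATCHLEVEL:
        return "patched" if patch >= FIXED_PATCHLEVEL[branch] else "vulnerable"
    if branch > (4, 8):
        return "patched"  # newer branches were released after the fix
    # Older or unlisted branch: the article gives no fixed release for it, and
    # distribution kernels often backport fixes without changing this number.
    return "verify-backport"


if __name__ == "__main__":
    rel = platform.release()
    print(rel, "->", dirty_cow_status(rel))
```

Because vendors backport security fixes, treat a "vulnerable" or "verify-backport" result on a distribution kernel as a prompt to check the vendor's advisory for that exact package version.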
How to Detect Privilege Escalation on Windows
Microsoft Windows determines ownership of a running process using access tokens. While the access token mechanism itself can be subverted by attackers to manipulate access tokens and assume the process rights of another user, in Windows 10 and Windows Server 2016 you can set an audit event to detect any such changes. When you enable the Audit Token Right Adjusted event, the system will generate 4703 events for assignment and removal of user rights, changes in security token object permissions and other modifications that may signal privilege escalation attempts.
To enable this audit event, open the Group Policy Management Editor and under Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking set the Audit Token Right Adjusted event to Success and Failure. From now on, you will receive a 4703 event every time a token right is modified, resulting in a huge number of legitimate events from system processes. However, you can use your event monitoring software to narrow this down by searching only for 4703 events related to potentially suspicious changes. One common target for attackers is SeDebugPrivilege – a system privilege that grants a user total access to a process for debugging purposes. So if you’re not debugging and you detect a 4703 event for SeDebugPrivilege, you can be pretty certain that something is afoot.
For details of this audit event, see Audit Authorization Policy Change in the official Microsoft documentation. See Security Monitoring Recommendations for useful tips on managing the influx of 4703 events generated when you enable this audit event.
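The filtering step described above can be sketched as follows, assuming the 4703 events have been exported from the Security log as XML. This is an added example, not part of the original article; the sample events, user names, process paths and the allowlist parameter are constructed for illustration, and each event is reduced to the fields the filter uses.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4703</EventID></System><EventData>"
    '<Data Name="SubjectUserName">{user}</Data>'
    '<Data Name="ProcessName">{proc}</Data>'
    '<Data Name="EnabledPrivilegeList">{privs}</Data>'
    "</EventData></Event>"
)

# Constructed sample export: three 4703 events under one root element.
SAMPLE = "<Events>" + "".join(
    _TEMPLATE.format(user=u, proc=p, privs=v)
    for u, p, v in [
        ("SYSTEM", r"C:\Windows\System32\svchost.exe", "SeBackupPrivilege"),
        ("jdoe", r"C:\Users\jdoe\AppData\Local\Temp\tool.exe", "SeDebugPrivilege"),
        ("devuser", r"C:\Program Files\Debugger\dbg.exe",
         "SeDebugPrivilege\n\t\tSeBackupPrivilege"),
    ]
) + "</Events>"


def find_privilege_enables(xml_text, privilege="SeDebugPrivilege",
                           expected_processes=()):
    """Return (user, process) for 4703 events that enable `privilege`,
    skipping processes that are expected to use it (e.g. real debuggers)."""
    expected = {p.lower() for p in expected_processes}
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4703":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        # The privilege list is whitespace-separated, one name per entry.
        if privilege not in data.get("EnabledPrivilegeList", "").split():
            continue
        if data.get("ProcessName", "").lower() in expected:
            continue
        hits.append((data.get("SubjectUserName"), data.get("ProcessName")))
    return hits


if __name__ == "__main__":
    allow = [r"C:\Program Files\Debugger\dbg.exe"]  # hypothetical debugger path
    for user, proc in find_privilege_enables(SAMPLE, expected_processes=allow):
        print(f"SeDebugPrivilege enabled by {user} in {proc}")
```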
How to Protect Your Systems from Privilege Escalation
Attackers can use many privilege escalation techniques to achieve their goals. But to attempt privilege escalation in the first place, they usually need to gain access to a less privileged user account. This means that regular user accounts are your first line of defense, so use these simple tips to ensure strong access controls:
- Enforce password policies: This is the simplest way to improve security, but also the hardest to apply in practice. Passwords need to be strong enough to be secure, but without inconvenience to the users.
- Create specialized users and groups with minimum necessary privileges and file access: Apply the rule of minimum necessary permissions to mitigate the risk posed by any compromised user accounts. Remember that this applies not just to normal users, but also accounts with higher privileges. While it’s convenient to give administrators godlike administrative privileges for all system resources, it effectively provides attackers with a single point of access to the system or even the whole local network.
Applications provide the easiest entry point for any attack, so it’s vital to keep them secure:
- Avoid common programming errors in your applications: Follow best development practices to avoid common programming errors that are most often targeted by attackers, such as buffer overflows, code injection, and unvalidated user input.
- Secure your databases and sanitize user input: Database systems make especially attractive targets, as many modern web applications and frameworks store all their data in databases – including configuration settings, login credentials, and user data. With just one successful attack, for example by SQL injection, attackers can gain access to all this information, and use it for further attacks.
Not all privilege escalation attacks directly target user accounts – administrator privileges can also be obtained by exploiting application and operating system bugs and configuration flaws. With careful systems management, you can minimize your attack surface:
- Keep your systems and applications patched and updated: Many attacks exploit known bugs, so by keeping everything updated, you are severely limiting the attackers’ options.
- Ensure correct permissions for all files and directories: As with user accounts, follow the rule of minimum necessary permissions – if something doesn’t need to be writable, keep it read-only, even if it means a little more work for administrators.
- Close unnecessary ports and remove unused user accounts: Default system configurations often include unnecessary services running on open ports, and each one is a potential vulnerability. You should also remove or rename default and unused user accounts to avoid giving attackers (or rogue former staff) an easy start.
- Remove or tightly restrict all file transfer functionality: Attackers usually need a way to download their exploit scripts and other malicious code, so take a close look at all system tools and utilities that enable file transfers, such as FTP, TFTP, wget, curl and others. Remove the tools you don’t need, and lock down the ones that remain, restricting their use to specific directories, users, and applications.
- Change default credentials on all devices, including routers and printers: Though seemingly obvious, changing the default login credentials is a crucial step that is often overlooked, especially for less obvious systems, such as printers, routers, and IoT devices. No matter how well you secure your operating systems or applications, just one router with a default password of admin or one network printer with an open Telnet port might be enough to provide attackers with a foothold.
- Regularly scan your systems and applications for vulnerabilities: Use vulnerability scanners to check your systems and applications for vulnerabilities. Modern scanners are frequently updated, which is vital in today’s fast-paced threat environment. Even if your system or application was secure last month or even last week, new vulnerability reports and exploits are published every day, and your systems and information might well be in danger even as you read these words.