Privilege Escalation Attacks

Privilege escalation attacks progressively increase an attacker's access to a computer system by exploiting its security vulnerabilities. They are classified as horizontal or vertical privilege escalation attacks based on the attack's strategy and objective. Privilege escalation attacks may have broad targets, such as an entire system or network, or narrower ones, such as a particular user or application. A variety of specific privilege escalation attacks exist, each exploiting a different set of vulnerabilities and carrying its own technical requirements. The methods of preventing these attacks include both general and specific practices.

The success of privilege escalation attacks largely stems from the lack of focus on permissions that currently exist in many organizations. As a result, existing security controls are often insufficient to prevent these attacks, which usually begin by gaining access to an employee's account. The next step is for the attacker to grant that account privileges that it isn't supposed to have by bypassing proper authorization channels. These attacks' common goals include accessing sensitive data, disrupting business operations, and creating backdoors to provide the attacker with access later.

Selecting the best response to a privilege escalation attack is critical in minimizing its damage. This choice depends on factors such as the activities that the attacker performed through the user's account. Additional factors to consider include the systems the attacker could access and the attack's impact on business operations.

Types of Privilege Escalation Attacks

An initial attack on a computer system rarely obtains full access to that system. In most cases, a series of actions are needed to achieve the access required to accomplish the attack's intended goal. Horizontal and vertical attacks conduct this process in distinctly different ways.

Horizontal Privilege Escalation

Horizontal privilege escalation involves the attacker gaining access to a user account and then increasing the permissions on that account. This type of privilege escalation is typically more challenging, as it generally requires a deeper understanding of the system's vulnerabilities and heavier use of hacking tools like Metasploit. Attackers often use phishing campaigns to perform the first step of gaining access to an account.

Several options are available for elevating permissions in horizontal privilege escalation. Exploiting operating system (OS) vulnerabilities is one of the most popular ways of gaining root-level access in this type of attack.

Vertical Privilege Escalation

Vertical privilege escalation occurs when attackers gain direct access to an account that already has the privileges needed to accomplish their goal. This type of privilege escalation is easier to perform, since it requires no steps beyond obtaining that access. In this case, the attack focuses on identifying an account with the necessary privileges and obtaining access to it.

Attackers routinely use phishing emails to obtain direct access to a user's financial account, including accounts from banks and e-commerce sites like Amazon. The email usually claims that the user's account will be deleted for inactivity unless the user clicks on a link in the email and logs in to that account. This link leads to a webpage owned by the hacker that resembles the authentic website as much as possible. If the user logs in to this fake website, the attacker can then harvest the user's login information and take money from the real account.

Real-world Example of Privilege Escalation Attacks

The following list gives five examples of real-world privilege escalation attacks:

  • Windows sticky keys
  • Windows Sysinternals
  • Process injection
  • Linux password user enumeration
  • Android and Metasploit

Windows Sticky Keys

A sticky keys attack is one of the most common forms of privilege escalation on Windows systems. It's comparatively easy to perform, as it doesn't require a great deal of technical skill. This attack only requires attackers to have physical access to the system they're trying to attack and the ability to boot it from a repair disk. Once attackers have booted the system from such a disk, they simply need to change the file that the sticky keys function executes after the shift key is tapped five times in rapid succession.

This process requires the attacker to copy the file named sethc.exe, which is located in the %systemroot%\system32 directory. The next step is to copy the file named cmd.exe from the same directory over sethc.exe, so that the sticky keys function now launches a command shell with system-level access. The attacker tests this change by rebooting and rapidly tapping the shift key five times to confirm that a command prompt appears. From this point, the attacker can easily create a local administrator account and use it as a system backdoor.

Windows System Internals

Internal system commands provide another common source of privilege escalation in Windows. This technique assumes that the attacker already has a backdoor from a previous attack, such as the Windows sticky keys method. The attacker must also have access to local administrator rights and the psexec command. The attacker then logs into the backdoor account and executes "psexec.exe -s cmd" to escalate the permissions on that account to the system level.

Process Injection

Process injection is a form of privilege escalation that targets weak processes. Process Injector is a commonly used tool for this purpose, as it can identify all the processes currently active on the system and the account running each process. The attacker then selects an account with a high level of permissions and a process under that account, typically cmd.exe, to obtain the desired permissions. In Process Injector, the command needed to perform this action is "pinjector.exe -p <PID> cmd.exe <port>", where PID is the process ID of the process running under the account whose permissions the attacker wants to obtain, and port is the port for the process.

Linux Password User Enumeration

Attackers often use password user enumeration to perform privilege escalation on a Linux system. This basic attack identifies all user accounts on a Linux machine, which first requires the attacker to obtain shell access. Once that step is complete, the command "cat /etc/passwd | cut -d: -f1" displays a list of all the users on the machine. Misconfigured FTP servers are one of the most common vulnerabilities that Linux password user enumeration can exploit.
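The same file that gives an attacker the account list is what a defender should audit for the backdoor accounts this article mentions. The following Python script, added here as an example and not part of the original article, parses a constructed passwd(5) sample (the field layout is the real one) and flags accounts that share UID 0 with root or have an interactive shell with a home directory outside /home.

```python
"""Audit a passwd(5)-format file for accounts a defender should review.
The sample below is constructed for this example, not taken from a real host."""
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup helper:/tmp:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
"""

# Shells that do not grant an interactive login (assumed common set).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd lines into Account records; each line has exactly 7 colon-separated fields."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def list_users(text: str) -> list[str]:
    """Equivalent of `cut -d: -f1`: the usernames in file order."""
    return [a.name for a in parse_passwd(text)]


def audit(text: str) -> list[tuple[str, str]]:
    """Return (username, reason) findings for accounts worth a second look."""
    findings = []
    for a in parse_passwd(text):
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "shares uid 0 with root"))
        if a.shell not in NOLOGIN_SHELLS and a.name != "root" and not a.home.startswith("/home/"):
            findings.append((a.name, f"interactive shell {a.shell} with home {a.home}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

Run it against a real /etc/passwd with `audit(open("/etc/passwd").read())`; the /home prefix check is an assumption and should be adjusted to the host's layout.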

Android and Metasploit

Metasploit is a well-known hacking tool that includes a library of known exploits for many systems. This library contains privilege escalation attacks against rooted Android devices. Rooting the device creates an executable known as the superuser (SU) binary, which allows the attacker to run commands with root access. The attacker can then run commands like "show advanced" and "show options" as root.


Users are almost always the weakest link in a computer's security, as they can compromise the system with a single keystroke. Mitigating this risk requires organizations to implement security training, both at onboarding and on a recurring basis. It's also essential to validate the effectiveness of this training and modify it as needed. Many software tools are available to help users learn about privilege escalation attacks. For example, InteProIQ, GoPhish, KnowBe4, and Phishme help train users to identify phishing schemes.

A rigorous process for managing software is also an essential part of preventing attacks like privilege escalation, in particular installing security patches as soon as they're available. Additional measures include careful evaluation and monitoring of account modification requests, which can largely be automated with the right software tools. For example, an intrusion detection system (IDS) and intrusion prevention system (IPS) are particularly effective at defeating privilege escalation attempts. Regular code reviews are another method of ensuring that security remains part of software development, often as part of the overall vendor management process.
