Privilege escalation vulnerabilities are used by criminal hackers to infiltrate systems and applications. We tell you what Privilege Escalation is, how it works and how common the techniques are. You will also learn how you can protect yourself and your company against privilege escalation attacks.
Privilege Escalation (German: extension of rights) describes the exploitation of a security vulnerability that grants the (supposed) user more rights than the administrator actually intended. These vulnerabilities are particularly valuable to criminal hackers – not only because they provide direct access to systems and applications, but also because they can be easily overlooked by developers and IT security specialists. In general, any violation of a deliberately established security policy could be described as an extension of rights.
Within the security community, the focus is primarily on those vulnerabilities that can be used to execute code – and especially those that enable remote code execution (REC). While these vulnerabilities remain important, cybercriminals have numerous ways to compromise systems within the modern threat landscape. Phishing e-mails are part of the common tools for penetrating corporate networks – the use of stolen access data is another popular method of criminal hackers to do this.
Because the human factor is difficult to control using technical means, the defense mindset has evolved from threat prevention to threat detection over the past few years. Prevention of attacks remains important, but strategic planning is now based on the assumption that cybercriminals are likely to gain access to the systems in some way. The ability to minimize the effects of unauthorized access is therefore now just as important in the corporate environment as preventing unauthorized access.
Operating system and application developers have gone to great lengths to prevent certain memory corruption gaps from being exploited. Hence the never-ending discussions about things like least privilege principles, zero trust architectures, application sandboxing, virtualization, containerization or microservices.
An RCE vulnerability that is sufficient to fully compromise the underlying system can only be found very rarely in today’s applications. This is also due to the fact that hacker attacks nowadays require “exploit chains” that combine different vulnerabilities. This is why privilege escalation attacks are essential to attack modern applications and systems – and cybercriminals are only too willing to invest a lot of money in these vulnerabilities.
In the case of operating systems, the target area for privilege escalation is relatively wide: many services, drivers and other technologies are equipped with extensive access rights, which, for example, allow applications to be compromised via APIs. If access to these options is not properly monitored or restricted, cybercriminals can use it for their purposes.
Researchers at security provider CyberArk recently found a privilege escalation vulnerability in the Windows Group Policy – a primary Windows control mechanism. The vulnerability affected all versions of Windows (as of Windows Server 2008) and was the result of an insufficient access check in the policy update routine. The same company had previously identified more than 60 other privilege escalation weaknesses in the products of well-known suppliers as part of a multi-year research project.
Many issues related to rights escalation are not bugs, but fall into the category of logic or design errors. Vulnerabilities in the code itself can be prevented by adopting secure development methods – logic errors, on the other hand, are due to a lack of awareness of security requirements and functionalities and are difficult to correct afterwards. A so-called “shift left mentality” is needed here: IT security must play a key role in the early phase of development.
According to the latest ENISA vulnerability report, security gaps related to access rights are the sixth most common vulnerability source. Microsoft’s monthly security bulletins also regularly come with patches that are intended to patch privilege escalation vulnerabilities in services and system drivers – and third-party drivers also suffer from a similar problem: security provider Eclypsium found corresponding security holes in 40 Windows drivers from 20 different hardware manufacturers. Just recently, the experts also discovered a driver vulnerability in the Diebold Nixdorf devices. The company’s hardware is primarily used in ATMs and POS systems. A fact that underlines how high the risk is in the case of embedded devices that have been used for many years but are difficult to update. Extending rights is anything but a Windows-exclusive problem: Both the Linux kernel and various Linux utilities have exposed serious privilege escalation vulnerabilities over the years.
Another target for privilege escalation is DLL hijacking or preloading. Applications try to load dynamic link libraries (DLLs) without specifying a full path. In such a case, Windows searches predefined locations in a specific order for the relevant DLLs. If an attacker can inject a defective DLL with the correct name in the right place, the application loads it. Microsoft is now offering comprehensive guidelines for developers to work around this problem, but DLL hijacking remains a common attack method used by cybercriminals.
A privilege escalation attack can take place on a local or remote level – depending on the type of access available to the attacker. The attacks can be on
In general, a lot of attention is paid to extending rights at the operating system level, but privilege escalation attacks also undermine access controls that allow attackers to move laterally through networks and gain domain access. Incorrect configurations of cloud infrastructure components, which result in applications or virtualized servers being granted higher privileges than necessary, are often exploited.
Within an Active Directory network, every user can make a request in the form of a service ticket for every resource within a domain – even if they do not have the necessary access rights. The tickets are linked to the password of the corresponding user account – so technically they cannot be used directly by unauthorized users. However, they can be cracked offline using brute force techniques – this also eliminates the risk that the account will be blocked if data is entered incorrectly again and again.
At the cloud level, the most common key to a successful privilege escalation attack is in insufficiently defined IAM roles. With automated assignment of cloud servers in particular, it can happen that the login data for the person who set up the cloud instance can be queried by unauthorized users. In practice, this means that, depending on the structure of the IAM rights, an attacker could possibly gain access to a company’s entire cloud infrastructure via a simple web application vulnerability.
Privilege escalation techniques can also be broken down as follows:
Vertical extension of rights: Here, an attacker sneaks into an existing account with higher user privileges than he is actuall
y entitled to.
Horizontal extension of rights: This is when an attacker gains the rights of another user from the same user group, whose resources are particularly protected, for example.
Privilege escalation at the operating system level can be prevented by conscientious patching. Not only the operating system itself, but also all third-party software running on the system should be kept up to date. Application whitelisting can be used to exclude certain applications from use – this is how companies reduce the attack surface. Switching off unused services, drivers or hardware components is also extremely important in this context.
The security provider CyberArk provides a whole range of open-source tools with which, for example, DLL hijacking, shadow admins or insecure Kubernetes rights assignments can be found. Various other tools on the market can also test cloud deployments for unsafe configuration.
Companies that have aligned their networks and cloud infrastructure in accordance with the least privilege principle should also regularly involve external security specialists to test their defense instruments against privilege escalation attacks as part of a penetration test. (fm)
This article is based on an article from our US sister publication CSO Online.