Privilege escalation

From Wikipedia, the free encyclopedia

Privilege escalation is the act of exploiting a bug in an software application to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

Contents

[edit] Background

Privilege escalation occurs when an application with high privileges has flawed assumptions about how it will be used.

Privilege escalation occurs in two forms:

Vertical privilege escalation
where a lower privilege user accesses functions or content reserved for higher privilege users (e.g. Internet Banking User A accesses Administrator functions)
Horizontal privilege escalation
where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)

[edit] Privilege escalation examples

In some cases a high-privilege application assumes that it will only be provided with input that matches its interface specification, and doesn't validate the input. An attacker may then be able to exploit this assumption so that unauthorized code is run with the application's privileges:

  • Some Windows services are configured to run under the Local System user account. A vulnerability such as a buffer overflow may be used to execute arbitrary code with privilege elevated to Local System. Alternatively, a system service that is impersonating a lesser user can elevate that user's privileges if errors are not handled correctly while the user is being impersonated (e.g. if the user has introduced a malicious error handler)
  • Under certain versions of the Microsoft Windows operating system, the all users screen saver runs under the Local System account - any account that can replace the current screen saver binary in the file system or Registry can therefore elevate privileges.
  • In certain versions of Linux kernel it was possible to write a program that would set its current directory to /etc/cron.d, request that a core dump be performed in case it crashes and then have itself killed by another process. The core dump file would have been placed at the program’s current directory, that is, /etc/cron.d, and cron would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under attacker’s control, the attacker would be able to execute any program with root privileges. [1]
  • Cross Zone Scripting is a type of privilege escalation attack in which a website subverts the security model of web browsers so that it can run malicious code on client computers.

There are also situations where an application can use other high privilege services and has incorrect assumptions about how a client could manipulate its use of these services:

  • An application that can execute Command line or shell commands could have a Shell Injection vulnerability if it uses unvalidated input as part of an executed command. An attacker would then be able to run system commands using the application's privileges.

[edit] Horizontal privilege escalation

Horizontal privilege escalation occurs when an application allows the attacker to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with the same but different security context than intended by the application developer or system administrator; this is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users).

[edit] Examples of horizontal privilege escalation

This problem often occurs in web applications. Consider the following example:

  • User A has access to his/her bank account in an Internet Banking application.
  • User B has access to his/her bank account in the same Internet Banking application.
  • The vulnerability occurs when User A is able to access User B's bank account by performing some sort of malicious activity.

This malicious activity may be possible due to common web application weaknesses or vulnerabilities.

Potential web application vulnerabilities that may lead to this condition include:

[edit] Jailbreaking

A jailbreak is the act or tool used to perform the act of breaking out of a chroot or jail in UNIX-like operating systems or bypassing digital rights management (DRM). In the former case it allows the user to see files outside of the filesystem that the administrator intends to make available to the application or user in question. In the context of DRM, this allows the user to run arbitrarily defined code on DRM-encumbered devices as well as break out of chroot-like restrictions. DRM-encumbered devices such as the iPhone have repeatedly been subject to jailbreaks, allowing the execution of arbitrary code, but have had those jailbreaks disabled by vendor updates.[1][2] It was only in the wake of the popularity of the iPhone and iPod touch that the term jailbreaking became well known in popular culture worldwide.[citation needed]

[edit] See also

[edit] References

  1. ^ Apple's Disagreement With Orange, IPhone Hackers Forbes on the iPhone firmware v1.1.1
  2. ^ Reports: Next iPhone update will break third-party apps, bust unlocks ComputerWorld on v1.1.3