The Definitive Guide to Privilege Escalation

A design error, a misconfiguration, or a bug: flaws like these are common and inevitable, and they can be easily corrected. But what about the time before they are corrected? Until then, these flaws give attackers a loophole to gain access and assume a role from which they can reach secure data. This technique is called privilege escalation, and this guide explains how it works and how you can prevent it.

Understanding Privilege Escalation

One can define privilege escalation as “a technique to impersonate the role of a user in an organization and exploit this privilege to gain unauthorized access to secure data or hijack the network of systems in the organization.” It is the first step in any type of hacking method and is not usually achieved on the first try. A few more attempts lead the attackers to the access level they want.

There are two types of privilege escalation:

  • Horizontal privilege escalation
  • Vertical privilege escalation

Horizontal Privilege Escalation

In this method, the attacker, after obtaining a role, assumes the role of a user who has similar privileges but a higher level of access. This is difficult for the attacker to pull off because they have to both gain access and elevate their permissions.

Vertical Privilege Escalation

This method is also known as privilege elevation. Here, the attacker starts with the lower-level role they are granted at first. They then gradually grant themselves higher privileges, typically those of a system administrator.

Privilege escalation attacks are not usually performed to attack a system. They are also used during penetration testing. So, it is always a good precaution to check for other malicious activity on the system whenever a privilege escalation attack is identified.

Privilege Escalation Techniques in Windows

Privilege escalation attacks differ from one operating system to another. Here are some of the attack techniques employed on Windows.

Access Token Manipulation

Windows assigns an access token to each process to identify the owner of that process. When a process is run, the system checks the owner and verifies that they have permission to run it. In this technique, the attacker makes the system believe that the person running the process is another user who does have permission to run it.

So how does one manipulate these tokens? Below are a few of the techniques to implement this:

  • Duplicating a token
  • Creating a new process with the stolen token

Bypassing User Account Control

Windows has a mechanism to distinguish between admin and non-admin users, called User Account Control (UAC). Generally, when a user logs into a system, they have the privileges of a non-admin user. But if the UAC security level is not set high enough, an attacker can escalate their privileges and attack the system.

DLL Misuse

DLL files are commonly found files that help in the execution of a program. If a harmful DLL is supplied in place of the original file, the system can mistake it for the original and execute it. The techniques by which a DLL file can be misused are:

  • Replacing or modifying the existing DLL file
  • DLL search order hijacking: the malicious file is placed so that it is found before the original file
  • Using the original file to cover for the malicious file

Privilege Escalation Techniques in Linux

Two methods are commonly used to escalate privileges on Linux:

Exploiting the Kernel

The Linux kernel may contain vulnerabilities at certain times. These vulnerabilities can be used to gain access to the root account, and exploit code is then used to attack the system.

Exploiting sudo Rights

The sudo command allows a user to execute programs as another account. This can be exploited to gain access to the system with root privileges.
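
One way to review sudo rights before they are abused, as an added example that is not part of the original article: a small parser that flags sudoers rules broader than least privilege. The sample policy and its account names are constructed; the parser assumes tags appear only at the start of a rule and does not expand aliases.

```python
import re

# Constructed sample policy for illustration; not taken from a real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(ALL) NOPASSWD: ALL
ci      ALL=(root) /opt/ci/run.sh, \\
        /usr/bin/rsync *
"""

# user host = (runas) [TAG:]... command[, command]
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_sudoers(text):
    """Return (principal, command, reasons) for rules that need review."""
    findings = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or line.startswith(NOT_RULES):
            continue
        match = RULE.match(line)
        if not match or match.group(1) == "root":
            continue  # not a user rule, or root (already fully privileged)
        who, _host, _runas, spec = match.groups()
        tags, commands = TAGS.match(spec).groups()
        for cmd in (c.strip() for c in commands.split(",")):
            reasons = []
            if cmd == "ALL":
                reasons.append("any command allowed")
            elif not cmd.startswith("/"):
                reasons.append("command is not an absolute path")
            if any(ch in cmd for ch in "*?["):
                reasons.append("wildcard in command or arguments")
            if "NOPASSWD:" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append((who, cmd, reasons))
    return findings


if __name__ == "__main__":
    for who, cmd, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {', '.join(reasons)}")
```

A narrowly scoped NOPASSWD rule is still reported so that a reviewer can confirm it is intentional.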

How to Protect our System from Privilege Escalation Attacks

Once we detect a privilege escalation attack on our system, we should isolate it and gradually work through the aspects that are affected. If a system is compromised, the account can be disabled and the password changed. But it is always best practice to take the necessary precautions to safeguard our system before an attack occurs. Here are a few steps through which we can mitigate such attacks.

  • Install security patches for both the OS and third-party applications and update software regularly.
  • Keep a check on remote code that is executed on the system.
  • Disable unused hardware components, drivers, and services, because it is human nature to neglect these.
  • Change passwords regularly and ensure that only strong passwords are used.
  • Use vulnerability scanners to check the system for any vulnerabilities. Even if a scanner cannot find all of them, it can help to a certain extent.
  • While creating users, restrict their privileges to what is strictly needed. Similarly, all files should be given access rights based on what is needed.
  • Continuously scan programs for any errors or bugs.
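
The advice on file access rights and continuous checking can be partly automated. The following added example, not part of the original article, walks a directory tree and reports setuid-root files, setgid executables and world-writable entries; the scanned path `/usr/local` is an assumption.

```python
import os
import stat


def classify_mode(mode, owner_uid):
    """Return least-privilege findings for one file's st_mode and owner."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and owner_uid == 0:
        findings.append("setuid-root")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.append("setgid executable")
    if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
        # A sticky world-writable directory (like /tmp) is the expected case.
        if not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            findings.append("world-writable")
    return findings


def audit_tree(root):
    """Walk root without following symlinks; map path -> findings."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            found = classify_mode(st.st_mode, st.st_uid)
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    # Assumed target directory; point this at the tree you want to review.
    for path, found in sorted(audit_tree("/usr/local").items()):
        print(path, ", ".join(found))
```

Comparing each run against a saved baseline shows which privileged or loosely protected files appeared since the last check.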

According to a report from the European Union Agency for Cybersecurity (ENISA), privilege escalation attacks rank fourth in terms of severity of the damage. Hopefully, this blog has given you a clear understanding of privilege escalation and how to prevent such attacks.