[BreachExchange] Privilege escalation explained: Why these flaws are so valuable to hackers

Destry Winant destry at riskbasedsecurity.com
Wed Jul 8 10:28:59 EDT 2020


https://www.csoonline.com/article/3564726/privilege-escalation-explained-why-these-flaws-are-so-valuable-to-hackers.html#tk.rss_news

Privilege escalation definition

Privilege escalation vulnerabilities are security issues that allow
users to gain more permissions and a higher level of access to systems
or applications than their administrators intended. These flaws are
valuable to attackers because full exploit chains need them, yet
defenders and developers often overlook them because, taken in
isolation, they receive lower severity scores than remote code
execution bugs.


In general, any violation of an intentional security boundary can be
considered a privilege escalation issue, including gaining kernel
access from a user application in an operating system, escaping a
virtual machine to access the underlying hypervisor, gaining domain
administrator access from a workstation, or gaining privileged roles
in public clouds by exploiting misconfigurations.

Why privilege escalation flaws are dangerous

In the security community, a lot of attention is put on
vulnerabilities that can result in arbitrary code execution,
especially those that can be exploited remotely -- remote code
execution (RCE). These flaws tend to have the highest severity scores,
but part of the reason for this is historical, with defenders
traditionally focusing on preventing hackers from gaining access to
their systems in the first place.

While this continues to be important, in the modern threat landscape
attackers gain access to systems in many ways, not just by exploiting
RCE flaws. Phishing emails with malicious attachments remain one of the
most common ways attackers break into networks, and abusing weak or
stolen credentials is another popular method.


Because the human element is hard to control through technical means,
the defensive mindset has shifted in recent years from pure prevention
to detection and containment. Prevention is still important, but
security planning is now built on the premise that attackers will gain
a foothold on some system one way or another, so limiting the impact
of unauthorized access is seen as just as vital to enterprise security
as preventing it.

Operating system and application developers have made great strides to
both prevent the exploitation of certain types of memory corruption
flaws and contain the damage if it happens. This is why there's been
so much talk over the past decade about least-privilege principles,
zero-trust network architectures, application sandboxing, kernel
memory space isolation, virtualization and containerization, splitting
up monolithic applications into microservices and other such
techniques.

It's rare these days to find an RCE vulnerability in an application
that, just by itself, could lead to a complete compromise of the
underlying system. Modern attacks require exploit chains that combine
different vulnerabilities — for example, a memory safety bug to
achieve arbitrary code execution, an information leak to bypass memory
randomization defenses like ASLR, and a privilege escalation issue to
gain full system access. Privilege escalation flaws are therefore
critical to attacking modern applications and operating systems and
hackers are willing to pay a lot of money for them.

Exploit acquisition platform Zerodium is offering $10,000 for an
antivirus local privilege escalation, $80,000 for a privilege
escalation in Windows and $200,000 for a VMware virtual machine
escape. More importantly, many of the application-specific exploit
chains the company buys, such as those targeting browsers and mobile
operating systems where processes are sandboxed, always require a
remote code execution combined with a privilege escalation. A Chrome
RCE + LPE chain costs up to $500,000 and a WhatsApp RCE+LPE chain
costs $1.5 million.

How common are privilege escalation vulnerabilities?

The attack surface for privilege escalation vulnerabilities is large
when it comes to operating systems. There are many OS services,
drivers and other technologies that run with system privileges and
expose functionality to userspace applications through APIs. If access
to those capabilities is not properly controlled and restricted,
attackers can leverage them to perform privileged tasks.

Researchers from security firm CyberArk recently found a privilege
escalation vulnerability in Windows Group Policy, the primary
mechanism for centrally managing the settings of Windows computers and
users in Active Directory environments. The flaw affected all Windows
versions starting with Windows Server 2008 (which was released 12
years ago) and was the result of an improper access check in the
policy update routine. Previously, the company found over 60 privilege
escalation flaws across products from major vendors as part of a
year-long research project.

Many privilege escalation issues are logic or design flaws rather than
coding errors. Code-level vulnerabilities can be reduced by adopting
secure programming practices, but logic flaws come from failing to
consider the security implications of legitimate features, and that is
much harder to correct: it requires a shift-left mentality, bringing
security into the design stage of development.

According to the latest report on the state of vulnerabilities
released by the European Union Agency for Cybersecurity (ENISA),
weaknesses related to permissions, privileges and access controls were
the sixth most common source of vulnerabilities and the fourth in
terms of severity score. In terms of popularity of attacker techniques
based on MITRE's ATT&CK framework, privilege escalation was the third
most common one after persistence and defense evasion.

Microsoft's monthly security bulletins frequently include patches for
privilege escalation flaws found in services and system drivers, but
third-party drivers created by hardware component manufacturers are
plagued by similar issues.

Last year, researchers from security firm Eclypsium found
vulnerabilities and design flaws in 40 Windows drivers from over 20
different hardware vendors. More recently, the researchers disclosed a
vulnerability in a driver commonly used in ATMs and point-of-sale
devices from financial device manufacturer Diebold Nixdorf,
highlighting the risk of such flaws to embedded devices that have a
long shelf life and are hard to update. The Linux kernel and other
Linux utilities have been plagued by high severity privilege
escalation vulnerabilities over the years, too, so this is not just a
Windows ecosystem problem.

"Most of the time they're architectural vulnerabilities and not
implementation ones," Jesse Michael, principal researcher at Eclypsium
tells CSO. "But because developers didn't understand how the
architecture itself or the design can be misused, they built something
that's fundamentally insecure. The resulting code doesn't technically
have a vulnerability and just does what they intended it to do, but it
does it for everybody, not just their specific application."

Another large attack surface for privilege escalation is DLL hijacking
or DLL preloading. This refers to applications attempting to load
dynamic link libraries (DLLs) without specifying a fully qualified
path. In those cases, Windows automatically searches for those DLLs in
various predefined locations in a particular order, so if attackers
manage to place a malicious DLL with the correct name in a location
that's earlier in the search path than the legitimate DLL, the
applications will load the malicious one instead. If those
applications, or services, happen to run with elevated privileges, the
malicious code will inherit their permissions.

In many cases the loading of DLLs is conditional, for example "search
for this DLL and load it if it exists to extend the application's
functionality," which is common for application plug-ins and external
modules. In many cases, the searched-for DLLs might not exist by
default and attackers can place a malicious one anywhere in the search
path where they have access. Microsoft provides guidance for
developers on how to avoid some of these pitfalls, but DLL hijacking
attacks remain prevalent.
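The two paragraphs above describe the hijack condition in words; the following is an added example (not code from the article, CyberArk or Microsoft) that turns it into a triage check. It models the default Windows search order with SafeDllSearchMode enabled and, for every library a privileged process was seen loading by bare file name, lists the directories a low-privileged user can write to that the loader consults before the directory holding the legitimate copy. A library the loader never found anywhere (the conditional "load it if it exists" case) is hijackable from every writable directory in the order. The directory layout, writable locations and load observations are constructed, not real Process Monitor captures, and the KnownDLLs list is deliberately partial.

```python
"""DLL search-order hijack triage (added example; constructed inputs)."""
from dataclasses import dataclass
from typing import Optional

SYSTEM32 = r"C:\Windows\System32"

# Partial list of KnownDLLs. The loader maps these from System32 without
# walking the search path, so a same-named file elsewhere is ignored.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
    "advapi32.dll", "gdi32.dll", "ole32.dll", "combase.dll",
    "shell32.dll", "rpcrt4.dll", "sechost.dll",
}


def search_order(app_dir: str, cwd: str, path_entries: list[str]) -> list[str]:
    """Default order with SafeDllSearchMode on: application directory, the
    three system directories, the current directory, then PATH in order."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_entries]


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


@dataclass
class Observation:
    dll: str                  # name exactly as passed to LoadLibrary
    found_in: Optional[str]   # directory the loader resolved it from; None = never found


def hijack_candidates(obs: Observation, order: list[str], writable: list[str]) -> list[str]:
    """Writable directories searched before the legitimate DLL (or all of
    them, when the DLL does not exist). Empty list means not hijackable."""
    if "\\" in obs.dll or "/" in obs.dll:
        return []             # fully qualified path: the loader does not search
    if obs.dll.lower() in KNOWN_DLLS:
        return []
    writable_n = {_norm(w) for w in writable}
    found = _norm(obs.found_in) if obs.found_in else None
    hits: list[str] = []
    for directory in order:
        if found is not None and _norm(directory) == found:
            break             # everything after this point is searched too late
        if _norm(directory) in writable_n and directory not in hits:
            hits.append(directory)
    return hits


def triage(observations, order, writable) -> dict[str, list[str]]:
    """Map each hijackable DLL name to the directories an attacker can use."""
    result = {}
    for obs in observations:
        hits = hijack_candidates(obs, order, writable)
        if hits:
            result[obs.dll] = hits
    return result


# Constructed scenario: a service running as SYSTEM from a properly ACL'd
# install directory; a developer tool install left a world-writable
# directory on the machine-wide PATH.
DEMO_ORDER = search_order(
    app_dir=r"C:\Program Files\Acme",
    cwd=SYSTEM32,
    path_entries=[SYSTEM32, r"C:\DevTools\bin", r"C:\Program Files\Acme\lib"],
)
DEMO_WRITABLE = [r"C:\DevTools\bin", r"C:\Users\lowpriv"]
DEMO_OBSERVATIONS = [
    Observation("version.dll", SYSTEM32),                   # resolved in System32: safe
    Observation("kernel32.dll", SYSTEM32),                  # KnownDLL: safe
    Observation(r"C:\Program Files\Acme\helper.dll", r"C:\Program Files\Acme"),  # qualified: safe
    Observation("libcrypto.dll", r"C:\Program Files\Acme\lib"),  # shadowable from earlier PATH entry
    Observation("acmeplugin.dll", None),                    # optional plug-in, never found
]


def demo() -> dict[str, list[str]]:
    return triage(DEMO_OBSERVATIONS, DEMO_ORDER, DEMO_WRITABLE)


if __name__ == "__main__":
    for dll, dirs in demo().items():
        print(f"{dll}: plant a copy in {dirs}")
```

In the constructed scenario two loads are flagged: libcrypto.dll, which the vendor shipped in a PATH directory that sits after the writable one, and acmeplugin.dll, which does not exist at all. The real-world input for this check is a Process Monitor filter on "NAME NOT FOUND" results for paths ending in .dll from processes running as SYSTEM. On the developer side the guidance the article refers to is to load by fully qualified path, or to use LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 or SetDefaultDllDirectories so the current directory and PATH are never consulted.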

"There are thousands of them that we see every day," Shay Nahari, head
of Red Team Services at CyberArk, tells CSO. "Microsoft does provide a
solution, but it's very hard to specify the location every time you
load a library. Even if you do it the right way, there are still
things beyond your control. It's just the fundamental way in which
Windows programs operate, so DLL hijacking is definitely still valid
and it's probably the biggest source of privilege escalation in
Windows that we see today."

Types of privilege escalation

Like arbitrary code execution, privilege escalation issues can be
local or remote, depending on the type of access available to the
attacker. However, they can occur at the application level, where an
attacker gains administrative access to an application from a
lower-privileged user; at the OS level, when the attacker gains kernel
or system-level access from a restricted user account; at the domain
level, when the attacker manages to gain domain administrator in a
Windows Active Directory network; and even across network boundaries,
from a local network to the cloud.

OS-level privilege escalation often receives the biggest attention,
but access control issues that allow attackers to move laterally
through networks and gain domain access are also often exploited in
attacks. Similarly, cloud infrastructure misconfigurations where
applications or virtualized servers run with more privileges than they
require are common. "At the domain level the biggest privilege
escalation vector that we have seen and exploited to gain domain admin
within hours almost every single time is service accounts," Nahari
says.

In an Active Directory domain, any authenticated user can request a
Kerberos service ticket for any service principal name (SPN) registered
in the domain, whether or not they are authorized to use that service;
authorization is only checked by the service itself. Part of the ticket
is encrypted with a key derived from the password of the account the
SPN belongs to, so the requester cannot use it directly. It can,
however, be taken offline and candidate passwords tried against it
(Kerberoasting) without any further contact with the domain controller,
so no lockout policy applies. Tickets issued with RC4-HMAC are keyed
directly from the account's NT hash and crack far faster than AES
tickets, and user accounts with SPNs are the usual targets because
computer account passwords are long and random.

"When you look at big organizations, you're probably going to have
hundreds of such service accounts available and any user can request
service tickets for all those accounts and then try to crack them
offline," Nahari says. "I guarantee you will successfully be able to
crack at least one or two, which means you'll probably gain domain
admin in a matter of minutes. This is not a new attack, but it's
extremely efficient and very common in almost any organizations we're
testing today."
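The attack above leaves a footprint on the domain controller: Event ID 4769 ("A Kerberos service ticket was requested") records the requesting account, the target service name and the ticket encryption type. The following added example (not from the article or from CyberArk) implements the detection a defender would want, over a handful of constructed 4769 events that use the real field names but are not a live export: it ignores computer accounts and krbtgt, whose keys are not crackable in practice, and alerts when one account requests tickets for many distinct service accounts within a short window, rating RC4 requests as higher severity. Window and threshold values are assumptions to tune per environment.

```python
"""Kerberoasting indicator over constructed Windows 4769 events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC; 0x12 is AES256


def is_user_service_account(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; both have
    long random keys, so only user-account SPNs are worth cracking."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per requesting account whose distinct service-account
    targets within any `window` reach `threshold`. Successful requests only."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["Status"] != "0x0" or not is_user_service_account(ev["ServiceName"]):
            continue
        by_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"], ev["TicketEncryptionType"])
        )

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        best = None
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            services = {r[1] for r in in_window}
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {
                    "user": user,
                    "first_seen": start,
                    "services": sorted(services),
                    "rc4_requests": sum(1 for r in in_window if r[2] == RC4_HMAC),
                }
        if best:
            best["severity"] = "high" if best["rc4_requests"] else "medium"
            alerts.append(best)
    return alerts


def _ev(time, user, service, etype, status="0x0"):
    """Constructed 4769 EventData subset, keyed by the real field names."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


SAMPLE_EVENTS = [
    # ordinary activity: AES tickets to a file server, the KDC and one SQL service
    _ev("2020-07-08T09:00:01", "asmith@CORP.LOCAL", "FILESRV01$", "0x12"),
    _ev("2020-07-08T09:00:30", "asmith@CORP.LOCAL", "krbtgt", "0x12"),
    _ev("2020-07-08T09:05:10", "asmith@CORP.LOCAL", "svc_sql", "0x12"),
    # kerberoasting: one user sweeps six service accounts with RC4 in 90 seconds
    _ev("2020-07-08T10:15:00", "jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC),
    _ev("2020-07-08T10:15:12", "jdoe@CORP.LOCAL", "svc_backup", RC4_HMAC),
    _ev("2020-07-08T10:15:25", "jdoe@CORP.LOCAL", "svc_iis", RC4_HMAC),
    _ev("2020-07-08T10:15:40", "jdoe@CORP.LOCAL", "svc_sccm", RC4_HMAC),
    _ev("2020-07-08T10:15:55", "jdoe@CORP.LOCAL", "svc_sharepoint", RC4_HMAC),
    _ev("2020-07-08T10:16:30", "jdoe@CORP.LOCAL", "svc_exchange", RC4_HMAC),
    _ev("2020-07-08T10:16:31", "jdoe@CORP.LOCAL", "WKS042$", RC4_HMAC),            # computer account, ignored
    _ev("2020-07-08T10:16:45", "jdoe@CORP.LOCAL", "svc_exchange", RC4_HMAC, "0xe"),  # failed request, ignored
]


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{alert['severity'].upper()}: {alert['user']} requested {len(alert['services'])} "
              f"service-account tickets from {alert['first_seen']} ({alert['rc4_requests']} RC4)")
```

Counting distinct targets, rather than keying on RC4 alone, matters because accounts that lack AES keys are issued RC4 tickets legitimately, and tooling can request AES tickets when it wants to stay quiet. The events only exist if "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers. On the prevention side, the fixes that remove the target are long random passwords on every account that carries an SPN (or group managed service accounts, which rotate them automatically) and disabling RC4 for those accounts.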

At the cloud level, the most common cause of privilege escalation is
overly permissive identity and access management (IAM) roles. Any
process running on a cloud instance, regardless of provider, can query
the instance metadata service (typically at the link-local address
169.254.169.254) and, if an IAM role is attached to the instance,
retrieve temporary credentials for that role. According to Nahari,
this is by design, and eight out of ten times the role attached to a
server will be powerful and potentially even provide access to the
organization's entire cloud infrastructure. These issues are often the
result of automated provisioning where administrators took the easiest
approach, despite guidance from cloud providers on scoping IAM roles to
what the workload actually needs.

What this means in practice is that a simple web application
vulnerability that lets an attacker make requests from inside the
machine (server-side request forgery, SSRF) can become a full
compromise of the entire cloud environment because of improper use of
IAM roles, Nahari says. Requiring the newer metadata protocols blunts
this particular path: AWS IMDSv2 demands a session token obtained via a
PUT request and defaults to a response hop limit of 1, and GCP and
Azure require a custom request header, none of which a typical SSRF
primitive can supply. It does not help against code already running on
the box, so the scope of the role itself still bounds the damage.
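The following added example (not from the article or from CyberArk) checks for the two misconfigurations just described using the JSON shapes the AWS API returns: an instance's `MetadataOptions` block and an IAM policy document. It reports whether the legacy metadata protocol is still reachable, so a single GET from an SSRF or any local process returns role credentials, and whether the attached policy grants wildcard actions or a small set of actions known to allow a principal to mint a more powerful one. A weak configuration is placed beside the corrected one; both are constructed, including the account ID and bucket name.

```python
"""Instance metadata and IAM role checks (added example; constructed inputs)."""

# IAM actions that, when allowed on Resource "*", let a principal escalate
# (pass a more powerful role, create credentials, or attach policies).
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:createloginprofile",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:updateassumerolepolicy", "sts:assumerole",
}


def imds_findings(metadata_options: dict) -> list[str]:
    """Findings for an EC2 MetadataOptions block (describe-instances output)."""
    findings = []
    if metadata_options.get("HttpEndpoint", "enabled") == "disabled":
        return findings                      # no metadata service at all
    if metadata_options.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 reachable: HttpTokens is not 'required', "
                        "a plain GET to 169.254.169.254 returns role credentials")
    if metadata_options.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("HttpPutResponseHopLimit > 1: IMDSv2 token responses "
                        "can cross a container or NAT hop")
    return findings


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def iam_findings(policy: dict) -> list[str]:
    """Findings for an IAM policy document attached to the instance role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"Statement {i}: Allow with NotAction grants every action not listed")
            continue
        resources = [r.lower() for r in _as_list(stmt.get("Resource"))]
        for action in _as_list(stmt.get("Action")):
            a = action.lower()
            if a == "*":
                findings.append(f"Statement {i}: Action '*' (full administrative access)")
            elif a.endswith(":*"):
                findings.append(f"Statement {i}: service-wide wildcard '{action}'")
            elif a in ESCALATION_ACTIONS and "*" in resources:
                findings.append(f"Statement {i}: '{action}' on all resources enables privilege escalation")
    return findings


def audit(metadata_options: dict, policy: dict) -> list[str]:
    return imds_findings(metadata_options) + iam_findings(policy)


# Constructed configurations: the weak one as provisioning tools often leave
# it, the corrected one scoped to a single bucket and a single role.
WEAK_METADATA = {"State": "applied", "HttpTokens": "optional",
                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}
FIXED_METADATA = {"State": "applied", "HttpTokens": "required",
                  "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::acme-app-uploads/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/acme-worker"},
]}


if __name__ == "__main__":
    for label, meta, pol in (("weak", WEAK_METADATA, WEAK_POLICY),
                             ("fixed", FIXED_METADATA, FIXED_POLICY)):
        print(f"{label}: {audit(meta, pol) or ['no findings']}")
```

The metadata side of the fix is applied with `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1` on the instance, or the equivalent setting in the launch template. The role side is the one that actually bounds the blast radius: IMDSv2 stops the SSRF shortcut, but code already running on the box still receives the role's credentials, so a role with `s3:*` or an unscoped `iam:PassRole` is still a domain-wide compromise waiting for any local code execution.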

Privilege escalation issues can also be catalogued as vertical or
horizontal. Vertical privilege escalation is when the attacker manages
to gain more privileges than those of the account they already have
access to, like gaining access to a more privileged account such as an
administrator. Horizontal privilege escalation is when the attacker
manages to gain access to the resources of a different user that has
the same privileges as their own account, but whose resources are
supposed to be protected from other users.

How to defend against privilege escalation

When it comes to OS-level privilege escalation vulnerabilities, it's
vital to install security patches as soon as possible, not only for
the OS, but for all third-party applications used on the system.

Application whitelisting technologies can be used to restrict which
programs may run on a system, enabling organizations to reduce a
machine's attack surface. Making sure that unneeded services are
turned off and that unused hardware components and drivers are
disabled is also very important.

According to Nahari, organizations should focus their monitoring on
privileged access because their security model should assume that code
is already running without authorization on at least one machine in
their networks, regardless of how that might have happened. "It's hard
to monitor every time a user runs something on any device, but it's
relatively easier to monitor what is using privileged access in your
domain," he says. "So, I think this is a good opportunity for
organizations to kind of narrow down their detection and prevention."

