Escalating privileges
The following are the best countermeasures to defend against privilege escalation:
Restrict the interactive logon privileges Use encryption technique to protect sensitive data Run users and applications on the least privileges Reduce the amount of code that runs with particular privilege Implement multi-factor authentication and authorization Perform debugging using bounds checkers and stress tests Run services as unprivileged accounts Test operating system and application coding errors and bugs thoroughly Implement a privilege separation methodology to limit the scope of programming errors and bugs Patch and update the kernel regularly Change UAC settings to "Always Notify", so that it increases the visibility of the user when UAC elevation is requested Restrict users from writing files to the search paths for applications Continuously monitor file system permissions using auditing tools Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions Use fully qualified paths in all the Windows applications Ensure that all executables are placed in write-protected directories In MAC operating systems, prevent plist files from being altered by users making them read-only Block unwanted system utilities or software that may be used to schedule tasks Patch and update the web servers regularly Disable the default local administrator account.
Web Shell
A Web shell is a web-based script that allows access to a web server. Web shells can be created in all the operating systems like Windows, Linux, MacOS and OS X. Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under current user's privileges. Using a web shell an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating the privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.
Privilege Escalation by Exploiting Vulnerabilities
A vulnerability is an existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system. An attacker takes advantage of these vulnerabilities to perform various attacks on confidentiality, availability, or integrity of a system. The software designing flaws and programming errors lead to security vulnerabilities. Attackers exploit these software vulnerabilities such as programming flaws in a program, service or within the operating system software or kernel to execute malicious code. Exploiting software vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than the existing ones or bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials. Many public vulnerability repositories are available online that allow access to information about various software vulnerabilities. Attackers search for an exploit based on the OS and software application on exploit sites such as SecurityFocus (http://www.securityfocus.com), Exploit Database (https://www.exploit-db.com)and use that exploit to gain higher privileges.
Launch Daemon
At the time of MacOS and OS X booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctlto load plist into concerned directories. The weak configurations allow an attacker to alter the existing launch daemon's executable to maintain persistence or to escalate privileges.
Setuid and Setgid
In Linux and MacOS, if an application uses setuid or setgid then the application will execute with the privileges of the owning user or group respectively. Generally, the applications run under the current user's privileges. There are certain circumstances where the programs must be executed with elevated privileges but the user running the program does not need the elevated privileges. In this scenario, one can set the setuid or setgid flags for their applications. An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges.
Plist Modification
In MacOS and OS X plist (property list) files include all the necessary information that is needed to configure applications and services. These files describe when programs should execute, executable file path, program parameters, essential OS permissions, etc. The plist files are stored at specific locations like /Library/Preferences (which execute with high-level privileges) and ~/Library/Preferences (which execute with user privileges). Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user and further use them as a persistence mechanism and escalate privileges.
Access Token Manipulation
In Windows operating system, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token. The system verifies this access token when a process is accessing a secured object. Any Windows user can modify these access tokens so that the process seems to belong to some other user than the user who started this process. Then the process acquires the security context of the new token. For example, Windows Administrators have to log on as a normal user and need to run their tools with admin privileges using token manipulation command "runas". Attackers can take advantage of this to access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities by evading detection.
File System Permissions Weakness
Many processes in Windows operating system execute binaries automatically as part of their functionality or to perform certain actions. If the file system permissions of these binaries are not set properly then the target binary file may be replaced with a malicious file and it can be executed by the actual process. If the process that is executing this binary is having higher level permissions then the binary also executes under higher level permissions, which may include SYSTEM. Attackers can take advantage of this technique to replace original binaries with malicious binaries to escalate privileges. Attackers use this technique to manipulate Windows service binaries and self-extracting installers.
Meltdown Vulnerability
Meltdown vulnerability is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests to access an illegal memory location. He/she sends a second request to conditionally read a valid memory location. In this case, the processor using speculative execution will complete evaluating the result for both requests before checking the first request. When the processor checks that the first request is invalid, it rejects both the requests after checking privileges. Even though the processor rejects both the requests,. the result of both the requests remain in the cache memory. Now the attacker sends multiple valid requests to access out of bounds` memory locations. Attackers may use this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations such as kernel memory and physical memory. This leads to revealing of critical system information such as credentials, private keys, etc.
Privilege Escalation Using DLL Hijacking
Most Windows applications do not use the fully qualified path when loading an external DLL library; instead, they first search the directory from which they have been loaded. Taking this as an advantage, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real DLL. For example, if an application program ".exe" needs library.dll (usually in the Windows system directory) to install the application, and fails to specify the library.dll path, Windows will search for the DLL in the directory from which the application was launched. If an attacker has already placed the DLL in the same directory as program.exe, then that malicious DLL will load instead of the real DLL, which allows the attacker to gain remote access to the target system
Privilege Escalation Using Dylib Hijacking
OS X similar to windows is vulnerable to dynamic library attacks. OS X provides several legitimate methods such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.
Path Interception
Path Interception is a method of placing an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target. Attackers can take advantage of several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.).
Types of Privilege Escalation
Privilege escalation is required when you want to access system resources that you are not authorized to access. Privilege escalation takes place in two forms. They are vertical privilege escalation and horizontal privilege escalation. Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account. Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site using administrative functions.
Spectre Vulnerability
Spectre vulnerability is found in many modern processors such as Apple, AMD, ARM, Intel, Samsung and Qualcomm processors. This vulnerability leads to tricking a processor to exploit speculative execution to read restricted data. The modern processors implement speculative execution to predict the future to complete the execution faster. For example, if the chip identifies that a program includes multiple conditional statements, it will start executing and concluding all the possible outputs before the program does. Attackers may exploit this vulnerability in different ways: o The processor is forced to accomplish a speculative execution of a read before bounds checking is performed. As a result, an attacker can access and read out of bound memory locations. o When executing conditional statements, for faster processing the processors use branch prediction to pick a path to speculatively execute. Attackers may exploit this feature to force processor to take an improper speculative decision and further access data out of range. Attackers may use this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized. This vulnerability helps attackers to extract confidential information such as credentials stored in the browser, from that target process. In certain cases, using this vulnerability an attacker can even read the kernel memory or perform a web based attack using JavaScript.
Scheduled Task
The Windows operating system includes utilities such as 'at' and 'schtasks'. A user with administrator privileges can use these utilities in conjunction with the Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, he can also schedule a task from a remote system using RPC. An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
Application Shimming
The Windows operating systems uses Windows Application Compatibility Framework called Shim to provide compatibility between the older and newer versions of Windows. For example, Application shimming allows programs created for Windows XP compatible with Windows 10. Shims provide buffer between the program and the operating system. This buffer is referenced when a program is executed to verify whether the program requires access to the shim database. When a program needs to communicate with the operating system, the shim database uses API hooking to redirect the code. All the shims installed by default Windows installer (sbinst.exe) are stored at %WINDIR%\AppPatch\sysmain.sdb hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb Shims run in user mode and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress) etc. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, etc..