What is privilege escalation?
Privilege escalation means finding a way to access resources belonging to another user on a system. It is one of the primary methods that black-hat hackers use to expand their attacks and gain access to more resources and assets, making it a crucial concept in cybersecurity.
Privilege escalation is especially important for web application security because web vulnerabilities are usually the first vector of a complex cyberattack. Malicious hackers often start by exploiting a web vulnerability to gain basic access to certain resources and then continue with privilege escalation attacks to get more permissions and control.
As a result of privilege escalation, an attacker may be able to gain unauthorized access to sensitive data and perform many malicious activities such as installing malware (e.g. ransomware), introducing malicious code (e.g. a web shell), or even completely hijacking one or many computer systems.
Types of privilege escalation
There are two types of privilege escalation techniques: horizontal privilege escalation and vertical privilege escalation.
- The term horizontal privilege escalation applies to situations when an attacker operates as a specific user and gains access to resources belonging to another user with a similar level of access.
- Vertical privilege escalation is often referred to as privilege elevation. It applies to situations when an attacker obtains higher privileges, most often root privileges (administrative privileges). Privilege elevation is much more common than horizontal privilege escalation because it is more advantageous to the attacker.
Causes of privilege escalation
Privilege escalation may be possible for a number of reasons, including:
- Programming errors: This includes vulnerabilities in web applications but also vulnerabilities in other types of software, such as buffer overflows in server software.
- Misconfigurations: These are especially risky when the principle of least privilege is not followed, and regular users have too many privileges.
- Lack of security hygiene: This includes delayed patches and updates for the operating system and other software. For example, both Microsoft Windows and Linux/UNIX have been known to have code execution vulnerabilities that allowed attackers to gain administrator privileges.
- Weak access control: This category includes weak passwords, default passwords, and a lack of multi-factor authentication.
- Social engineering: Attackers may gain access to accounts by tricking users into revealing their credentials.
Example of privilege escalation
The following is an example of a complex attack that includes privilege escalation.
- An attacker discovers a cross-site scripting vulnerability in www.example.com.
- The attacker creates a targeted phishing email that includes an attack payload concealed in a link to a vulnerable page under www.example.com. The malicious email is sent to a sales representative of Example.com Inc.
- The sales rep clicks the link in the phishing email, unknowingly sending their access token (session cookie) to an attacker-controlled server.
- The attacker uses the hijacked access token to access the company’s sales web application as the sales rep.
- Upon logging into the sales web application as an authenticated user, the attacker is able to access more web pages and finds a remote code execution (RCE) vulnerability in the log4j library used on a page of the sales app that is accessible only after authentication.
- The attacker successfully exploits the RCE vulnerability, gaining access to the file system of the web application’s web server.
- The attacker runs a back-end script opening a reverse shell to their computer, bypassing the firewall restrictions imposed on the web server and effectively creating a backdoor.
- The attacker gains access to the Linux system of the web server and discovers that the Linux version is susceptible to a known kernel exploit to obtain local administrator rights.
- Having root privileges on the web server, the attacker gains full control of the example.com target system.
As you can see, the attacker started by gaining the privileges of a sales representative’s user account with very limited capabilities. However, by continuing with other attacks, the attacker was able to elevate privileges to a higher level, first getting access to a privileged account and eventually gaining complete control of the system.
How to detect privilege escalation?
Detecting privilege escalation while it happens is very difficult because the attacker often performs actions that are indistinguishable from those of a regular user. Intrusion prevention systems (IPS) may be helpful in interactive detection, but many privilege escalation attempts can only be traced back through detailed log analysis later.
In the case of sensitive systems, you could set up alerts for every logon to an administrative account or for every use of sudo or a similar command, but depending on how the system is used, you are likely to get a lot of false positives.
How to prevent privilege escalation?
Since privilege escalation is not a specific type of vulnerability but rather a typical chain of events resulting from several successful exploits, eliminating the underlying security weaknesses is the only effective way to prevent privilege escalation vulnerabilities. However, you must be aware that completely preventing privilege escalation is next to impossible in practice because it would require you to address every single weakness in the IT system.
To prevent privilege escalation:
- Regularly check your systems for web application vulnerabilities. Since web applications are often the first point of entry, regular testing using DAST and SCA software such as Invicti or Acunetix by Invicti reduces the risk that an attacker would be able to begin the attack in the first place.
- Regularly check your systems for network vulnerabilities. While web applications are often the first point of entry, network vulnerabilities are often used as a follow-up. Note that network vulnerabilities are all vulnerabilities in software with networking capabilities, including the web server and the operating system.
- Eliminate all vulnerabilities that are found. Regular scanning and penetration testing are useless if known web vulnerabilities and network vulnerabilities linger in your systems for months. Apply patches as soon as possible and test custom applications during the software development life cycle (shift left) to fix errors before they make it to production apps.
How to mitigate privilege escalation?
To mitigate the impact of privilege escalation, you should harden your systems to make it more difficult for attackers to escalate even if vulnerabilities are not yet fixed. Here are a few approaches that help:
- Follow the principle of least privilege. Create separate user accounts for specific services/applications if possible and give them only the necessary permissions. Create separate admin accounts for different administration tasks if possible. Remove all unused accounts and all unnecessary existing privileges. Restrict access to directories and files as much as possible (ideally leaving it only for the file/directory owner). Use access management mechanisms such as user account control (UAC) to ensure that system administrator access is not abused.
- Don’t give shell and file transfer access to user accounts unless absolutely necessary. If an operating system user has shell access, the attacker can very easily escalate their actions. File transfer functionality allows attackers to upload malicious files, e.g. ransomware. If file transfer functionality must be permitted, control the types of files that may be uploaded to the system, e.g. disallow all executable files and scripts (don’t just look for an exe extension).
- Change default user names and passwords, especially for networked devices such as routers, printers, and all IoT devices. Note that this should include not only administrator accounts or other privileged users but all user accounts.
- Promote good password hygiene. Teach your users how to select good passwords. Promote long passwords. Don’t force users to change passwords too often. Use multi-factor authentication (MFA) wherever possible.
- Teach your users how to recognize social engineering, including phishing. Conduct security exercises by sending fake phishing emails.