Privilege escalation is the exploitation of a computer bug or of a design or configuration error in software, with the aim of giving a user or application access to resources that cannot be used with limited rights. Most computer systems are designed as multi-user systems that include a concept for managing access rights. Privilege escalation means that a user obtains rights that he or she does not normally have. These rights can be used to delete files, to retrieve and modify other users’ private information, or to install unwanted programs. Privilege escalation occurs when there are bugs in the system in question that allow the security concept to be bypassed.
There are two variants:
- Vertical privilege escalation: Elevation of access rights by a user or application with the aim of being able to use resources that are actually reserved for more privileged users, usually from other user groups. Example: Installation of driver software by a user who has gained administrative rights.
- Horizontal privilege escalation: A normal user accesses features or content reserved for other normal users. For example, User A and User B belong to the same user group, but User B also has the right to access the network. By escalating rights horizontally, User A also obtains this right.

Vertical Privilege Escalation
This type of privilege escalation occurs when the user or the application process is able to gain administrator or even system privileges, possibly even through kernel operations.
Often, highly privileged processes assume that the data they receive complies with the interface specification and do not check it. An attacker may then be able to exploit this assumption in such a way that unauthorized code is executed by the highly privileged application.
Some Windows system services are configured to run in the context of the system user account. A vulnerability, such as a buffer overflow, could be exploited to execute arbitrary code in the context of the system user account.
In older versions of the Microsoft Windows operating system, the screensaver ran in the context of the system user account. Any account that was able to replace the screensaver application with its own application gained system privileges as a result.
In some versions of the Linux kernel, it was possible to obtain root privileges through a null pointer dereference. The cause was a mutex in the kernel that was released too early.
Certain versions of the Linux kernel made it possible to write a program that could create a child process and set that process's current directory. This child process was flagged to create a memory dump in the event of a crash. Subsequently, the child process was artificially terminated. The dump was stored in the currently set directory, i.e. in /root/home, and the root account was entered as the owner. Cron then executed the file automatically.
Because the contents of the file were defined by the attacker in the original program, this allowed the attacker to execute arbitrary code with root privileges.
Cross-zone scripting is a variant of attack in which a website subverts the security model of web browsers in order to execute code on the client computer with higher privileges.
Another variant of privilege escalation is called jailbreaking. This refers to unlocking or bypassing systems that are mostly DRM-protected, for example to run unapproved apps on the iPhone or to use homebrew computer programs on game consoles. These systems usually work on the basis of a sandbox, and privilege escalation is used to break out of it.
Horizontal Privilege Escalation
Horizontal privilege escalation occurs when the attacker manages to gain access to resources that are reserved for another user, who is not highly privileged himself. As a result, the application or user performs actions in a different security context than originally intended by the application developer or system administrator. This problem is common in web applications. Example:
- User A has access to their account in an Internet banking application.
- User B has access to his account in the same Internet banking application.
- The vulnerability occurs when User A is able to access User B’s account through malicious activity.
This malicious activity can be made possible by weaknesses or gaps in the shared web application.
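The banking scenario above, as an added example that is not part of the original article: an account lookup that trusts the requested account id, beside one that checks ownership on the server, plus a small audit over an access log. The account data, function names and log entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance_cents: int


# Constructed sample data: two ordinary users in the same user group.
ACCOUNTS = {
    1001: Account(1001, "user_a", 250_00),
    1002: Account(1002, "user_b", 9_800_00),
}


class AccessDenied(Exception):
    """Raised when the session user does not own the requested object."""


def get_account_vulnerable(session_user: str, account_id: int) -> Account:
    # Weakness: the caller is authenticated, but the account id taken from
    # the request is trusted as-is, so any logged-in user can read any account.
    return ACCOUNTS[account_id]


def get_account_hardened(session_user: str, account_id: int) -> Account:
    # Object-level authorization: the owner comes from server-side data and
    # is compared with the session identity on every access.
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise AccessDenied(f"account {account_id} not available")
    return account


def audit_cross_user_access(log):
    """Detection: return (user, account_id) entries that touch another user's account."""
    return [
        (user, acct_id)
        for user, acct_id in log
        if acct_id in ACCOUNTS and ACCOUNTS[acct_id].owner != user
    ]


if __name__ == "__main__":
    # Constructed access log of (session user, requested account id).
    sample_log = [("user_a", 1001), ("user_a", 1002), ("user_b", 1002)]
    print(audit_cross_user_access(sample_log))
```

The audit function is useful on its own for reviewing existing logs before the ownership check is deployed.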