Chapter 2. Active Directory – Escalation of Privilege

Information in this Chapter

  • Escalation of Privileges Attack Anatomy
  • Dangers with Privilege Escalation Attacks
  • Future of Privilege Escalation Attacks
  • Defenses against Escalation of Privilege Attacks

The expression and concept of “escalation of privilege” may not always be as easy to understand or as clearly defined as we may hope; the idea and act of escalating privileges equates to an attacker using his existing access to obtain additional privileges that would not normally be allowed. As it applies to network security and attacks, escalation of privileges can be something as simple as an employee leveraging a flaw in an application to obtain further access for snooping around documents that he does not normally have access to. Privilege escalation, however, can be as involved as an attacker using an account with limited access to resources and leveraging implementation flaws to seize an entire network.

One popular privilege escalation exploit against Windows, dated now but deadly in its day, was the getAdmin attack. This exploit allowed a utility to attach to the WINLOGON process of Windows NT systems and then add a user to the local system. After an initial patch for this flaw was issued, slight modifications were made to the exploit code, allowing attackers to once again leverage the flaw and possibly also execute denial of service (DoS) attacks against the system. This flaw has since been patched and was only relevant to the NT4 operating system; however, this example certainly indicates that the threat of privilege escalation has been around for quite some time and is still effective today. More information about this specific attack and how it was possible can be found at the Microsoft Support site (http://support.microsoft.com/kb/146965).

Epic Fail

Addressing and patching vulnerabilities quickly and accurately is an important part of a software vendor's responsibility to its customers. Software vendors will often make patches quickly for vulnerabilities available to address a specific instance of a vulnerability; however, deeper investigation into the root cause of the vulnerability is not always performed.

In certain situations, patches that do not fully address the vulnerabilities identified can be deployed. This allows vulnerability researchers and attackers to continue leveraging poorly implemented code and functionality to continue discovering and exploiting similar vulnerabilities.

Proper quality assurance testing should not only address usability and functionality but also involve testing the overall security coding, logic, error handling, and security architecture of the application.

To further understand privilege escalation, we first need to understand the three major categories of “privilege modification.” The three types of privilege modification attacks are vertical escalation, horizontal escalation, and privilege descalation, as shown in Table 2.1. Of these, vertical and horizontal escalations are the two modifications that allow escalation or parallel access, whereas descalation results in the reduction of privileges.

Table 2.1. Types of privilege modification

  • Vertical escalation
  • Horizontal escalation
  • Privilege descalation

Vertical escalation is achieved by moving from one level of authority or access to a higher level of authority or access. This additional access may provide access to resources above and beyond what was originally provided or intended. As an example, if a local user account is created and assigned to the Users group, it would have limited permissions and capabilities associated with the Users group. If an account currently in the Users group, however, was added to the Power Users or Administrators groups, then the account would gain many of the privileges associated with those groups. The move from the Users group to the Power Users or Administrators group is an example of a vertical escalation of privileges.
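The group move described above leaves a trail: Windows logs event 4732 (member added to a security-enabled local group) and 4728 (member added to a security-enabled global group). The following added example, not from the book, runs a simple detector over constructed records flattened into a key=value form (the field names and the sample hosts and accounts are assumptions, not the raw Windows XML) and flags additions to the groups named in the text.

```python
import re
from dataclasses import dataclass

# Local groups whose membership changes amount to the vertical escalation
# described above (Users -> Power Users / Administrators).
PRIVILEGED_GROUPS = {"Administrators", "Power Users"}

# Windows Security event IDs for group membership additions.
GROUP_ADD_EVENTS = {4728, 4732}


@dataclass(frozen=True)
class Alert:
    actor: str       # account that performed the addition (Subject)
    member: str      # account that was added
    group: str
    host: str
    self_added: bool  # actor added itself, a classic escalation pattern


# Constructed sample records; a real pipeline would map these fields
# from the event's XML or from a SIEM-normalised document.
SAMPLE_EVENTS = [
    "EventID=4732 Host=WS01 Subject=CORP\\jdoe Member=CORP\\jdoe Group=Administrators",
    "EventID=4732 Host=WS01 Subject=CORP\\helpdesk Member=CORP\\asmith Group=Remote Desktop Users",
    "EventID=4728 Host=DC01 Subject=CORP\\svc_ops Member=CORP\\tmp01 Group=Power Users",
    "EventID=4624 Host=WS01 Subject=CORP\\jdoe LogonType=2",
]

# key=value pairs; values may contain spaces (e.g. "Remote Desktop Users").
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(_FIELD.findall(line))


def find_group_escalations(lines) -> list:
    """Return an Alert for every addition to a privileged group."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("EventID", "").isdigit():
            continue
        if int(ev["EventID"]) not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("Group", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        actor, member = ev.get("Subject", ""), ev.get("Member", "")
        alerts.append(Alert(actor, member, group, ev.get("Host", ""), actor == member))
    return alerts
```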

Horizontal escalation occurs when one account or process gains access to another account with similar access but may not be authorized to operate under the context of the account. To understand this type of escalation, imagine you are browsing the Web and decide to log into your Twitter account to see if you have any cool tweets to read. While you are logged in, you decide to try some cool new tricks you learned by watching YouTube videos on hacking Web applications. After attempting one of the new tricks, you discover you can access the contents and make changes to another user's Twitter account under the context of the user account you gained access to. (No actual Twitter accounts were harmed in the making of this book.) The access gained is equal to the level of access you already had; however, it is under the context of another user's account. Again, your privileges were not escalated to a higher level of administrative control; however, you have access to content you were not intended to have access to legitimately.
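The Twitter scenario above is a missing ownership check: the application trusts the account identifier supplied in the request instead of the identity tied to the session. The added example below, written for this chapter rather than taken from it, shows such a handler beside its fixed form using constructed in-memory accounts (the account data and function names are assumptions).

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user is not authorized for the target account."""


@dataclass
class Account:
    user_id: int
    handle: str
    drafts: list = field(default_factory=list)


# Constructed sample backend: two ordinary users with the same privilege level.
ACCOUNTS = {
    1: Account(1, "alice", ["draft: lunch plans"]),
    2: Account(2, "bob", ["draft: unpublished announcement"]),
}


def update_drafts_vulnerable(session_user_id: int, target_user_id: int, new_draft: str) -> list:
    """Horizontal escalation: the account to modify comes straight from the
    request, so any logged-in user can read and change any other user's drafts."""
    account = ACCOUNTS[target_user_id]
    account.drafts.append(new_draft)
    return list(account.drafts)


def update_drafts_fixed(session_user_id: int, target_user_id: int, new_draft: str) -> list:
    """Authorization is decided by the authenticated session, not the request
    parameter; a mismatch is refused before any data is touched."""
    if target_user_id not in ACCOUNTS:
        raise KeyError("no such account")
    if session_user_id != target_user_id:
        raise Forbidden("account does not belong to the session user")
    account = ACCOUNTS[target_user_id]
    account.drafts.append(new_draft)
    return list(account.drafts)


def attempt(handler, session_user_id: int, target_user_id: int, draft: str) -> str:
    """Run a handler the way a request dispatcher would and report the outcome."""
    try:
        handler(session_user_id, target_user_id, draft)
        return "allowed"
    except Forbidden:
        return "denied"
```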

Privilege descalation is the concept of reducing access from a higher-level authority to a lower-level authority. Some applications and data access components allow administrators to drop to a lower level of privileges, so they can experience the environment in which a lower-level authority is working. This may be used to temporarily reduce the scope of access for an administrator to troubleshoot user access in applications or for a variety of other situations.

Escalation of Privileges Attack Anatomy

Privilege escalation attacks can be executed in many ways depending on the initial access the attacker has. In many cases, the attacks are performed after valid user credentials are obtained as a result of other successful attacks. Sometimes gaining initial access to a valid user account can be difficult; however, employees do not always use complex passwords to protect their accounts.

Warning

Although many organizations understand that permitting employees to use weak passwords gives attackers a greater probability of success when targeting the organization, these organizations still do not impose password complexity requirements. Unfortunately, for many organizations that do impose complex password requirements, the requirements are not always robust or complex enough to reduce the success of attackers. For more information about Windows passwords and their implementation, please refer to Chapter 1, “Windows Operating System – Password Attacks.” Never underestimate the access or power a regular user account has and what damage can be done using it.

Privilege escalation attacks do not always target user accounts. Additional privileges can also be obtained by leveraging flaws found in poorly designed applications. Organizations such as Common Weakness Enumeration (CWE) and SysAdmin, Audit, Network, Security (SANS) discuss and document various common programming flaws in their “CWE/SANS TOP 25 Most Dangerous Programming Errors” (www.sans.org/top25errors/); some privilege escalation attack concepts can be referenced specifically in “CWE-250: Execution with Unnecessary Privileges” of the CWE/SANS report.
