Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...

software application Software is a set of computer programs and associated documentation and data. This is in contrast to hardware, from which the system is built and which actually performs the work. At the lowest programming level, executable code consists ...

to gain elevated access to

resources Resource refers to all the materials available in our environment which are technologically accessible, economically feasible and culturally sustainable and help us to satisfy our needs and wants. Resources can broadly be classified upon their a ...

that are normally protected from an application or

user Ancient Egyptian roles * User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty * Useramen, an ancient Egyptian vizier also called "User" Other uses * User (computing), a person (or software) using an ...

. The result is that an application with more privileges than intended by the

application developer A computer programmer, sometimes referred to as a software developer, a software engineer, a programmer or a coder, is a person who creates computer programs — often for larger computer software. A programmer is someone who writes/creates ...

system administrator A system administrator, or sysadmin, or admin is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems, especially multi-user computers, such as servers. The system administrator seeks to ensu ...

can perform

unauthorized Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More fo ...

actions.

Background

Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files or modifying system files. Privilege escalation means users receive privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms: * Vertical privilege escalation, also known as ''privilege elevation'', where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.) * Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)

Vertical

This type of privilege escalation occurs when the user or process is able to obtain a higher level of access than an administrator or system developer intended, possibly by performing kernel-level operations.

Examples

In some cases, a high-privilege application assumes that it would only be provided with input matching its interface specification, thus doesn't validate this input. Then, an attacker may be able to exploit this assumption, in order to run unauthorized code with the application's privileges: *Some

Windows service In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager ...

s are configured to run under the Local System user account. A vulnerability such as a

buffer overflow In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory ...

may be used to execute arbitrary code with privilege elevated to Local System. Alternatively, a system service that is impersonating a lesser user can elevate that user's privileges if errors are not handled correctly while the user is being impersonated (e.g. if the user has introduced a malicious error handler) *Under some legacy versions of the

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...

operating system, the All Users

screensaver A screensaver (or screen saver) is a computer program that blanks the display screen or fills it with moving images or patterns when the computer has been idle for a designated time. The original purpose of screensavers was to prevent phosphor ...

runs under the Local System account – any account that can replace the current screensaver

binary Binary may refer to: Science and technology Mathematics * Binary number, a representation of numbers using only two digits (0 and 1) * Binary function, a function that takes two arguments * Binary operation, a mathematical operation that t ...

in the file system or

Registry Registry may refer to: Computing * Container registry, an operating-system-level virtualization registry * Domain name registry, a database of top-level internet domain names * Local Internet registry * Metadata registry, information system for re ...

can therefore elevate privileges. *In certain versions of the

Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ope ...

it was possible to write a program that would set its current directory to /etc/cron.d, request that a

core dump In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminat ...

be performed in case it crashes and then have itself killed by another process. The core dump file would have been placed at the program's current directory, that is, /etc/cron.d, and

cron 




The cron command-line utility is a job scheduler on Unix-like operating systems. Users who set up and maintain software environments use cron to schedule jobs (commands or shell scripts), also known as cron jobs, to run periodically at fixed ti ...

would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under attacker's control, the attacker would be able to execute any program with

root In vascular plants, the roots are the organs of a plant that are modified to provide anchorage for the plant and take in water and nutrients into the plant body, which allows plants to grow taller and faster. They are most often below the sur ...

privileges. *

Cross Zone Scripting Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privile ...

is a type of privilege escalation attack in which a website subverts the security model of web browsers, thus allowing it to run malicious code on client computers. *There are also situations where an application can use other high privilege services and has incorrect assumptions about how a client could manipulate its use of these services. An application that can execute

Command line A command-line interpreter or command-line processor uses a command-line interface (CLI) to receive commands from a user in the form of lines of text. This provides a means of setting parameters for the environment, invoking executables and pro ...

shell Shell may refer to: Architecture and design * Shell (structure), a thin structure ** Concrete shell, a thin shell of concrete, usually with no interior columns or exterior buttresses ** Thin-shell structure Science Biology * Seashell, a hard ou ...

commands could have a Shell Injection vulnerability if it uses unvalidated input as part of an executed command. An attacker would then be able to run system commands using the application's privileges. *

Texas Instruments Texas Instruments Incorporated (TI) is an American technology company headquartered in Dallas, Texas, that designs and manufactures semiconductors and various integrated circuits, which it sells to electronics designers and manufacturers globall ...

calculators (particularly the

TI-85 The TI-85 is a graphing calculator made by Texas Instruments based on the Zilog Z80 microprocessor. Designed in 1992 as TI's second graphing calculator (the first was the TI-81), it was replaced by the TI-86, which has also been discontinued ...

and

TI-82 The TI-82 is a graphing calculator made by Texas Instruments. The TI-82 was designed in 1993 as a stripped down, more user friendly version of the TI-85, and as a replacement for the TI-81. It was the direct predecessor of the TI-83. It shares ...

) were originally designed to use only interpreted programs written in dialects of

TI-BASIC TI-BASIC is the official name of a BASIC-like language built into Texas Instruments (TI)'s graphing calculators. TI-BASIC is a language family of three different and incompatible versions, released on different products: * TI-BASIC 83 (on Z80 pr ...

; however, after users discovered bugs that could be exploited to allow native

Z-80 The Z80 is an 8-bit microprocessor introduced by Zilog as the startup company's first product. The Z80 was conceived by Federico Faggin in late 1974 and developed by him and his 11 employees starting in early 1975. The first working samples we ...

code to run on the calculator hardware, TI released programming data to support third-party development. (This did not carry on to the

ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between the ...

-based

TI-Nspire The TI-Nspire is a graphing calculator made by Texas Instruments, which was released in July 2007, notable for featuring a non-QWERTY keyboard and a different key-by-key layout than its predecessors. Development The original TI-Nspire ...

, for which jailbreaks using Ndless have been found but are still actively fought against by Texas Instruments.) *Some versions of the iPhone allow an unauthorised user to access the phone while it is locked.

Jailbreaking

In computer security, jailbreaking is defined as the act of removing limitations that a vendor attempted to hard-code into its software or services. A common example is the use of toolsets to break out of a

chroot A chroot on Unix and Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally ...

jail A prison, also known as a jail, gaol (dated, standard English, Australian, and historically in Canada), penitentiary (American English and Canadian English), detention center (or detention centre outside the US), correction center, correc ...

UNIX-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...

operating systems or bypassing

digital rights management Digital rights management (DRM) is the management of legal access to digital content. Various tools or technological protection measures (TPM) such as access control technologies can restrict the use of proprietary hardware and copyrighted works. ...

(DRM). In the former case, it allows the user to see files outside of the

filesystem In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...

that the administrator intends to make available to the application or user in question. In the context of DRM, this allows the user to run arbitrarily defined code on devices with DRM as well as break out of chroot-like restrictions. The term originated with the iPhone/

iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also includes ...

jailbreaking community and has also been used as a term for

PlayStation Portable The PlayStation Portable (PSP) is a handheld game console developed and marketed by Sony Computer Entertainment. It was first released in Japan on December 12, 2004, in North America on March 24, 2005, and in PAL regions on September 1, 2005, ...

hacking; these devices have repeatedly been subject to jailbreaks, allowing the execution of arbitrary code, and sometimes have had those jailbreaks disabled by vendor updates.

systems including the iPhone,

iPad The iPad is a brand of iOS and iPadOS-based tablet computers that are developed by Apple Inc. The iPad was conceived before the related iPhone but the iPhone was developed and released first. Speculation about the development, operating s ...

, and

iPod Touch The iPod Touch (stylized as iPod touch) is a discontinued line of iOS-based mobile devices designed and marketed by Apple Inc. with a touchscreen-controlled user interface. As with other iPod models, the iPod Touch can be used as a music pl ...

have been subject to iOS jailbreaking efforts since they were released, and continuing with each firmware update. iOS jailbreaking tools include the option to install package frontends such as

Cydia Cydia is a graphical user interface of APT (Advanced Package Tool) for iOS. It enables a user to find and install software not authorized by Apple on jailbroken iPhones, iPads and iPod Touch devices. It also refers to digital distribution pla ...

and

Installer.app Installer.app was a freeware software installer for the iPhone created by Nullriver and later maintained by RipDev, first released in summer 2007 and maintained until summer 2009. Installer allowed users to install third-party applications into ...

, third-party alternatives to the

App Store An App Store (or app marketplace) is a type of digital distribution platform for computer software called applications, often in a mobile context. Apps provide a specific set of functions which, by definition, do not include the running of the co ...

, as a way to find and install system tweaks and binaries. To prevent iOS jailbreaking, Apple has made the device

boot ROM The boot ROM is a type of ROM that is used for booting a computer system. There are two types: a mask boot ROM that cannot be changed afterwards and a boot EEPROM, which can contain an UEFI implementation. Purpose Upon power up, hardware usually ...

execute checks for SHSH blobs in order to disallow uploads of custom kernels and prevent software downgrades to earlier, jailbreakable firmware. In an "untethered" jailbreak, the iBoot environment is changed to execute a boot ROM exploit and allow submission of a patched low level bootloader or hack the kernel to submit the jailbroken kernel after the SHSH check. A similar method of jailbreaking exists for

S60 Platform The S60 Platform (formerly Series 60 User Interface) was a platform (computing), software platform for Mobile app, smartphones that runs on top of the Symbian operating system. It was created by Nokia based on the 'Pearl' user interface from S ...

smartphones A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, which ...

, where utilities such as HelloOX allow the execution of unsigned code and full access to system files. or edited firmware (similar to the M33 hacked firmware used for the

) to circumvent restrictions on

unsigned code Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to val ...

Nokia Nokia Corporation (natively Nokia Oyj, referred to as Nokia) is a Finnish multinational corporation, multinational telecommunications industry, telecommunications, technology company, information technology, and consumer electronics corporatio ...

has since issued updates to curb unauthorized jailbreaking, in a manner similar to Apple. In the case of gaming consoles, jailbreaking is often used to execute homebrew games. In 2011,

Sony , commonly stylized as SONY, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. As a major technology company, it operates as one of the world's largest manufacturers of consumer and professional ...

, with assistance from law firm

Kilpatrick Stockton Kilpatrick Townsend & Stockton is an international law firm headquartered in Atlanta, Georgia. The firm has nineteen offices, including U.S. offices in California, Colorado, North Carolina, New York, Texas, Washington State, and the District of ...

, sued 21-year-old

George Hotz George Francis Hotz (born October 2, 1989), alias geohot, is an American security hacker, entrepreneur, and software engineer. He is known for developing iOS jailbreaks, reverse engineering the PlayStation 3, and for the subsequent lawsuit br ...

and associates of the group fail0verflow for jailbreaking the

PlayStation 3 The PlayStation 3 (PS3) is a home video game console developed by Sony Interactive Entertainment, Sony Computer Entertainment. The successor to the PlayStation 2, it is part of the PlayStation brand of consoles. It was first released on Novemb ...

(see ''

Sony Computer Entertainment America v. George Hotz ''SCEA v. Hotz'' was a lawsuit in the United States by Sony Computer Entertainment of America against George Hotz and associates of the group fail0verflow. It was in regards to jailbreaking and reverse engineering the PlayStation 3. Timeline ...

'' and

PlayStation Jailbreak PlayStation 3 Jailbreak was the first Universal Serial Bus, USB (Universal Serial Bus) chipset that allowed unauthorized execution of code, similar to homebrew (video games), homebrew, on the PlayStation 3. It works by bypassing a system security ...

Android

Android phones can be officially rooted by either going through manufacturers controlled process, using an exploit to gain root, or flashing custom recovery. Manufacturers allow rooting through a process they control, while some allow the phone to be rooted simply by pressing specific key combinations at boot time, or by other self-administered methods. Using a manufacturers method almost always factory resets the device, making rooting useless to people who want to view the data, and also voids the warranty permanently, even if the device is derooted and reflashed. Software exploits commonly either target a root-level process that is accessible to the user, by using an exploit specific to the phone's kernel, or using a known Android exploit that has been patched in newer versions; by not upgrading the phone, or intentionally downgrading the version.

Mitigation strategies

Operating systems and users can use the following strategies to reduce the risk of privilege escalation: *

Data Execution Prevention In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit (no-execute bit ...

Address space layout randomization Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited fu ...

(to make it harder for

buffer overruns In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory ...

to execute privileged instructions at known addresses in memory) * Running applications with

least privilege In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction la ...

(for example by running

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...

with the Administrator SID disabled in the process token) in order to reduce the ability of buffer overrun exploits to abuse the privileges of an elevated user. * Requiring kernel mode code to be digitally signed. *

Patching Patching is a small village and civil parish that lies amid the fields and woods of the southern slopes of the South Downs in the National Park in the Arun District of West Sussex, England. It has a visible hill-workings history going back t ...

* Use of

compiler In computing, a compiler is a computer program that translates computer code written in one programming language (the ''source'' language) into another language (the ''target'' language). The name "compiler" is primarily used for programs that ...

s that trap buffer overruns * Encryption of software and/or

firmware In computing, firmware is a specific class of computer software that provides the low-level control for a device's specific hardware. Firmware, such as the BIOS of a personal computer, may contain basic functions of a device, and may provide h ...

components. * Use of an operating system with Mandatory Access Controls (MAC) such as

SELinux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space t ...

Horizontal

Horizontal privilege escalation occurs when an application allows the attacker to gain access to

which normally would have been protected from an application or

. The result is that the application performs actions with the same user but different security context than intended by the

; this is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users). Compared to the vertical privilege escalation, horizontal requires no upgrading the privilege of accounts. It often relies on the bugs in the system.

Examples

This problem often occurs in

web application A web application (or web app) is application software that is accessed using a web browser. Web applications are delivered on the World Wide Web to users with an active network connection. History In earlier computing models like client-serve ...

s. Consider the following example: * User A has access to their own bank account in an Internet Banking application. * User B has access to their own bank account in the same Internet Banking application. * The vulnerability occurs when User A is able to access User B's bank account by performing some sort of malicious activity. This malicious activity may be possible due to common web application weaknesses or vulnerabilities. Potential web application vulnerabilities or situations that may lead to this condition include: * Predictable

session ID In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary ...

s in the user's

HTTP cookie HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's w ...

Session fixation In computer network security, session fixation attacks attempt to exploit the vulnerability of a system that allows one person to fixate (find or set) another person's session identifier. Most session fixation attacks are web based, and most rel ...

Cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...

* Easily guessable

password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...

s * Theft or hijacking of session cookies *

Keystroke logging Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored ...

References

{{DEFAULTSORT:Privilege Escalation Operating system security

Background

Vertical

Examples

Jailbreaking

Android

Mitigation strategies

Horizontal

Examples

See also

References