Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Background
Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files or modifying system files.
Privilege escalation means users receive privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:
* Vertical privilege escalation, also known as ''privilege elevation'', where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
* Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
Vertical
This type of privilege escalation occurs when the user or process is able to obtain a higher level of access than an administrator or system developer intended, possibly by performing kernel-level operations.
Examples
In some cases, a high-privilege application assumes that it will only be provided with input matching its interface specification, and therefore does not validate this input. An attacker may then be able to exploit this assumption in order to run unauthorized code with the application's privileges:
* Some Windows services are configured to run under the Local System user account. A vulnerability such as a buffer overflow may be used to execute arbitrary code with privilege elevated to Local System. Alternatively, a system service that is impersonating a lesser user can elevate that user's privileges if errors are not handled correctly while the user is being impersonated (e.g. if the user has introduced a malicious error handler).
* Under some legacy versions of the Microsoft Windows operating system, the All Users screensaver runs under the Local System account – any account that can replace the current screensaver binary in the file system or Registry can therefore elevate privileges.
* In certain versions of the Linux kernel it was possible to write a program that would set its current directory to /etc/cron.d, request that a core dump be performed in case it crashed, and then have itself killed by another process. The core dump file would have been placed in the program's current directory, that is, /etc/cron.d, and cron would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under the attacker's control, the attacker would be able to execute any program with root privileges.
* Cross-zone scripting is a type of privilege escalation attack in which a website subverts the security model of web browsers, thus allowing it to run malicious code on client computers.
* There are also situations where an application can use other high-privilege services and has incorrect assumptions about how a client could manipulate its use of these services. An application that can execute command-line or shell commands could have a shell injection vulnerability if it uses unvalidated input as part of an executed command. An attacker would then be able to run system commands using the application's privileges.
* Texas Instruments calculators (particularly the TI-85 and TI-82) were originally designed to use only interpreted programs written in dialects of TI-BASIC; however, after users discovered bugs that could be exploited to allow native Z-80 code to run on the calculator hardware, TI released programming data to support third-party development. (This did not carry on to the ARM-based TI-Nspire, for which jailbreaks using Ndless have been found but are still actively fought against by Texas Instruments.)
* Some versions of the iPhone allow an unauthorised user to access the phone while it is locked.
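The shell injection case in the list above, as an added example that is not part of the original article: a hypothetical ping utility that splices untrusted input into a shell command line, next to the hardened form that validates the value against an allow-list and passes argv directly to the kernel so no shell ever parses it. The hostname regex, function names and sample inputs are all constructed for this example.

```python
import re
import shlex
import subprocess

# Allow-list for a hostname argument (constructed for this example): each label
# is 1-63 alphanumerics or hyphens and does not start or end with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Characters to which a POSIX shell gives special meaning. If any appears in
# the input, "sh -c" will not treat the value as one plain argument.
SHELL_METACHARS = set(";|&$`<>()\\\"'*?[]{}~ \t\n")


def vulnerable_command(host: str) -> str:
    """The weak pattern: untrusted text is spliced into a shell command line.

    Passing this string to subprocess.run(..., shell=True) hands it to /bin/sh,
    so a metacharacter in `host` changes what executes, with the privileges of
    the calling application (the shell injection described in the article).
    """
    return f"ping -c 1 {host}"


def quoted_command(host: str) -> str:
    """Second line of defence when a shell is unavoidable: shlex.quote turns the
    value into a single literal word, so metacharacters lose their meaning."""
    return f"ping -c 1 {shlex.quote(host)}"


def safe_argv(host: str) -> list[str]:
    """The hardened pattern: validate against an allow-list, then build argv as
    a list so no shell parses it. Raises ValueError on anything that is not a
    plain hostname."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname argument: {host!r}")
    return ["ping", "-c", "1", host]


def would_break_out(host: str) -> bool:
    """Detection helper for input logging: True if the value carries shell
    metacharacters, which is worth flagging even when the call is safe."""
    return any(ch in SHELL_METACHARS for ch in host)


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. With shell=False (the default) the kernel
    receives argv directly and the hostname is one argument regardless of its
    contents."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a second command.
    for candidate in ("example.com", "example.com; id"):
        print("input:", repr(candidate))
        print("  shell string:", repr(vulnerable_command(candidate)))
        print("  quoted string:", repr(quoted_command(candidate)))
        print("  metacharacters present:", would_break_out(candidate))
        try:
            print("  argv:", safe_argv(candidate))
        except ValueError as exc:
            print("  rejected:", exc)
```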
Jailbreaking
In computer security, jailbreaking is defined as the act of removing limitations that a vendor attempted to hard-code into its software or services. A common example is the use of toolsets to break out of a chroot or jail in UNIX-like operating systems or bypassing digital rights management (DRM). In the former case, it allows the user to see files outside of the filesystem that the administrator intends to make available to the application or user in question. In the context of DRM, this allows the user to run arbitrarily defined code on devices with DRM as well as break out of chroot-like restrictions. The term originated with the iPhone/iOS jailbreaking community and has also been used as a term for PlayStation Portable hacking; these devices have repeatedly been subject to jailbreaks, allowing the execution of arbitrary code, and sometimes have had those jailbreaks disabled by vendor updates.
iOS systems including the iPhone, iPad, and iPod Touch have been subject to iOS jailbreaking efforts since they were released, and continuing with each firmware update. iOS jailbreaking tools include the option to install package frontends such as Cydia and Installer.app, third-party alternatives to the App Store, as a way to find and install system tweaks and binaries. To prevent iOS jailbreaking, Apple has made the device boot ROM execute checks for SHSH blobs in order to disallow uploads of custom kernels and prevent software downgrades to earlier, jailbreakable firmware. In an "untethered" jailbreak, the iBoot environment is changed to execute a boot ROM exploit and allow submission of a patched low level bootloader or hack the kernel to submit the jailbroken kernel after the SHSH check.
A similar method of jailbreaking exists for S60 Platform smartphones, where utilities such as HelloOX allow the execution of unsigned code and full access to system files, or edited firmware (similar to the M33 hacked firmware used for the PlayStation Portable) to circumvent restrictions on unsigned code. Nokia has since issued updates to curb unauthorized jailbreaking, in a manner similar to Apple.
In the case of gaming consoles, jailbreaking is often used to execute homebrew games. In 2011, Sony, with assistance from law firm Kilpatrick Stockton, sued 21-year-old George Hotz and associates of the group fail0verflow for jailbreaking the PlayStation 3 (see ''Sony Computer Entertainment America v. George Hotz'' and PlayStation Jailbreak).
Android
Android phones can be officially rooted either by going through a manufacturer-controlled process, by using an exploit to gain root, or by flashing a custom recovery. Manufacturers allow rooting through a process they control, while some allow the phone to be rooted simply by pressing specific key combinations at boot time, or by other self-administered methods. Using a manufacturer's method almost always factory resets the device, making rooting useless to people who want to view the data, and also voids the warranty permanently, even if the device is derooted and reflashed. Software exploits commonly target either a root-level process that is accessible to the user, using an exploit specific to the phone's kernel, or a known Android exploit that has been patched in newer versions, by not upgrading the phone or by intentionally downgrading the version.
Mitigation strategies
Operating systems and users can use the following strategies to reduce the risk of privilege escalation:
* Data Execution Prevention
* Address space layout randomization (to make it harder for buffer overruns to execute privileged instructions at known addresses in memory)
* Running applications with least privilege (for example by running Internet Explorer with the Administrator SID disabled in the process token) in order to reduce the ability of buffer overrun exploits to abuse the privileges of an elevated user.
* Requiring kernel mode code to be digitally signed.
* Patching
* Use of compilers that trap buffer overruns
* Encryption of software and/or firmware components.
* Use of an operating system with Mandatory Access Controls (MAC) such as SELinux
Horizontal
Horizontal privilege escalation occurs when an application allows the attacker to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with the same user but a different security context than intended by the application developer or system administrator; this is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users). Compared to vertical privilege escalation, horizontal escalation requires no upgrading of the privilege of accounts. It often relies on bugs in the system.
Examples
This problem often occurs in web applications. Consider the following example:
* User A has access to their own bank account in an Internet Banking application.
* User B has access to their own bank account in the same Internet Banking application.
* The vulnerability occurs when User A is able to access User B's bank account by performing some sort of malicious activity.
This malicious activity may be possible due to common web application weaknesses or vulnerabilities.
Potential web application vulnerabilities or situations that may lead to this condition include:
* Predictable session IDs in the user's HTTP cookie
* Session fixation
* Cross-site scripting
* Easily guessable passwords
* Theft or hijacking of session cookies
* Keystroke logging
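The User A / User B banking scenario and the first weakness in the list above (predictable session IDs), as an added example that is not from the original article: a constructed in-memory model of the banking application with an account lookup that only authenticates the session next to one that also checks ownership and records denials, plus a sequential session-ID generator beside one drawn from the OS CSPRNG. Account numbers, usernames, balances and function names are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Constructed data for the Internet Banking application in the text.
ACCOUNTS = {
    "acct-1001": {"owner": "userA", "balance": 2500},
    "acct-1002": {"owner": "userB", "balance": 9100},
}

# Denied cross-user lookups are recorded here; a burst of these from one
# session is a practical detection signal for horizontal escalation attempts.
AUDIT_LOG: list[str] = []


class Forbidden(Exception):
    """Raised when a request is not allowed in the caller's security context."""


@dataclass
class SessionStore:
    _sessions: dict = field(default_factory=dict)
    _counter: int = 0

    def login_predictable(self, username: str) -> str:
        """Weak: sequential IDs. Whoever holds sess-1 can guess sess-2 and act
        as the next user who logged in (the predictable-session-ID weakness)."""
        self._counter += 1
        sid = f"sess-{self._counter}"
        self._sessions[sid] = username
        return sid

    def login(self, username: str) -> str:
        """Hardened: 256 bits from the OS CSPRNG, infeasible to guess."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)


def get_account_vulnerable(store: SessionStore, sid: str, account_id: str) -> dict:
    """Authenticates the session but never checks that the caller owns the
    account, so User A reads User B's account just by changing account_id."""
    if store.user_for(sid) is None:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]


def get_account(store: SessionStore, sid: str, account_id: str) -> dict:
    """Hardened: authorization is tied to the object, not only to the session.
    A missing account and a foreign account get the same response, so the
    check does not leak which account numbers exist."""
    user = store.user_for(sid)
    if user is None:
        raise Forbidden("not logged in")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        AUDIT_LOG.append(f"DENY user={user} account={account_id}")
        raise Forbidden("not the account owner")
    return acct


if __name__ == "__main__":
    store = SessionStore()
    sid_a = store.login_predictable("userA")
    sid_b = store.login_predictable("userB")
    print("predictable session IDs:", sid_a, sid_b)
    print("vulnerable lookup by A of B's account:",
          get_account_vulnerable(store, sid_a, "acct-1002"))
    try:
        get_account(store, sid_a, "acct-1002")
    except Forbidden as exc:
        print("hardened lookup denied:", exc)
    print("audit log:", AUDIT_LOG)
    print("random session ID length:", len(store.login("userA")))
```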
See also
* Defensive programming
* Hacking of consumer electronics
* Illegal number
* Principle of least privilege
* Privilege revocation (computing)
* Privilege separation
* Rooting (Android OS)
* Row hammer