Codepath

Privilege Escalation

Privilege Escalation means exploiting a bug or configuration oversight to gain access to resources which are normally restricted.

There are many other attacks which are forms of Privilege Escalation.

The term "Privilege Escalation" most often refers to escalating a user's privileges in an operating system. Operating systems are organized using privileges. Each privilege level can only access certain information and only perform certain actions, which fits the Principle of Least Privilege. User files and programs also have privileges.

Example of Operating System Privilege Levels

  • Kernel (core of the OS)
  • Device drivers
  • Applications
  • Root user (most privileged admin)
  • Super user (highly privileged admins)
  • Other users (with varying levels of privileges)

Root

The root user is the most important and valuable user on a computer. It is the master account with the most privileges and there is only one. It can perform an action which the operating system will allow users to perform. When an attacker successfully raises their privilege level to become root then it is referred to as "being rooted". Special software for performing this escalation is called a "rootkit". Once an attacker has become root, they have essentially taken over control of the computer.

sudo and sudoers

Users who are below root but have almost the same privileges to do anything on the computer are called "super users". The sudo command is used as a prefix to another command, and it invokes super-user-level permissions. It is like becoming the root user for one command. Because it is powerful, it is only available to users listed in the "sudoers" file.

XKCD: Sandwich


Attackers use a few different techniques to escalate privileges.

  • Become root or super user
    There are many ways which an attacker could become a different user. Credential theft and Brute Force Attacks on the password are two obvious ways. In addition, if a user can gain access to the server they can read the password file for the server (often at /etc/passwd) or get the server to dump the current contents of its memory so that the attacker can look for credentials which still reside in memory. If they have some ability to install or execute programs they may be able to run credential stealing malware which will observer admin logins.

  • Run a program which should be restricted
    Programs have access permission, just like files do. Most often an attacker is able to run a program they should not be able to run because of poorly set permissions. This could be the result of a mistake on the part of the admin, or the program may have been installed with permissive settings from the start. Another frequently overlooked setting is group permissions which allow a group of users to have different permissions from admins or general users. If an attacker can become part of a group (or get a member of a group to perform an action on their behalf) then they can take advantage of these permissions. Lastly, it is difficult but if an attacker can get themselves added to the sudoers file, they would be granted high-level privileges for running programs.

  • Trick OS into running a program itself
    One of the most potent attacks is to get the operating system to run an attacker's program of choice. This is because the operating system and its device drivers have even more privileges to access the core of the system than even the root user does. An operating system is usually well-designed to resist this attack, but an attacker can put executable programs in trusted paths in order to trick the operating system into running them. For example, Microsoft Windows has an "Unattended Installs" directory which is a trusted path for installing new software. On Linux servers the init.d directory is used for running programs after reboot and the cron.d directory runs programs automatically daily. Getting a file into one of these directories could allow it to be executed. Another variation on this, is for an attacker to replace existing trusted programs which have their "write permission" set to allow modification.

Many of the details on these exploits are operating system, software, and configuration specific. They involve highly-technical details which are not easily summarized. Most attackers do not know the technical details either. Hacker tools have simple commands like "getsystem" which try many tricks to gain control, or "get root", on a system. The technical detail of these vulnerabilities highlights how deep at topic security is and points to the need for an experienced system administrator who can manage these risks.

Fork me on GitHub