In my previous post, we examined the measures that organizations use to enforce authorization policies. Authorization policies and the methods we use to enforce them – access controls, user permissions or privileges – are intended to protect sensitive information against unauthorized viewing, sharing, modification, or deletion. Such policies can also protect against unauthorized execution of applications on a computer.
Malicious actors, criminals, or parties engaged in cyber espionage are motivated – financially, socio-politically, or for notoriety – to defeat authorization policies to gain access to classified or sensitive business data, to defraud a merchant of goods or to steal money. These attackers often begin compromising user accounts. Alternatively, they may look for vulnerabilities that they can exploit to gain control over a computer system or application.
Through such initial exploit paths, an attacker obtains a certain set of access privileges. Next, the attacker progressively probes the system she has compromised to gain more privileges than she initially obtained, hoping to access sensitive information belonging to other accounts, or even to obtain complete administrative control over the system. When an attacker expands her initial unauthorized access in this manner, we call her efforts a privilege escalation attack.
Horizontal Privilege Escalation
Let's suppose that an attacker has gained access to an online banking account. She's looking to steal money and the money she's stolen from this one account is not enough. She'll probe for information or try various exploits to gain access to other accounts. This is called horizontal privilege escalation because our attacker is moving laterally across accounts of similar privileges.
How does she move laterally? Our attacker may examine the hyperlinks the bank returns after she has logged in to see whether they reveal anything about the way content is organized at the banking site. She may discover that the bank encodes a customer's account number in a particular way in those hyperlinks. She will then craft and submit hyperlinks to the web site to test whether the banking system's security is flawed and whether the flaw allows her to view other customers' account data or (better, from her point of view) to transfer funds. If successful, she may access several accounts before the bank detects her activities or a customer reports a theft. This technique exploits an insecure direct object reference: the site trusts the object identifier in the request without confirming that the logged-in user is entitled to that object.
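The flaw described above comes down to one missing check. The following is an added example, not code from the original post or from any bank: a minimal account-lookup handler shown first in the insecure form (authenticated caller, but the account number from the URL is never tied back to the session owner) and then in the hardened form. The account records, session tokens and customer names are constructed in memory so it runs offline; no web framework is involved.

```python
# Added example (not from the original post): an account-lookup handler in
# insecure and hardened form. Accounts and sessions are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_number: str
    owner_id: str
    balance_cents: int


# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "1001": Account("1001", "alice", 250_00),
    "1002": Account("1002", "bob", 9_000_00),
}

# Constructed sessions: the token presented by the browser maps to a customer id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def current_user(session_token: str) -> str:
    """Resolve a session token to the customer who owns that session."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise PermissionError("not authenticated")


def view_account_insecure(session_token: str, account_number: str) -> Account:
    """Authenticates the caller, then trusts the account number from the URL.
    Any logged-in customer who supplies another account number gets its data:
    the direct object reference is never checked against the session owner."""
    current_user(session_token)          # proves *someone* is logged in...
    return ACCOUNTS[account_number]      # ...but not that they own this account


def view_account(session_token: str, account_number: str) -> Account:
    """Hardened version: the object is returned only if the session's user
    owns it. "No such account" and "not your account" get the same answer,
    so the URL cannot be used to enumerate valid account numbers."""
    user = current_user(session_token)
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner_id != user:
        raise Forbidden(f"{user} may not view account {account_number}")
    return account


def can_view(session_token: str, account_number: str) -> bool:
    """True/False wrapper around the hardened check, handy for tests and logging."""
    try:
        view_account(session_token, account_number)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice's own account works with either handler.
    print(view_account("tok-alice", "1001").balance_cents)
    # The insecure handler hands Alice Bob's account; the hardened one refuses.
    print(view_account_insecure("tok-alice", "1002").owner_id)
    print(can_view("tok-alice", "1002"))
```

The ownership check belongs on the server, next to the data access, and it must run on every request that names an object; a `Forbidden` response that fires for another customer's account number is also a useful detection signal, since legitimate users rarely trigger it.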
Vertical Privilege Escalation
Attackers are often motivated to gain complete control over a computer system so that they can put the system to whatever use they choose. When an attacker begins with a compromised user account and is able to expand or elevate the single user privileges he has to where he gains complete administrative privileges or "root", we call such attacks vertical privilege escalation.
Let's consider a scenario where our attacker has gained unauthorized access to a user account on a computer system. He'll conduct local reconnaissance to see what the compromised user can do and what information he can access, whether he can write scripts or compile programs from this account, and more. If he's able to download and execute software on the compromised computer, he may run exploit software. He'll poke around until he finds a vulnerability or configuration error that he can exploit to become an administrator on the targeted computer, or he'll abandon this system and move on to another computer.
An attacker can also bypass the access controls on protected or sensitive information through remote paths. For example, by carefully crafting queries that take advantage of a vulnerability in a web application deployed at a targeted site, an attacker can pass instructions directly to the site's database that allow him to read ostensibly protected records or dump the entire contents of the database (see SQL injection). Attackers have an abundance of exploits to try, but often they simply take advantage of a web application that performs no validation of the data a user submits: in such situations, the web application passes whatever the attacker enters into a submission form straight to the database, and the database executes what it receives, with often disastrous consequences including full database disclosure and data alteration or corruption.
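The failure mode just described, and the two controls that close it, are easiest to see side by side. The following is an added example, not code from the original post: one account query built by string concatenation and the same query as a parameterized statement, run against an in-memory SQLite table with constructed rows, plus the allow-list validation of the form field that the remedies below call for. The table layout and the "4 to 12 digits" account-number format are assumptions for the example.

```python
# Added example (not from the original post): concatenated vs parameterized
# SQL, with allow-list validation at the form boundary. The database rows and
# the account-number format are constructed for the example.
import re
import sqlite3

ACCOUNT_NUMBER_RE = re.compile(r"^[0-9]{4,12}$")  # assumed format: 4-12 digits


def make_db() -> sqlite3.Connection:
    """Constructed sample database with three customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_number TEXT, owner TEXT, balance_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 25000), ("1002", "bob", 900000), ("1003", "carol", 1200)],
    )
    return conn


def lookup_insecure(conn: sqlite3.Connection, account_number: str) -> list:
    """Builds the statement by concatenation: whatever the form submits becomes
    part of the SQL text, so the database executes attacker-supplied SQL."""
    sql = (
        "SELECT account_number, owner FROM accounts WHERE account_number = '"
        + account_number
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account_number: str) -> list:
    """The value travels as a bound parameter. The statement's structure is fixed
    before any user data is seen, so the input can only match a literal value."""
    sql = "SELECT account_number, owner FROM accounts WHERE account_number = ?"
    return conn.execute(sql, (account_number,)).fetchall()


def is_valid_account_number(value: str) -> bool:
    """Allow-list validation: reject anything that is not plainly an account
    number before it reaches the database layer at all."""
    return bool(ACCOUNT_NUMBER_RE.match(value))


def lookup(conn: sqlite3.Connection, account_number: str) -> list:
    """Defense in depth: validate the field, then run the parameterized query."""
    if not is_valid_account_number(account_number):
        raise ValueError("account number must be 4-12 digits")
    return lookup_parameterized(conn, account_number)


if __name__ == "__main__":
    conn = make_db()
    # A submission that closes the quoted literal and appends a tautology: the
    # textbook probe a vulnerability scanner sends to a form like this one.
    probe = "' OR '1'='1"
    print(lookup_insecure(conn, probe))       # every row: full disclosure
    print(lookup_parameterized(conn, probe))  # []: no account has that literal number
    print(lookup(conn, "1002"))               # [('1002', 'bob')]
```

Parameterization is the control that actually removes the injection; validation is the second layer, and it also gives you a clean place to log rejected submissions, which is how a defender notices a scanner or a manual probe working through the form.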
Beef Up Authentication and Validate All Data!
Three simple remedies that reduce privilege escalation attacks are (1) have your users or customers use the strongest authentication method available, and use it intelligently (e.g., long, strong, complex passwords), (2) scan your web applications for known vulnerabilities to minimize exploit attacks, and (3) validate the data in every submission form your web site uses. Apply these and you will reduce your organization's exposure to privilege escalation attacks.