
What is Privilege Escalation?


In my previous post, we examined the measures that organizations use to enforce authorization policies. Authorization policies and the methods we use to enforce them – access controls, user permissions or privileges – are intended to protect sensitive information against unauthorized viewing, sharing, modification, or deletion. Such policies can also protect against unauthorized execution of applications on a computer.

Malicious actors, criminals, or parties engaged in cyber espionage are motivated – financially, socio-politically, or for notoriety – to defeat authorization policies to gain access to classified or sensitive business data, to defraud a merchant of goods or to steal money. These attackers often begin compromising user accounts. Alternatively, they may look for vulnerabilities that they can exploit to gain control over a computer system or application.

Through such initial exploit paths, an attacker obtains a certain level of access. Next, the attacker progressively probes the system she has compromised to gain more privileges than she started with, hoping to access sensitive information belonging to other accounts or even to obtain complete administrative control over the system. When an attacker expands her initial unauthorized access in this manner, we call her efforts a privilege escalation attack.

Horizontal Privilege Escalation

Let's suppose that an attacker has gained access to an online banking account. She's looking to steal money and the money she's stolen from this one account is not enough. She'll probe for information or try various exploits to gain access to other accounts. This is called horizontal privilege escalation because our attacker is moving laterally across accounts of similar privileges.

How does she move laterally? Our attacker may examine the hyperlinks the bank returns after she has logged in to see whether they reveal anything about how content is organized at the banking site. She may discover that the bank encodes a customer's account number in a predictable way in those hyperlinks. She'll then craft and submit modified hyperlinks to test whether the banking system's authorization checks are flawed and whether the flaw lets her view other customers' account data or (better, from her point of view) transfer funds. If successful, she may access several accounts before the bank detects her activity or a customer reports a theft. This is known as a direct object reference attack.
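The account-lookup flaw described above, as an added illustration that is not code from the original post: a handler that authenticates the session but then trusts whatever account number arrives in the link, beside the same handler with a server-side ownership check. Account records and session tokens are constructed sample values.

```python
# Added illustration (not from the original post): a lookup that trusts the
# account number in the URL leaks other customers' data; an ownership check
# on the server closes the hole. All accounts and sessions are constructed.

ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 800},
}
# Maps a session token to the user who authenticated with it (constructed).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when the caller does not own the requested account."""


def view_account_vulnerable(session_token: str, account_id: str) -> dict:
    """Authenticates the session, then returns whatever account was asked for.

    Any logged-in customer can read any account simply by changing the number
    in the link: the object reference is never tied to the requesting user.
    """
    SESSIONS[session_token]          # authentication (KeyError if unknown)...
    return ACCOUNTS[account_id]      # ...but no authorization check at all


def view_account_fixed(session_token: str, account_id: str) -> dict:
    """Same lookup, but the server verifies that the account belongs to the
    session's user, so a modified link yields a refusal instead of data."""
    user = SESSIONS[session_token]
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        # One response for "missing" and "not yours": don't confirm which
        # account numbers exist.
        raise Forbidden(f"{user} may not view account {account_id}")
    return account


def can_read_other_account(handler) -> bool:
    """True if bob's session can read alice's account through `handler`."""
    try:
        return handler("tok-bob", "1001")["owner"] == "alice"
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", can_read_other_account(view_account_vulnerable))
    print("fixed handler leaks:", can_read_other_account(view_account_fixed))
```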

Vertical Privilege Escalation

Attackers are often motivated to gain complete control over a computer system so that they can put the system to whatever use they choose. When an attacker begins with a compromised user account and is able to expand or elevate the single user privileges he has to where he gains complete administrative privileges or "root", we call such attacks vertical privilege escalation.

Let's consider a scenario where our attacker has gained unauthorized access to a user account on a computer system. He'll conduct local reconnaissance to see what the compromised user can do and what information he can access, whether he can write scripts or compile programs from this account, and more. If he's able to download and execute software on the compromised computer, he may run exploit software. He'll poke around until he finds a vulnerability or configuration error that he can exploit to become an administrator on the targeted computer, or he'll abandon this system and move on to another computer.

An attacker can also reach protected or sensitive information through remote paths. For example, by carefully crafting queries that take advantage of a vulnerability in a web application deployed at a targeted site, an attacker can pass instructions directly to the site's database, allowing him to read ostensibly protected records or dump the entire contents of the database (see SQL injection). Attackers have an abundance of exploits to try, but often they simply take advantage of a web application that does not validate the type of data a user submits. In such situations the web application passes whatever the attacker enters into a submission form straight to the database, and the database executes what it receives, often with disastrous consequences: full database disclosure, data alteration, or corruption.

Beef Up Authentication and Validate All Data!

Three simple remedies that reduce privilege escalation attacks: (1) have your users or customers use the strongest authentication method available, and use it intelligently (e.g., long, strong, complex passwords); (2) scan your web applications for known vulnerabilities to minimize exploit attacks; and (3) validate the data in every submission form your web site uses. Apply these and you'll reduce your organization's exposure to privilege escalation attacks.
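The unvalidated-form-to-database path from the previous section and remedy (3) above, as an added illustration that is not code from the original post: a lookup that pastes the submitted value into the SQL text, beside the same lookup that validates the value's format and keeps it out of the query via a parameter. The SQLite table, its rows, and the four-digit account-number format are constructed for the example.

```python
# Added illustration (not from the original post): what "the database executes
# what it receives" looks like, and the validate-plus-parameterize fix.
# Uses an in-memory SQLite database with constructed sample rows.
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 2500), ("1002", "bob", 800)])
    return conn


def lookup_vulnerable(conn, account_id: str) -> list:
    """Form value is spliced into the SQL text: the database runs whatever
    arrived, so a value that rewrites the WHERE clause returns every row."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


ACCOUNT_ID = re.compile(r"\d{4}")   # constructed format: exactly four digits


class InvalidInput(ValueError):
    """Raised when a submitted value does not look like an account number."""


def lookup_fixed(conn, account_id: str) -> list:
    """Reject anything that is not an account number, and bind the value as a
    parameter so the database never interprets it as part of the statement."""
    if not ACCOUNT_ID.fullmatch(account_id):
        raise InvalidInput(f"bad account id: {account_id!r}")
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


def rows_returned(handler, account_id: str) -> int:
    """Rows a handler hands back for one submitted value; -1 if it rejects it."""
    conn = build_db()
    try:
        return len(handler(conn, account_id))
    except InvalidInput:
        return -1
    finally:
        conn.close()


if __name__ == "__main__":
    tautology = "' OR '1'='1"   # turns the WHERE clause into one that is always true
    print("vulnerable rows:", rows_returned(lookup_vulnerable, tautology))  # 2
    print("fixed rows:", rows_returned(lookup_fixed, tautology))            # -1
```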
