3.2.14 Privilege Escalation

Privilege escalation

In this context of computer security, privilege escalation is the malicious acquisition or exercise of escalated access to resources that are normally reserved for administrative or other authorized users or applications.

When applied in an unauthorized way, privilege escalation is a security violation and is enabled by a flaw in the configuration, services, installed software or operating system. It results in a regular user being given more access than was intended by the developer or the administrator.

In November 2013, Microsoft issued a security advisory on vulnerability that would allow privilege escalation exploits in computers running Windows XP and Windows Server 2003. The security advisory (2914486) reads in part, “The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.” †

Countermeasures against privilege escalation include implementing good system security practices such as:

• Review and apply up-to-date system and application patches
• Remove or protect software that will allow a regular user to create executable applications (e.g.  compilers and software installers)
• Protect system configuration files from access by regular users.
• Run applications with the lowest privilege required, e.g. if you browse the Internet as root (or administrator), any browser exploits will be run with root or administrator privileges on the system.
• Conduct periodic security audits of the system

Related terms: horizontal escalation (gaining the privilege of a peer user, with this a regular user can impersonate another regular user) and vertical escalation (gaining the privilege of a higher level user).

The microkernel model computer hardware architecture offers another concept of privilege escalation. In microkernel based operating systems, major system functions such as device drivers, protocol stacks, file systems, etc. are moved out of the kernel, keeping the kernel code to a bare minimum. This reduces the kernel’s attack surface and as such it’s security vulnerability.

Microkernel operating systems are run on hardware that provides multiple protection modes. Here is a model of a 4 privilege level system. The program running in Ring 0 is the most trusted, and has the most access (privileges) to system resources. The program running in Ring 3 is the least trusted and any access to resources must be moderated.

Note: Linux defines two levels of protection:

• level 0 – includes kernel and device drivers
• level 3 – includes standard libraries and user programs

Creating multiple protection modes offers fault tolerance and security.

References:

• www.admin-magazine.com/Articles/Understanding-Privilege-Escalation
• communities.intel.com/community/datastack/blog/2011/05/07/mitigating-threats-in-the-cloud-using-intel-txt-and-trusted-compute-pools
• fluxius.handgrep.se/2011/01/02/ring-0f-fire-rootkits-and-dkom/
• en.wikipedia.org/wiki/Privilege_escalation
• cs.ucla.edu/classes/fall08/cs111/scribe/4/index.html
• technet.microsoft.com/en-us/security/advisory/2914486^†

3.2.6 Spoofing

Spoofing

A spoofing attack is an attempt to masquerade as someone else. There are a variety of spoofing attacks, including:

Wolf in sheep's clothing

• Spoofing email messages to trick the recipient to accept an email from an attacker
• Creating fake logon programs that attempt to capture user ID and password
• Spoofing IP addresses to make it appear to come from a trusted source
• DNS spoofing involves an attempt to populate a name server database with false information. This can result in a user being sent to a website other than the one intended

Spoofing is making data appear to come from someone or somewhere other than where it originated by maliciously modifying TCP/IP source information. The goal of spoofing attacks is to gain illegitimate access to a resource.

A number of the TCP/IP protocols (DNS, IP, ARP, ICMP, SMTP, NTP, etc.) are vulnerable to spoofing attacks as they were not designed with authentication as a core feature. As such, without extra measures, they are vulnerable to attacks such as man-in-the-middle which depend on an attacker assuming the identity of a legitimate user.

Email spoofing is a common type of spoofing attack. It is the process of faking a senders e-mail address and it occurs when the source of the email is faked to make it appear as it came from someone else. Header fields, e.g. the From field can be faked. In the table below what the user sees is that the email came from a “-Letter-From-Santa-“ this is easily manipulated to read anything. Spammers will keep trying different text in the From, Subject and other fields in an effort to find one that will get the reader to open the email message.

From -Letter-From-Santa- Sun Dec 15 50:07:46 2013 Return-Path: <lettersfromsanta@<deleted>.net> Received: from 127.0.0.1  (HELO >.net) by .com with SMTP; Sun, 15 Dec 2013 08:55:03 +0000 Subject: [Get Your Child a Personal Letter From Santa!] From: "-Letter-From-Santa"lettersfromsanta@.net Date: Sun, 15 Dec 2013 50:07:46 -0800

Vigilance is a key countermeasure to most spoofing attacks. Whenever possible, manually type in the address of a website instead of clicking on a link, especially a link in an email or website. Be careful with email from senders you do not recognize. Be equally careful even if you recognize the sender as the From header field can be faked. Stay up-to-date with patches for the operating system, web browsers, email clients and other applications. Maintain an up-to-date antivirus application.

“Just because you are paranoid does not mean they are not out to get you.”

References:

• http://support.microsoft.com/kb/833786
• http://www.bbc.co.uk/webwise/guides/about-spoofing
• http://office.microsoft.com/en-us/images/