1. Introduction

In this tutorial, we’ll discuss how Privilege Escalation is used within attacks against systems. We’ll look through some techniques used by the attackers and the results successful attacks can have on a system. Finally, we’ll look at ways to maintain a high level of defense against such attacks.

2. What Is Privilege Escalation?

Privilege Escalation is a process during which an attacker tries to gain increasingly high access levels on a system. Privilege Escalation is not by itself an attack but rather the process of getting from an initial foothold all the way up to the highest access level of a system. For a typical PC system, the levels of access can vary – a simple user, a privileged user, an admin, and so on.

3. A Few Words on Privilege in Information Security

What is the meaning behind the word Privilege in the context of a Privilege Escalation attack?

Every computing system has to take into consideration its integrity and security, even if it is not oriented towards specifically safety-critical applications. In that respect, it is reasonable to have some kind of mechanism that asserts that only certain verified entities can do some specific actions, like read and write sensitive data:

Privilege Rings

In most systems, this idea is implemented with a “Users” mechanic. Each user has their own set of “privileges”, meaning they each have access to a subset of the system’s data and functionality. If some user tries to perform an action outside their privilege level, they are greeted with some error message. In some systems, like the Linux OS, there also exists a mechanism to grant a user access to specific functionality outside their privilege levels – e.g., the “sudo” mechanism in Linux.

4. How Do Privilege Escalation Attacks Work?

A bunch of different techniques can be used throughout this process. Typically an attack begins with the attacker gaining an initial foothold on the target system. This is usually some minor vulnerability that can be remotely exploited, such as a bug inside a running program on the system.

Having this initial foothold, the attacker then tries to use it to gain other privileges, either on the same system or on a different computer on the network. This depends on the availability of vulnerable targets on the system and the network, the defense mechanisms that are in place as well as the final purpose of the attack – spreading malware on a whole network takes a different list of steps than gaining root access on a single machine.

At this point, it would be beneficial to take a look at some of the techniques used within those attacks, so let’s do that.

4.1. URL Manipulation

Malicious users create false URLs or hijack legitimate ones and try to get users to click on them, expecting to find the standard website. After the click, they could try to download malware to your system and – depending on your antivirus awareness – succeed.

4.2. Phishing Attempts

A call we get from someone who claims to be our supervisor, an employee at our SIM card provider, or our account manager at our bank that tries to get us to disclose information such as our email and password pairs. Lately, with the rise of two-factor authentication, phishing attempts also incorporate trying to get the two-factor authentication codes from the victim.

4.3. Technical Attacks

Brute-forcing login credentials is a long-standing and well-known type of attack that depending on our password strength, can yield results – one more reason for us to be extra careful and always choose strong passwords. Also, if an initial foothold is gained on the system, the natural next step would be to scan for existing vulnerabilities and exploit those, something the user can’t do more about other than trying to keep our system updated.

4.4. Account Manipulation

Due to the fact that there are several ways to gain access to one of our accounts in case we forget our credentials, attackers also get a chance to try to use this to our disadvantage. By pretending to have forgotten their password, they may be able to guess or reverse engineer the answers to our security questions or use already compromised email accounts or leaked credentials to gain access.

Those are just some methods, but the success of an attack lies with the specific system, its defense level, and the existing underlying threats. After all, no two systems are identical when trying to break into them.

5. Horizontal vs. Vertical Privilege Escalation

There are two major types of these attacks, known as Horizontal and Vertical Privilege Escalation. Their difference lies with the final target of the attacker. Let’s take a closer look.

5.1. Horizontal Privilege Escalation

In Horizontal Privilege Escalation, the attacker has no reason to seek to further escalate their privileges to a higher user, like the root of the system. The target of the attack is to hijack the user account of someone and use it maliciously. The benefits coming from these types of attacks can be anything from identity theft to stealing credentials saved within the account and personal banking information. For example, in horizontal privilege escalation, the attacker tries to compromise other similarly privileged accounts:

Horizontal Privilege Escalation

5.2. Vertical Privilege Escalation

In Vertical Privilege Escalation, the attacker initially gains access to a lowly privileged account and uses it to try to gain access to higher levels. By using the access of this account, the malicious user could log in to services this account has access to and try to gain entry to the administrating features of the service, e.g., an online website or a locally running service. This attack, if successful, owes its success to the privilege level of the underlying account, which was earlier compromised:

Vertical Privilege Escalation

In summary, Horizontal Escalation is when the attacker uses the hijacked account for what it already is and logs, for example, into services with it to withdraw information. Whereas in Vertical Escalation, the hacker uses the account’s low privileges as a tool to gain access to a different security access level – i.e., logs into a place they didn’t have access to before and tries to hack through.

6. Preventing Privilege Escalation Attacks

As with all things cybersecurity, staying safe from such attacks is a matter of 2 things: Prevention and Detection.

Prevention is mainly a matter of user awareness. It is generally recommended in all aspects of using a personal or otherwise sensitive device connected to the internet. Prevention encapsulates – with regards to daily usage – things like having strong and different passwords, being careful with emails and email attachments, making sure you use encrypted connections to send sensitive data, or not trusting open, unencrypted internet connections. It also includes the system defenses that a user should actively take care of, like keeping our system up to date to keep up with all the latest patches, for reasons discussed above.

On the other hand, with Detection, we consider the system’s capability of protecting itself after some vulnerability has intruded. This is where strong antivirus software comes into play. Further than that, any other attempt at detection is highly customized and mainly used in industrial systems, with internally built tools and software to battle such attacks.

Finally, designers usually follow the “Principle of Least Privilege” when designing systems to enhance security. Shortly, this design principle states that every entity – be it a user, a program, a piece of hardware, a whole system, and so on – must only have access to the resources and information it vitally needs for its intended purpose and no more than that. This acts as a precaution so that in case of a breach, we are at least certain that the attacker has the minimum possible access inside our system. Therefore, they can do the least possible damage.

7. Conclusion

In this article, we looked at Privilege Escalation attacks – what they are and how they are usually performed. We took a look at some techniques used during these attacks, distinguished between the two main different types of these attacks, and talked a bit about the countermeasures needed. By looking into what makes these attacks up, we become a bit more aware of their existence and, hopefully, their mitigation. Stay safe out there!