Want to better understand what Privilege Escalation is and how it can affect application security?
A Privilege Escalation vulnerability occurs when a flaw in an operating system or application allows a user to use another user’s privileges to access that system.
But to really understand what happens in this scenario, we need to understand how protection takes place and how privileges are used within a system.
Therefore, in this article, we will cover how exploiting faults in this protection can compromise the security of applications, and how to prevent them.
Understanding Privilege Escalation in Application Security
In recent articles, we have talked about some vulnerabilities that we find interesting in the Application Security context.
This is in no way meant to rank the vulnerabilities we have covered by criticality or importance; the aim is only to bring the theme up for further reflection.
That being said, today we are going to look at a vulnerability we can find in a large number of applications. Let’s talk a little bit about Application Security Privilege Escalation.
But to talk about Privilege Escalation, we first need to understand what it is and what impacts this type of vulnerability can have on our applications.
A search of the MITRE website for Privilege Escalation returns a total of 1389 vulnerabilities, quite a considerable number for a single vulnerability type.
MITRE is a nonprofit organization that manages federally funded research and development centers (FFRDCs) that support the US government.
Therefore, we can see the importance of this vulnerability. Let’s continue and better understand what Privilege Escalation is.
What is Privilege Escalation in Application Security
In short, the Privilege Escalation vulnerability happens when the operating system or even an application is vulnerable, allowing one user to access the same level of privilege as another.
This is the simple view of the vulnerability.
But, to understand what happens, we must first understand how protections are given and how privileges are used within a system.
Computer systems are usually built for multiple users, each with their own specific area and privilege.
But some privileges are common to all, such as reading and writing in some features.
This design is based on a mechanism called protection modes, which limits what users or resources can do within a system.
Therefore, each feature or application, for example, has a permission limit.
This limit is often exemplified by concentric circles, showing that moving from one level to another needs more permissions – moving from zone A to zone B, for example.
In the following image, you can see an example of privileges being illustrated by rings, with each color, from the outside in, representing a higher level of privilege.
However, it is important to note that in this article we will not go deep into the concept of protection, or protection modes, but only show that there is a division and control over who can use system resources and when.
Therefore, a system's basic permission controls are built on the principle of protection rings, and they can be exploited if applications and systems are not properly protected.
Privilege Escalation Format
When a Privilege Escalation vulnerability is exploited within an application, the permission controls, or even the controls that validate which user is performing an action, are violated.
When there is a violation, the vulnerability can be exploited in two ways: vertically and horizontally. Let’s explain each one further below.
1. Vertical Privilege Escalation
This type of exploit happens when a user with a lower privilege level can perform actions with privileges above their level.
Therefore, this exploit can also be called an elevation of user privileges.
2. Horizontal Privilege Escalation
This type of exploit happens when a user can take on the role of another user at the same level of privilege, gaining access that would not initially be available to them.
Remember, when we refer to a user, it can also be a system or other application – that is, it is not necessarily a person.
How does Privilege Escalation work?
Well, now that we have seen what a Privilege Escalation vulnerability is, let’s see how it works, and what would be the best ways to act preventively.
Privilege Escalation attacks are usually one of the first steps attackers take toward a larger attack.
As we mentioned above, there are two possibilities for Privilege Escalation attacks: one focused on taking over a peer's permissions, and the other on gaining privileges above the current user's level.
So horizontal type attacks are used when there is an interest in obtaining information that the base user may not have access to.
That is, with this type of attack, the attacker would have access to data and information that can serve as a source for the next steps.
On web systems, for example, this type of attack would be the compromise of another peer, but with different permissions than the current user.
Imagine this horizontal attack on an e-commerce system, for example, or even on an internal business management system.
With this, the possibility of having access to other information is enormous.
However, the most dangerous type of attack usually ends up being vertical privilege escalation, where the attacker can compromise the system and gain access to user privileges above his current one.
This type of attack, which is also known as Elevation of Privilege, very commonly targets administrator users on Windows systems or root users on *NIX systems.
The potential impact of this type of attack is enormous since by gaining access as an administrator user, regardless of Windows or *NIX systems, the attacker would have full control over the system.
Now that we have seen the possibilities of vertical and horizontal attacks, as well as the ability of such an attack to compromise system security, let us focus on mitigations that concern application solution implementation.
Importantly, when it comes to Privilege Escalation in the Application Security scenario, risk mitigation should always be thought of from the inside out.
A culture of Continuous Security and the spread of a Secure Development program through training, and the formation of a Security Champions team will always be the best allies to keep the alert level high among those involved with Application Security.
1. Validate access control
Basically, a privilege escalation happens through a violation of permissions in an application.
This means that the access control validation process has failed.
In web applications, this is most common when access control is validated on the less secure side of the application, which is the client.
Validations of data and/or entries that are critical to the system should never be done on the client-side, and this is true for all aspects of security.
When systems are built to validate data on the client side and then transmit it to the server, that data may be manipulated by an attacker.
2. Always apply least privilege
In order to avoid privilege escalation, we need to understand that permissions on systems are basically implemented using a permission matrix, and these permissions must be related to functions that can be performed, always limited to the minimum necessary.
In the example above, we can see how previously defined functions are related to some specific permission that can be performed.
These permissions can be commands, actions or even access.
Thus, as we can see in the next image, these roles would be related to a user, who would have the permissions related to his role.
As we might imagine, the intersection between the user and the role determines which permissions the user has access to. Breaking or misapplying this relationship allows a Privilege Escalation attack.
Therefore, one of the ways to mitigate Privilege Escalation attacks is to correctly implement an access control system.
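The permission matrix and the user-role relationship described above can be enforced entirely on the server, as in this added example (not code from the article). The roles, permissions, users and orders are constructed sample data, and `authorize` and `handleOrderRequest` are hypothetical names; the check covers both the vertical case (the role lacks the permission) and the horizontal case (the record belongs to a peer).

```javascript
// Role -> permission matrix (constructed sample data for this example).
const ROLE_PERMISSIONS = new Map([
  ["customer", new Set(["order:read", "order:create"])],
  ["support", new Set(["order:read", "order:refund"])],
  ["admin", new Set(["order:read", "order:create", "order:refund", "user:manage"])],
]);
// Roles whose permissions apply only to records the caller owns.
const OWNER_SCOPED_ROLES = new Set(["customer"]);

// Server-side state. The role is looked up here and never read from the request.
const USERS = new Map([
  ["alice", { role: "customer" }],
  ["bob", { role: "customer" }],
  ["carol", { role: "support" }],
]);
const ORDERS = new Map([
  [1001, { owner: "alice" }],
  [1002, { owner: "bob" }],
]);

function authorize(sessionUser, permission, orderId) {
  const user = USERS.get(sessionUser);
  if (!user) return { allowed: false, reason: "unknown user" };

  // Vertical check: the user's role must grant the permission.
  const granted = ROLE_PERMISSIONS.get(user.role);
  if (!granted || !granted.has(permission)) {
    return { allowed: false, reason: "role lacks permission" };
  }
  // Horizontal check: owner-scoped roles may only touch their own records.
  if (orderId !== undefined) {
    const order = ORDERS.get(orderId);
    if (!order) return { allowed: false, reason: "no such order" };
    if (OWNER_SCOPED_ROLES.has(user.role) && order.owner !== sessionUser) {
      return { allowed: false, reason: "not the owner" };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Request handler: everything in the body, including a claimed role, is untrusted.
function handleOrderRequest(request) {
  const { permission, orderId } = request.body; // request.body.role is ignored
  return authorize(request.sessionUser, permission, orderId);
}
```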
The least privilege concept by OWASP
Testing on systems is of the utmost importance, and OWASP recognizes and offers help to support the testing.
Therefore, in this document OWASP shows a small example of how the least privilege concept can be understood and used to mitigate Privilege Escalation vulnerability.
The OWASP Testing Guide is a set of documents that helps developers perform a series of tests on their applications, one of which is Privilege Escalation related and is a highly recommended read.
2. Keep Server Side validation
The simplest way to avoid Privilege Escalation and maintain Application Security is to not transmit sensitive data to the client-side.
So using this approach means that the only thing that will be transmitted and received from the client-side will be the user session ID.
Keeping data on the server-side eliminates the possibility of the client altering it, since no manipulated data can be sent back to the system.
However, this is not always possible, so we need to understand what we are transmitting and how we can protect this data.
It is important to look for a way to keep as much sensitive data as possible being used and processed only on the server-side so that only the result is delivered to the user.
While this is a security approach to the application, maintaining server-side data brings a number of challenges.
Persistent session maintenance, for example, is one of these challenges, as well as the validation of each HTTP request itself.
Therefore, the implications of this type of protection should be carefully considered as they will impact system performance.
Nevertheless, we understand that such an approach is necessary for systems that operate in critical markets and can be highly targeted.
3. Be aware of cookies
When data does have to be sent to the client, modern frameworks can digitally sign it, ensuring that the data has not been changed when transmitted.
In Node.js frameworks, this can be done using cookie-parser with a secret.
This type of approach ensures data integrity while keeping data visible to the user.
Understand that, using this digital signature approach, both the HTTP response and the request still carry the entire session.
However, it is important to remember that extra care must be taken not to store too much data in the sessions.
After all, the more data is stored, the more processing each response needs, and the responsiveness of the site may be affected.
This will decrease the attacker’s chance to exploit Privilege Escalation and increase Application Security as access to the exchanged data will be much more difficult.
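The signing approach can be shown with Node's built-in crypto module. This is an added example, not code from the article or from cookie-parser: `signCookie`, `verifyCookie` and `tamperRole` are hypothetical helpers, the secret is a constructed value, and the `payload.tag` layout is an assumption chosen for the example.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed secret for the example; a real one comes from server-side configuration.
const SECRET = "example-only-secret";

function mac(value, secret) {
  return createHmac("sha256", secret).update(value).digest("base64url");
}

// Returns "<payload>.<tag>". The payload stays readable by the client.
function signCookie(data, secret = SECRET) {
  const payload = Buffer.from(JSON.stringify(data)).toString("base64url");
  return `${payload}.${mac(payload, secret)}`;
}

// Returns the parsed data, or null if the cookie is malformed or was altered.
function verifyCookie(cookie, secret = SECRET) {
  if (typeof cookie !== "string") return null;
  const dot = cookie.lastIndexOf(".");
  if (dot <= 0) return null;
  const payload = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(payload, secret));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }
  try {
    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Simulates a client-side edit: the payload is rewritten and the old tag is kept.
function tamperRole(cookie, newRole) {
  const [payload, tag] = cookie.split(".");
  const data = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  data.role = newRole;
  return `${Buffer.from(JSON.stringify(data)).toString("base64url")}.${tag}`;
}
```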
4. Implement data cryptography
If you want the session state to be more robust against change and to ensure the confidentiality of the data being transmitted, you will need to use encryption.
However, understand that using encryption adds processing overhead to your application, and this has to be planned for in advance.
In this process, you will need to encrypt each request and decrypt each response.
This ensures the security and confidentiality of exchanged data, making Privilege Escalation difficult.
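One way to get both confidentiality and change detection for session state held by the client is authenticated encryption, shown here with AES-256-GCM from Node's built-in crypto module. This is an added example, not code from the article: `sealSession`, `openSession` and `flipLastBit` are hypothetical helpers, the key is generated for the example, and the `iv || tag || ciphertext` layout is an assumption.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

// Constructed key for the example: 32 random bytes generated at start-up.
// A real deployment loads a persistent key from server-side secret storage.
const KEY = randomBytes(32);

// Encrypts session data; output is base64url(iv || tag || ciphertext).
function sealSession(data, key = KEY) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every token
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(data), "utf8"),
    cipher.final(),
  ]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64url");
}

// Returns the session data, or null if the token was altered or is malformed.
function openSession(token, key = KEY) {
  try {
    const raw = Buffer.from(token, "base64url");
    if (raw.length < 28) return null; // 12-byte IV + 16-byte tag
    const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plaintext = Buffer.concat([
      decipher.update(raw.subarray(28)),
      decipher.final(), // throws if the tag does not verify
    ]);
    return JSON.parse(plaintext.toString("utf8"));
  } catch {
    return null;
  }
}

// Simulates a client-side modification by flipping one bit of the ciphertext.
function flipLastBit(token) {
  const raw = Buffer.from(token, "base64url");
  raw[raw.length - 1] ^= 1;
  return raw.toString("base64url");
}
```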
What to expect?
This article is not meant to be a single reference document, because here we have just introduced the topic of Application Security Privilege Escalation.
Therefore, we seek to draw attention to the problem and point out some basic precautions that should be taken in order to avoid this type of exploitation.
We also hope to spur the search for more information about Privilege Escalation and other vulnerabilities, and that this can increasingly bring security to your applications.