• United States



CSO Senior Writer

Privilege escalation explained: Why these flaws are so valuable to hackers

Jul 07, 202011 mins
Access ControlAuthenticationSecurity

Attackers use privilege escalation flaws to gain access to systems and applications. Patching and monitoring are the most important ways to stop them.

access control / authentication / privileges / security / key
Credit: Cybrain / Getty Images

Privilege escalation definition

Privilege escalation vulnerabilities are security issues that allow users to gain more permissions and a higher level of access to systems or applications than their administrators intended. These types of flaws are valuable for attackers because they’re needed for full exploit chains but can be overlooked by defenders or developers because of their lower severity scores.

In general, any violation of an intentional security boundary can be considered a privilege escalation issue, including gaining kernel access from a user application in an operating system, escaping a virtual machine to access the underlying hypervisor, gaining domain administrator access from a workstation, or gaining privileged roles in public clouds by exploiting misconfigurations.

Why privilege escalation flaws are dangerous

In the security community, a lot of attention is put on vulnerabilities that can result in arbitrary code execution, especially those that can be exploited remotely — remote code execution (RCE). These flaws tend to have the highest severity scores, but part of the reason for this is historical, with defenders traditionally focusing on preventing hackers from gaining access to their systems in the first place.

While this continues to be important, in the modern threat landscape hackers can gain access to a system in a variety of ways, not just by exploiting RCE flaws. Phishing emails with malicious attachments remain one of the most common ways attackers break into networks while taking advantage of weak or stolen credentials is another popular method.

Because of the human behavior element, which is hard to control through technical means, the defense mindset has shifted in recent years from threat prevention to threat detection and containment. Prevention is still important, but security planning is now built on the premise that attackers will likely gain access to a system in one way or another. The ability to limit the impact of unauthorized access is therefore seen as vital to enterprise security as is preventing unauthorized access.

Operating system and application developers have made great strides to both prevent the exploitation of certain types of memory corruption flaws and contain the damage if it happens. This is why there’s been so much talk over the past decade about least-privilege principles, zero-trust network architectures, application sandboxing, kernel memory space isolation, virtualization and containerization, splitting up monolithic applications into microservices and other such techniques.

It’s rare these days to find an RCE vulnerability in an application that, just by itself, could lead to a complete compromise of the underlying system. Modern attacks require exploit chains that combine different vulnerabilities — for example, a memory safety bug to achieve arbitrary code execution, an information leak to bypass memory randomization defenses like ASLR, and a privilege escalation issue to gain full system access. Privilege escalation flaws are therefore critical to attacking modern applications and operating systems and hackers are willing to pay a lot of money for them.

Exploit acquisition platform Zerodium is offering $10,000 for an antivirus local privilege escalation, $80,000 for a privilege escalation in Windows and $200,000 for a VMware virtual machine escape. More importantly, many of the application-specific exploit chains the company buys, such as those targeting browsers and mobile operating systems where processes are sandboxed, always require a remote code execution combined with a privilege escalation. A Chrome RCE + LPE chain costs up to $500,000 and a WhatsApp RCE+LPE chain costs $1.5 million.

How common are privilege escalation vulnerabilities?

The attack surface for privilege escalation vulnerabilities is large when it comes to operating systems. There are many OS services, drivers and other technologies that run with system privileges and expose functionality to userspace applications through APIs. If access to those capabilities is not properly controlled and restricted, attackers can leverage them to perform privileged tasks.

Researchers from security firm CyberArk recently found a privilege escalation vulnerability in Windows Group Policy, the primary mechanism for centrally managing the settings of Windows computers and users in Active Directory environments. The flaw affected all Windows versions starting with Windows Server 2008 (which was released 12 years ago) and was the result of an improper access check in the policy update routine. Previously, the company found over 60 privilege escalation flaws across products from major vendors as part of a year-long research project.

Many privilege escalation issues fall in the category of logic or design flaws rather than code bugs, but while code vulnerabilities can be prevented by developers adopting secure programming practices, logic flaws are the result of failing to consider the security implications of legitimate features or functionality. This behavior is much harder to correct and requires a shift-left mentality — bringing security early into the design stage of development.

According to the latest report on the state of vulnerabilities released by the European Union Agency for Cybersecurity (ENISA), weaknesses related to permissions, privileges and access controls were the sixth most common source of vulnerabilities and the fourth in terms of severity score. In terms of popularity of attacker techniques based on MITRE’s ATT&CK framework, privilege escalation was the third most common one after persistence and defense evasion.

Microsoft’s monthly security bulletins frequently include patches for privilege escalation flaws found in services and system drivers, but third-party drivers created by hardware component manufacturers are plagued by similar issues.

Last year, researchers from security firm Eclypsium found vulnerabilities and design flaws in 40 Windows drivers from over 20 different hardware vendors. More recently, the researchers disclosed a vulnerability in a driver commonly used in ATMs and point-of-sale devices from financial device manufacturer Diebold Nixdorf, highlighting the risk of such flaws to embedded devices that have a long shelf life and are hard to update. The Linux kernel and other Linux utilities have been plagued by high severity privilege escalation vulnerabilities over the years, too, so this is not just a Windows ecosystem problem.

“Most of the time they’re architectural vulnerabilities and not implementation ones,” Jesse Michael, principal researcher at Eclypsium tells CSO. “But because developers didn’t understand how the architecture itself or the design can be misused, they built something that’s fundamentally insecure. The resulting code doesn’t technically have a vulnerability and just does what they intended it to do, but it does it for everybody, not just their specific application.”

Another large attack surface for privilege escalation is DLL hijacking or DLL preloading. This refers to applications attempting to load dynamic link libraries (DLLs) without specifying a fully qualified path. In those cases, Windows automatically searches for those DLLs in various predefined locations in a particular order, so if attackers manage to place a malicious DLL with the correct name in a location that’s earlier in the search path than the legitimate DLL, the applications will load the malicious one instead. If those applications, or services, happen to run with elevated privileges, the malicious code will inherit their permissions.

In many cases the loading of DLLs is conditional, for example “search for this DLL and load it if it exists to extend the application’s functionality,” which is common for application plug-ins and external modules. In many cases, the searched-for DLLs might not exist by default and attackers can place a malicious one anywhere in the search path where they have access. Microsoft provides guidance for developers on how to avoid some of these pitfalls, but DLL hijacking attacks remain prevalent.

“There are thousands of them that we see every day,” Shay Nahari, head of Red Team Services at CyberArk, tells CSO. “Microsoft does provide a solution, but it’s very hard to specify the location every time you load a library. Even if you do it the right way, there are still things beyond your control. It’s just the fundamental way in which Windows programs operate, so DLL hijacking is definitely still valid and it’s probably the biggest source of privilege escalation in Windows that we see today.”

Types of privilege escalation

Like arbitrary code execution, privilege escalation issues can be local or remote, depending on the type of access available to the attacker. However, they can occur at the application level, where an attacker gains administrative access to an application from a lower-privileged user; at the OS level, when the attacker gains kernel or system-level access from a restricted user account; at the domain level, when the attacker manages to gain domain administrator in a Windows Active Directory network; and even across network boundaries, from a local network to the cloud.

OS-level privilege escalation often receives the biggest attention, but access control issues that allow attackers to move laterally through networks and gain domain access are also often exploited in attacks. Similarly, cloud infrastructure misconfigurations where applications or virtualized servers run with more privileges than they require are common. “At the domain level the biggest privilege escalation vector that we have seen and exploited to gain domain admin without hours almost every single time, are service accounts,” Nahari says.

In an Active Directory network any user can request a service ticket for any resource in the domain, even if they don’t have privileges to access it. The service tickets are encrypted with the password of the user or service account, so technically they can’t be used directly by unauthorized users. However, they can be cracked offline with brute-force techniques without risking the account being blocked.

“When you look at big organizations, you’re probably going to have hundreds of such service accounts available and any user can request service tickets for all those accounts and then try to crack them offline,” Nahari says. “I guarantee you will successfully be able to crack at least one or two, which means you’ll probably gain domain admin in a matter of minutes. This is not a new attack, but it’s extremely efficient and very common in almost any organizations we’re testing today.”

At the cloud level, the most common causes for privilege escalation is the use of overly permissive identity and access management (IAM) roles. Any user of a box provisioned in the cloud, regardless of cloud provider, can request a metadata URL that will contain the credentials of the IAM role that provisioned that box. According to Nahari, this is by design, and eight out of ten times the IAM role that was used to provision a server will be powerful and potentially even provide access to the organization’s entire cloud infrastructure. These issues are often the result of automated provisioning of cloud servers where administrators took the easiest approach, despite warning from cloud providers on the proper use of IAM roles.

What this means in practice is that a simple web application vulnerability that allows an attacker to perform requests from inside the local machine can potentially become a full compromise of the entire cloud infrastructure because of improper use of IAM roles, Nahari says.

Privilege escalation issues can also be catalogued as vertical or horizontal. Vertical privilege escalation is when the attacker manages to gain more privileges than those of the account they already have access to, like gaining access to a more privileged account such as an administrator. Horizontal privilege escalation is when the attacker manages to gain access to the resources of a different user that has the same privileges as their own account, but whose resources are supposed to be protected from other users.

How to defend against privilege escalation

When it comes to OS-level privilege escalation vulnerabilities, it’s vital to install security patches as soon as possible, not only for the OS, but for all third-party applications used on the system.

Application whitelisting technologies can be used to restrict which programs may run on a system, enabling organizations to reduce a machine’s attack surface. Making sure that unneeded services are turned off and that unused hardware components and drivers are disabled is also very important.

According to Nahari, organizations should focus their monitoring on privileged access because their security model should assume that code is already running without authorization on at least one machine in their networks, regardless of how that might have happened. “It’s hard to monitor every time a user runs something on any device, but it’s relatively easier to monitor what is using privileged access in your domain,” he says. “So, I think this is a good opportunity for organizations to kind of narrow down their detection and prevention.”

CyberArk has released various open-source tools that can be used to detect DLL hijacking, find shadow admins in AD environments, manage secrets and application identities, scan Kubernetes clusters for risky permissions and more. Other commercial products and free tools can scan cloud deployments for insecure configurations including IAM roles.

After designing their networks and cloud infrastructures following least privilege principles, organizations should regularly hire external security teams to perform penetration testing with a focus on privilege escalation. Since most automated attacks rely on exploit chains that combine multiple vulnerabilities, breaking one link in that chain can prevent the whole attack from succeeding.