Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.
Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.
We conducted a short piece of research work on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly the data indicates a significant rise in EoP vulnerabilities over the past two–and-half years.
From our research set on Microsoft Windows operating system vulnerabilities found over the time period mentioned earlier, we found that out of 700 vulnerabilities, 115 vulnerabilities were Privilege Escalation vulnerabilities, i.e. approximately 16%. It is clear from the research data set that attackers or malware writers are focusing more on EoP vulnerabilities to carry out their malicious attack as silently as possible.
Standalone exploitation of EoP vulnerability might not be sufficient for the attacker to achieve the required destructive behavior thus forcing the attacker to look for yet more vulnerability in the system to exploit.
The following is a list of commonly exploited Windows components:
| The Group Policy Service |
| Windows kernel-mode driver (Win32k.sys) |
| Cryptography Next Generation kernel-mode driver (cng.sys) |
| WebDAV kernel-mode driver (mrxdav.sys) |
| TS WebProxy Windows component |
| Windows User Profile Service (ProfSvc) |
| Microsoft IME |
| TypeFilterLevel Checks |
| Windows audio service component |
| Windows TCP/IP stack (tcpip.sys, tcpip6.sys) |
| Kerberos KDC |
| FASTFAT system driver, FAT32 disk partitions |
| Message Queuing service |
| .NET Framework |
| Windows Task Scheduler |
| Windows Installer service |
| DirectShow |
| Ancillary Function Driver |
| On-Screen Keyboard |
| ShellExecute API |
| TypeFilterLevel checks |
| Group Policy preferences |
| NDProxy component |
| Local Remote Procedure Call |
| Windows audio port-class driver (portcls.sys) |
| Hyper-V |
| USB drivers |
| Windows App Container |
| DirectX graphics kernel subsystem (dxgkrnl.sys) |
| Service Control Manager (SCM) |
| NT Virtual DOS Machine (Ntvdm.exe) |
| asynchronous RPC requests handling (Rpcss.dll) |
| TrueType font files handling |
| Windows Print Spooler (Win32spl.dl) |
| NTFS kernel-mode driver (ntfs.sys) |
| Windows CSRSS (cmd.exe) |
| Remote Desktop ActiveX control (mstscax.dll) |
| Windows USB drivers |
We see that the attackers often aim at a relatively highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.
Techniques employed by malware writer constantly evolve to achieve the desired privilege escalation undetected. There are many privilege elevation techniques publicly available online, such as:
- METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
- Exploiting The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer to gain kernel privilege with the only “patch” being a replacement of the DRAM!
Sometimes it is simply not possible to patch a vulnerability.
Elevation of Privilege is not limited only to operating systems but is also witnessed in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of Internet of Things across devices everywhere, the effect of exploiting an Elevation of Privilege vulnerability in just one of the links in Internet of Things could give the attacker complete control of the whole system.
Image courtesy of:
tompattersontalks.blogspot.in
Priyal Viroja, Vulnerability Researcher, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: https://labs.k7computing.com/feed/
