What is Privilege Escalation?

By Prempal Singh 0 Comment August 10, 2019

Privilege escalation is an attack in which an attacker exploits a software bug, design flaw or misconfiguration to gain access to a resource that is normally protected from that application or user. The result is that malicious actions are carried out with greater privileges than the application developer or the system administrator intended. Known attacks of this type fall into two categories:

1. Vertical privilege escalation – from user to superuser:

A low-privileged user with a regular account on the system exploits a software vulnerability to reach functions or data that are accessible only to more privileged users or to the superuser (root or Administrator).

2. Horizontal privilege escalation – from one user to another user at the same level:

An ordinary user with normal access, or in some cases without any account on the system, exploits a vulnerability in the system or its software to reach functions or content that belong to other ordinary users. The attacker's privilege level does not rise; what changes is whose resources the attacker can reach. Some well-known privilege escalation attacks are described below.

Buffer overflow attacks

A buffer is a contiguous region of memory, such as an array in C. C does not check buffer boundaries automatically, so an overflow occurs when a program writes more data into a buffer than was reserved for it. Because the buffer has a fixed size, the excess bytes spill into the neighbouring memory and overwrite whatever was stored there. In the classic stack-based attack the attacker supplies input that fills the buffer and keeps going: the overflowed region carries code of the attacker's choosing, and the bytes that land on the function's saved return address redirect it back into the buffer, so that when the function returns the attacker's code runs with the privileges of the vulnerable program.

A widely known buffer overflow attack targeted Microsoft Outlook and Outlook Express in 2000. Because of a coding error by Microsoft, attackers could execute arbitrary code on the victim's computer simply by sending an e-mail. Unlike typical mail viruses, users could not protect themselves by refusing to open attachments, since the flaw was in the routine that parsed message headers; the malicious code ran at the moment the message was downloaded from the server. Other well-known buffer overflows used to elevate privileges targeted Sendmail, overflowing a buffer in the Sendmail (SMTP) MIME decoding routine on Linux and IMAP systems,

Typical countermeasures against buffer overflow attacks are writing code that checks every length before copying, marking the stack non-executable (so that code placed in the buffer cannot run), and the compiler's built-in checks such as stack canaries (gcc's -fstack-protector), which detect an overwritten return address before the function returns. None of these completely eliminates buffer overflows, because the C language itself performs no bounds checking and the checks depend on the developer's experience and discipline.
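The following is an added example, not code from the original article: it simulates the stack frame of a vulnerable function (a 16-byte buffer followed by the saved return address) inside one byte array, so the overwrite is deterministic rather than undefined behaviour, and places the unchecked strcpy-style copy beside a bounded copy that refuses oversized input. The buffer size, the frame layout and the address values are assumptions made for illustration.

```c
/* Added example (not from the original article): simulated stack frame showing how an
 * unchecked copy overwrites the saved return address, beside a bounded copy that rejects
 * oversized input. Frame layout, buffer size and addresses are assumed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16                 /* the char buf[16] the vulnerable function declares */
#define FRAME_SIZE (BUF_SIZE + 8)   /* buffer followed by the 8-byte saved return address */

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static void put_le64(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint64_t get_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void frame_init(frame_t *f, uint64_t saved_ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    put_le64(f->bytes + BUF_SIZE, saved_ret);   /* return address sits right after the buffer */
}
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern: like strcpy(buf, input), copies up to the NUL with no size check.
 * Returns the saved return address after the copy so the effect is observable. */
uint64_t vulnerable_copy(const char *input, uint64_t saved_ret) {
    frame_t f;
    frame_init(&f, saved_ret);
    size_t n = bounded_len(input, FRAME_SIZE);   /* clamp only keeps the simulation in-bounds */
    memcpy(f.bytes, input, n);                   /* n may exceed BUF_SIZE: bytes 16..23 land on the return address */
    return get_le64(f.bytes + BUF_SIZE);
}

/* Hardened pattern: check the length (with room for the terminator) before copying.
 * Returns 0 and the untouched return address, or -1 if the input does not fit. */
int safe_copy(const char *input, uint64_t saved_ret, uint64_t *ret_out) {
    frame_t f;
    frame_init(&f, saved_ret);
    size_t n = bounded_len(input, BUF_SIZE);
    if (n >= BUF_SIZE) return -1;                /* at most BUF_SIZE - 1 characters plus the NUL */
    memcpy(f.bytes, input, n + 1);
    *ret_out = get_le64(f.bytes + BUF_SIZE);
    return 0;
}

/* Build the classic payload: BUF_SIZE filler bytes, then the fake return address in
 * little-endian order. Fails if the address contains a zero byte, because a
 * strcpy-style copy would stop there. */
int build_payload(uint64_t fake_ret, char *out, size_t out_len) {
    if (out_len < FRAME_SIZE + 1) return -1;
    for (int i = 0; i < 8; i++)
        if (((fake_ret >> (8 * i)) & 0xff) == 0) return -1;
    memset(out, 'A', BUF_SIZE);
    put_le64((unsigned char *)out + BUF_SIZE, fake_ret);
    out[FRAME_SIZE] = '\0';
    return 0;
}

int main(void) {
    char payload[FRAME_SIZE + 1];
    uint64_t kept;
    build_payload(0x4242424242424242ULL, payload, sizeof payload);   /* constructed attacker input */
    printf("vulnerable: return address is now 0x%llx\n",
           (unsigned long long)vulnerable_copy(payload, 0x401136ULL));
    printf("hardened: %s\n",
           safe_copy(payload, 0x401136ULL, &kept) == -1 ? "input rejected" : "copied");
    return 0;
}
```

The vulnerable copy returns 0x4242424242424242 instead of the original 0x401136: the attacker now controls where the function returns. The bounded version rejects the same input before any byte is written, which is the check the countermeasures above ask for.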

Incorrect configuration attacks

Every security system has parameters that the administrator must set so that it enforces the intended security policy and exposes only the functionality users need. As a rule this means enabling only the necessary parts of the system and disabling the rest. A problem arises when the administrator forgets to disable parts that users do not need. Any incorrect or incomplete configuration can be used by attackers to get past a protective barrier or to learn about a possible vulnerability in the system. As a result, incorrect system configuration, together with software updates not installed in time, has become one of the most significant vulnerabilities enterprises have faced recently, and the forecast shows.

Well-known examples of such attacks are brute-force password attacks and the FTP write attack (FTPWrite). In a brute-force attack the attacker knows the username and tries passwords from a list of candidates; if the administrator has not changed the default username and password, guessing succeeds very quickly. A brute-force attack can be detected and blocked by setting a maximum number of failed login attempts for each service and, where needed, inserting a delay between two consecutive login attempts. The FTP write attack uses the guest account: if the permissions of the guest user and of the home directories are misconfigured, the guest can create and upload files into the directories of other users or of the superuser, for example a .rhosts file, which then lets the attacker log in with greater rights than the guest account has. Monitoring guest accounts and tracking the files they create stops this kind of attack.
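The following is an added example, not code from the original article: it implements the failed-login countermeasure described above as a small per-account state machine that counts failures, inserts a growing delay between attempts and locks the account at a threshold. The threshold of five failures, the doubling delay starting at one second and the 60-second cap are assumed values chosen for illustration.

```c
/* Added example (not from the original article): failed-login counting with a
 * growing delay and a lockout threshold. MAX_FAILURES, the base delay and the
 * cap are assumed values. */
#include <stdio.h>

#define MAX_FAILURES 5
#define BASE_DELAY_SECONDS 1
#define MAX_DELAY_SECONDS 60

enum { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_THROTTLED, LOGIN_LOCKED };

typedef struct {
    int failures;        /* consecutive failures since the last successful login */
    long next_allowed;   /* earliest time (seconds) at which the next attempt is accepted */
} login_state_t;

/* Delay after the n-th consecutive failure: 1, 2, 4, 8, ... seconds, capped. */
long backoff_seconds(int failures) {
    long d = BASE_DELAY_SECONDS;
    for (int i = 1; i < failures && d < MAX_DELAY_SECONDS; i++) d *= 2;
    return d > MAX_DELAY_SECONDS ? MAX_DELAY_SECONDS : d;
}

/* password_ok is the outcome of the credential check; now is the current time in seconds.
 * A throttled attempt is rejected without consulting the password at all, so the
 * attacker learns nothing from it. */
int record_attempt(login_state_t *s, int password_ok, long now) {
    if (s->failures >= MAX_FAILURES) return LOGIN_LOCKED;   /* stays locked until an admin resets it */
    if (now < s->next_allowed) return LOGIN_THROTTLED;
    if (password_ok) {
        s->failures = 0;
        s->next_allowed = 0;
        return LOGIN_OK;
    }
    s->failures++;
    s->next_allowed = now + backoff_seconds(s->failures);
    return s->failures >= MAX_FAILURES ? LOGIN_LOCKED : LOGIN_BAD_PASSWORD;
}

int main(void) {
    /* Constructed scenario: an attacker runs a password list against one account,
     * retrying every 3 seconds. */
    const char *names[] = { "OK", "BAD_PASSWORD", "THROTTLED", "LOCKED" };
    login_state_t acct = { 0, 0 };
    long now = 0;
    for (int attempt = 1; attempt <= 8; attempt++) {
        int result = record_attempt(&acct, 0, now);
        printf("t=%3lds attempt %d: %-12s (failures=%d, next allowed at %lds)\n",
               now, attempt, names[result], acct.failures, acct.next_allowed);
        now += 3;
    }
    return 0;
}
```

With these settings the attacker gets only five real password checks before the account locks, and the widening delay means several of the eight attempts are thrown away unchecked; per-service limits for FTP or SSH work the same way, with the state keyed by account or source address.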

Man-In-The-Middle Attack

The Man-In-The-Middle (MITM) attack is a form of active interception in which an attacker controls the whole dialogue between two victims: the attacker opens an independent connection with each of them and relays messages between the two, so that each victim believes it is talking directly and privately to the other. To succeed, the attacker must be able to intercept every message between the two victims, inject new ones and impersonate each endpoint. Although most cryptographic protocols include some form of endpoint authentication that defeats MITM attacks, the technique is still widely used on networks where that authentication is missing, for example against users of a public wireless network.

A strong, authenticated encryption mechanism is the best countermeasure against MITM attacks: use SSH instead of Telnet, encrypt files with a tool such as PGP or Entrust, and verify the session with a checksum or similar integrity check so that a substituted message is detected.
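The following is an added example, not code from the original article: it runs a small Diffie-Hellman key exchange twice, once honestly and once with an interceptor who replaces both public values, which leaves the two endpoints with different keys that the interceptor both knows. It then shows the "session checksum" idea from the paragraph above as a tag over the exchanged values keyed by a secret the interceptor lacks, which no longer matches on the receiving side once a value has been substituted. The modulus, generator, private values, pre-shared secret and the FNV-1a-based tag are all assumptions for illustration; the tag is a toy, not a cryptographic MAC, and real protocols use HMAC or signatures for this step.

```c
/* Added example (not from the original article): unauthenticated Diffie-Hellman
 * intercepted by a relaying attacker, beside a transcript tag keyed by a pre-shared
 * secret that exposes the substitution. All parameters are assumed; the tag is a toy. */
#include <stdint.h>
#include <stdio.h>

#define P 4294967291ULL   /* prime 2^32 - 5: products of two residues fit in 64 bits */
#define G 5ULL            /* assumed generator */

/* Square-and-multiply modular exponentiation. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

typedef struct {
    uint64_t alice_key, bob_key;                  /* what each endpoint believes the shared key is */
    uint64_t mallory_key_alice, mallory_key_bob;  /* the keys the interceptor holds towards each side */
} dh_result_t;

/* Alice sends A = G^a, Bob replies B = G^b. With intercept set, Mallory (private m)
 * swaps each public value for her own M = G^m before relaying it. */
dh_result_t run_dh(uint64_t a, uint64_t b, uint64_t m, int intercept) {
    dh_result_t r;
    uint64_t A = modpow(G, a, P), B = modpow(G, b, P), M = modpow(G, m, P);
    uint64_t seen_by_bob   = intercept ? M : A;
    uint64_t seen_by_alice = intercept ? M : B;
    r.alice_key = modpow(seen_by_alice, a, P);
    r.bob_key   = modpow(seen_by_bob, b, P);
    r.mallory_key_alice = intercept ? modpow(A, m, P) : 0;   /* equals Alice's key */
    r.mallory_key_bob   = intercept ? modpow(B, m, P) : 0;   /* equals Bob's key */
    return r;
}

/* Toy keyed tag: FNV-1a over psk || v1 || v2. Illustrates transcript authentication only. */
static uint64_t fnv1a_u64(uint64_t h, uint64_t v) {
    for (int i = 0; i < 8; i++) {
        h ^= (v >> (8 * i)) & 0xff;
        h *= 1099511628211ULL;
    }
    return h;
}
uint64_t transcript_tag(uint64_t psk, uint64_t v1, uint64_t v2) {
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a_u64(h, psk);
    h = fnv1a_u64(h, v1);
    return fnv1a_u64(h, v2);
}

/* Alice tags (value she sent, value she received) and sends the tag; Mallory cannot
 * recompute it without psk, so she relays it unchanged. Bob recomputes the tag over
 * (value he received, value he sent) and compares. Returns 1 if the views agree. */
int transcript_matches(uint64_t psk, uint64_t a, uint64_t b, uint64_t m, int intercept) {
    uint64_t A = modpow(G, a, P), B = modpow(G, b, P), M = modpow(G, m, P);
    uint64_t alice_tag = transcript_tag(psk, A, intercept ? M : B);
    uint64_t bob_tag   = transcript_tag(psk, intercept ? M : A, B);
    return alice_tag == bob_tag;
}

int main(void) {
    /* Constructed private values and pre-shared secret. */
    uint64_t a = 123456, b = 654321, m = 777777, psk = 0x5EC12E7ULL;
    dh_result_t honest = run_dh(a, b, m, 0), mitm = run_dh(a, b, m, 1);
    printf("honest:      alice=%llu bob=%llu\n",
           (unsigned long long)honest.alice_key, (unsigned long long)honest.bob_key);
    printf("intercepted: alice=%llu bob=%llu (mallory holds both)\n",
           (unsigned long long)mitm.alice_key, (unsigned long long)mitm.bob_key);
    printf("transcript check: honest=%d intercepted=%d\n",
           transcript_matches(psk, a, b, m, 0), transcript_matches(psk, a, b, m, 1));
    return 0;
}
```

Without the keyed check, nothing in the exchange tells Alice or Bob that they are each talking to Mallory; the mismatch surfaces only because the tag binds the values each side actually saw to a secret the interceptor does not have. This is the role that host keys play in SSH and certificates in TLS, which is why the paragraph above prefers them over unauthenticated channels such as Telnet.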
