Privilege Escalation
Programs run in a context: their access rights and privileges are controlled by that context. Most
programs run in the context of the invoking user. If system access rights are
set up correctly, you can create, modify, or delete items you own, but critical
system objects are protected by being outside your context. Malicious code
writers want to be able to access not just your objects but those outside your
context as well. To do this, the malicious code has to run with privileges
higher than you have. A privilege
escalation attack is a means for malicious code to be launched by a user
with lower privileges but run with higher privileges.
A Privilege Escalation Example
In April 2006, Symantec
announced a fix to a flaw in their software (bulletin Sym06-007). Symantec
produces security software, such as virus scanners and blockers, e-mail spam
filters, and system integrity tools. So that a user's product will always have
up-to-date code and supporting data (such as virus definition files), Symantec
has a Live Update option by which the product periodically fetches and installs
new versions from a Symantec location. A user can also invoke Live Update at
any time to get up-to-the-minute updates. The Live Update feature has to run
with elevated privileges because it will download and install programs in the
system program directory. The update process actually involves executing
several programs, which we will call LU1, LU2, Sys3, and Sys4; LU1 and LU2 are
components of Live Update, and Sys3 and Sys4 are standard components of the
operating system. These four pieces complete the downloading and installation.
Operating systems use what is
called a search path to find programs to execute. The search path is a list of
directories or folders in which to look for a program that is called. When a
program A calls a program B, the operating system looks for B in the first
directory specified in the search path. If the operating system finds such a
program, it executes it; otherwise, it continues looking in the subsequent
directories in the search path until it finds B or it fails to find B by the
end of the list. The operating system uses the first B it finds. The user can
change the search path so a user's program B would be run instead of another
program of the same name in another directory. You can always specify a
program's location explicitly (for example, c:\program files\symantec\LU1) to
control precisely which version runs.
In some releases for the
Macintosh, Symantec allowed Live Update to find programs from the search path
instead of by explicit location. Remember that Live Update runs with elevated
privileges; it passes those elevated privileges along to Sys3 and Sys4. But if
the user sets a search path starting in the user's space and the user happens
to have a program named Sys3, the user's version of Sys3 runs with elevated
privileges.
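The search-path lookup and the Sys3 shadowing described above, modelled in Python as an added example (not code from the original text or from Symantec). The directory names, the `resolve_program` and `shadowing_dirs` functions and the scenario in `demo` are all constructed for illustration; the explicit-path rule (a name containing a separator skips the search) follows the usual execvp convention.

```python
import tempfile
from pathlib import Path

def resolve_program(name, search_path):
    """Model the OS lookup described above: an explicit path (one containing a
    separator) is used as-is; a bare name is searched directory by directory and
    the FIRST match wins. Returns a Path, or None if nothing is found."""
    if "/" in name or "\\" in name:
        explicit = Path(name)
        return explicit if explicit.is_file() else None
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None

def shadowing_dirs(name, search_path, trusted_dirs):
    """Defensive check: list the directories searched BEFORE the first trusted one
    that already hold a file called `name`, i.e. copies that would shadow the
    system program whenever a privileged caller relies on the search path."""
    found = []
    for directory in map(Path, search_path):
        if directory in trusted_dirs:
            break                      # everything after here sits behind the trusted copy
        if (directory / name).is_file():
            found.append(directory)
    return found

def demo():
    """Constructed scenario: a 'system' directory and a user-writable directory
    both contain a Sys3; only the search-path order decides which one runs."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root) / "system"   # stands in for the OS program directory
        user_dir = Path(root) / "user"       # stands in for the user's own space
        for d in (system_dir, user_dir):
            d.mkdir()
            (d / "Sys3").write_text(f"#!/bin/sh\necho {d.name}\n")
        trusted = {system_dir}
        hijacked = [user_dir, system_dir]    # user space searched first (the bug pattern)
        safe = [system_dir, user_dir]        # system directory searched first
        return {
            "hijacked_resolves_to": resolve_program("Sys3", hijacked).parent.name,
            "safe_resolves_to": resolve_program("Sys3", safe).parent.name,
            # explicit location: the search path is ignored entirely
            "explicit_resolves_to": resolve_program(str(system_dir / "Sys3"), hijacked).parent.name,
            "hijacked_shadowers": [d.name for d in shadowing_dirs("Sys3", hijacked, trusted)],
            "safe_shadowers": [d.name for d in shadowing_dirs("Sys3", safe, trusted)],
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A privileged updater that calls helpers by explicit location, or that audits its search path with a check like `shadowing_dirs` before invoking them, never hands its privileges to the user's copy.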
Impact of Privilege Escalation
A malicious code writer likes
a privilege escalation. Creating, installing, or modifying a system file is
difficult, but it is easier to load a file into the user's space. In this
example, the malicious code writer only has to create a small shell program,
name it Sys3, store it anywhere (even in a temporary directory), reset the
search path, and invoke a program (Live Update). Each of these actions is
common for nonmalicious downloaded code.
The result of running this
attack is that the malicious version of Sys3 receives control in privileged
mode, and from that point it can replace operating system files, download and
install new code, modify system tables, and inflict practically any other harm.
Having run once with higher privilege, the malicious code can set a flag to
receive elevated privileges in the future.