Remote Privilege Elevation

Remote privilege elevation can be classified into one of two categories.
The first category is remote unprivileged access, which gives a remote user unauthorized
access to a system as a regular user. The second type of remote privilege
elevation is instantaneous administrative access.

A number of different vectors can allow a user to gain remote access to a
system. These include topics we have previously discussed, such as the failure of
Web interfaces to filter special characters, code execution through methods such as
buffer overflows or format string bugs, and the use of data obtained through information
leakage. All of these problems pose serious threats, and the end result can be
disastrous.

Remote Unprivileged User Access

Remote privilege elevation to an unprivileged user is normally gained by
attacking a system and exploiting an unprivileged process. This is defined as an
elevation of privileges mainly because the attacker previously did not have access
to the local system, but does now. Some folks may scoff at this idea, as I once did.
David Ahmad, the moderator of Bugtraq, changed my mind.
One night over coffee, he and I got on the topic of gaining access to a
system. With my history of implementing secure systems, I was entirely convinced
that I could produce systems that were near unbreakable, even if an attacker were
to gain local access. I thought that measures such as non-executable stacks,
restricted shells, chrooted environments, and minimal setuid programs could keep
an attacker from gaining administrative access for almost an eternity. Later on that
evening, Dave was kind enough to show me that I was terribly, terribly wrong.
Attackers can gain local, unprivileged access to a system in a number of
ways. One way is to exploit an unprivileged service, such as the HTTP daemon,
a chrooted process, or another service that runs as a standard user. Aside from
remotely executing code to spawn a shell through one of these services, attackers
can potentially gain access through other vectors. Passwords gained through ASP
source could lead to an attacker gaining unprivileged access under some circumstances.
A notorious problem is, as we discussed previously, the lack of special-character
filtering by Web interfaces. If an attacker can pass special characters
through a Web interface, the attacker may be able to bind a shell to a port on the
system. Doing so will not gain the attacker administrative privileges, but it will
gain the attacker access to the system with the privileges of the HTTP process.
Once inside, to quote David Ahmad, "it's only a matter of time."

Remote Privileged User Access

Remote privileged user access is the more serious of the two problems. If a
remote user can obtain access to a system as a privileged user, the integrity of the
system is destined to collapse. Remote privileged user access can be defined as an
attacker gaining access to a system with the privileges of a system account. These
accounts include uucp, root, bin, and sys on UNIX systems, and Administrator or
LocalSystem on Windows 2000 systems.
The methods of gaining remote privileged user access are essentially the same
as those used in unprivileged user attacks. A few key differences separate the
two, however. One difference is in the service exploited. To gain remote access as
a privileged user, an attacker must exploit a service that runs as a privileged user.
The majority of UNIX services still run as privileged users. Some of these,
such as telnet and SSH, have recently been the topic of serious vulnerabilities.
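Since the privileges an attacker inherits are exactly those of the service that was exploited, a useful defensive check is to audit which listening services on a UNIX host run as root or as another system account (uucp, bin, sys and the like, as listed above). The following script is an added example and is not from the book; it parses lines in the format of the Linux /proc/net/tcp file and flags LISTEN sockets owned by privileged uids. The sample socket table and the uid-to-name map are constructed for the example, and the convention that uids below 1000 are system accounts is an assumption.

```python
import socket
import struct

LISTEN_STATE = "0A"      # value of the 'st' column for LISTEN in /proc/net/tcp
SYSTEM_UID_MAX = 999     # assumption: uids below 1000 are system accounts

# Constructed stand-in for /etc/passwd (uids and names are assumptions)
SAMPLE_PASSWD = {0: "root", 10: "uucp", 33: "www-data", 1000: "alice"}

# Constructed sample in /proc/net/tcp layout: hex IPv4:port, state, uid in column 7.
# Listeners on 22 (root), 80 (www-data), 25 (uucp), 8080 (regular user),
# plus one ESTABLISHED connection owned by root that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000    10        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:C350 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 12349 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0016' (little-endian hex IPv4, hex port) into ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the socket table into dicts with ip, port, state and owning uid."""
    entries = []
    for line in text.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])
        entries.append({"ip": ip, "port": port, "state": fields[3], "uid": int(fields[7])})
    return entries


def privileged_listeners(entries, names=SAMPLE_PASSWD, system_uid_max=SYSTEM_UID_MAX):
    """Return (port, ip, uid, name) for every LISTEN socket owned by a system account."""
    found = []
    for e in entries:
        if e["state"] != LISTEN_STATE or e["uid"] > system_uid_max:
            continue
        found.append((e["port"], e["ip"], e["uid"], names.get(e["uid"], "?")))
    return sorted(found)


def audit(text=SAMPLE_PROC_NET_TCP):
    """Run the audit over a socket table; defaults to the constructed sample."""
    return privileged_listeners(parse_proc_net_tcp(text))


if __name__ == "__main__":
    for port, ip, uid, name in audit():
        tag = "ROOT" if uid == 0 else "SYSTEM"
        print(f"{tag:6} {ip}:{port} owned by uid {uid} ({name})")
```

On a live Linux host, pass the real table with `audit(open("/proc/net/tcp").read())` and build the name map from the pwd module; every root-owned listener in the report is a service whose compromise yields immediate administrative access, which is why the example separates root from other system accounts.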
The SSH bug is particularly serious. The bug, discovered by Michal
Zalewski, was announced in February of 2001. Forgoing the deeply
technical details of the attack, the vulnerability allowed a remote user to initiate a
malicious cryptographic session with the daemon. Once the session was initiated,
the attacker could exploit a flaw in the protocol to execute arbitrary code, which
would run with administrative privileges, and bind a shell to a port with the
effective userid of 0.
Likewise, the recent vulnerability in Windows 2000 IIS made possible a
number of attacks on Windows NT systems. IIS 5.0 executes with privileges
equal to those of the Administrator. The problem was a buffer overflow in the
ISAPI indexing infrastructure of IIS 5.0. This problem enabled numerous
intrusions, including the Code Red worm and its variants.
Remote privileged user access is also the goal of many Trojans and backdoor
programs. Programs such as SubSeven, Back Orifice, and the many variants produced
can be used to give an attacker remote administrative privileges on an
infected system. These programs usually involve social engineering, broadly defined
as using misinformation or persuasion to encourage a user to execute the program.
Though the execution of these programs does not itself give an attacker elevated
privileges, the use of social engineering by an attacker to encourage a privileged
user to execute the program can allow privileged access. Upon execution, the
attacker need only use the malicious program's communication channel to watch
the infected system, perform operations from the system, and
even control the user's ability to operate on the system.
Other attacks may gain a user access that is not administrative, but privileged
nonetheless. An attacker gaining this type of access is afforded luxuries over the
standard user, because this access extends to some system binaries, as
well as some sensitive system facilities. A user exploiting a service to gain access as
a system account other than Administrator or root will likely later gain administrative
privileges. These same concepts may also be applied to local privilege elevation.
Through social engineering or execution of malicious code, a user with local
unprivileged access to a system may be able to gain elevated privileges on the
local host.