Privilege escalation, why should I care?
Last Updated: 2013-05-22 16:10:59 UTC
by Adrien de Beaupre (Version: 1)
In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant I often hear what I term 'interesting' responses. When a penetration tester calls something interesting you should probably pay attention :)
The IDS only listens external to the firewall? SharePoint is directly exposed to the Internet? The WAF protects against attacks therefore we don't have to fix the application? The VMs are all physically on the same host? The DMZ and the internal VLAN are physically on the same switch? You don't bother with privilege escalation patches? All quite interesting.
One of the responses I have heard multiple times is that privilege escalation vulnerabilities are a low priority because they require the attacker have local access. Meaning that that would be very difficult to pull off, therefore we don't have to worry about it. This also assumes that every single account holder is 100% gruntled all of the time, and that nobody ever makes a mistake. Meaning that we can trust everyone who accesses our networks and applications. Which I also find to be 'interesting' :)
There are multiple types of privilege attacks. The first is privilege escalation, where someone who has valid credentials or means to access a network or application can raise their level of access to a more privileged level. Like getting root on a Unix system for example, or becoming Domain admin before lunch on day 1, or assuming a higher role within an application. Impersonation attacks are similar however they entail becoming a different user, often with the same level of privilege, but with way more money in their account :) which soon finds its way to a non-extradition treaty country.
If the major difference between a remote exploit and a local one is that a network connection is required for the former, and not for the latter, does this mean that local priv escalation attacks cannot be performed across the network? Actually no. If an attacker can gain access to a system through a client side exploit, they may then effectively become the local user, and escalate to local system. Local system priv on a Windows computer is just a hop, skip, and jump away from being Domain administrator.
In a recent discussion about the priority to be assigned to patch one comment was "It's only a privilege escalation!". Yes, you are correct, and that is an interesting statement was my response.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule
If you have more information or corrections regarding our diary, please share.
Diary Archive
| Date | Author | Title |
|---|---|---|
| 2013-05-22 | Adrien de Beaupre | Privilege escalation, why should I care? (13 Comments) |
| 2013-05-21 | Adrien de Beaupre | Moore, Oklahoma tornado charitable organization scams, malware, and phishing (0 Comments) |
| 2013-05-20 | Johannes Ullrich | Ubuntu Package available to submit firewall logs to DShield (3 Comments) |
| 2013-05-20 | Guy Bruneau | Safe - Tools, Tactics and Techniques (0 Comments) |
| 2013-05-19 | Kevin Shortt | Port 51616 - Got Packets? (1 Comments) |
| 2013-05-17 | Daniel Wesemann | e-netprotections.su ? (3 Comments) |
| 2013-05-17 | Johannes Ullrich | SSL: Another reason not to ignore IPv6 (3 Comments) |
| 2013-05-16 | Joel Esler | Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability (1 Comments) |
| 2013-05-16 | Daniel Wesemann | Extracting signatures from Apple .apps (0 Comments) |
| 2013-05-15 | Joel Esler | Call for Papers - 4th annual Forensics and Incident Response Summit EU (0 Comments) |
| Search Diaries: | |

Complete Archive

