
Privilege Escalation

Coleman Kane [email protected]

February 9, 2015

Security Vulnerability Assessment Privilege Escalation – 1 / 14

Introduction

Privilege Escalation or Elevation is the act of gaining access to resources which were intended to be protected by mechanisms built into the targeted system.

Generally, these are divided into two families:

■ Horizontal
■ Vertical

Horizontal Escalation

Generally speaking, this type of escalation occurs when the human-computer or computer-computer interface is intended to serve as "gate keeper" for access to internal-only resources on the system. In other words, the attacker exploits flaws in the UI to gain unrestricted access to everything that the underlying application would be able to access.

Some examples:

■ SQL Injection attacks
■ XSS attacks
■ Escape to shell

Vertical Escalation

Use of existing access (whether granted or illicit) to gain resource access beyond what the current or role is supposed to have access to. In many cases, the act being described is elevating from "normal user" to "administrator" or "root" privileges on a system.

Examples:

■ Win7Elevate / UAC Bypass
■ "setuid" root binary UNIX exploit
■ Device Driver exploits
■ syscall exploits

HW Protection "Rings"

Implemented by modern CPUs to enable arbitrary execution of native code while protecting systems

■ HW offers multiple run modes, or "rings", where direct access to some features is permitted
■ Code "asks permission" to switch to more privileged "ring"
■ HW verifies authorization criteria are met
■ In most systems, 2 modes: Supervisor & User
■ Don’t confuse with "root"/"administrator" and "non-root" user processes

Rings and OSs

General OS division of code execution:

■ Supervisor: Bootloader, kernel code, device driver code
■ User: Applications, user commands, even "root" user programs

Some exceptions include Windows NT & Mac OS X (XNU kernel), which both can run "device drivers" as limited userland service applications that make kernel requests for their device interactions. However, they continue to offer the option to run as supervisor as well.

OS userland

Most OS’s conceptualize permission groups based upon "privileged" and "unprivileged" user accounts

■ Applications and services are executed by user, retaining privileges of the starting user, with the option to "downgrade" permission for security
■ OS provides "API" for secure device/resource interactions by user ring code
■ "Root" user typically granted access to whatever is asked for, while "non-root" is forced to operate with a limited set of privileges
■ "setuid" and similar typically provide controlled temporary task-specific privilege elevation
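
Added example (not part of the original slides): one way a program started with elevated privileges, such as a setuid-root binary, can permanently "downgrade" to an unprivileged user on a POSIX system, and confirm that the drop cannot be undone. The function names drop_privileges and ids_locked_to are illustrative, not taken from any library.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the real and effective IDs all equal the target IDs. */
int ids_locked_to(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/*
 * Permanently give up elevated privileges and continue as (uid, gid).
 * Order matters: groups first, then GID, then UID, because once the
 * UID is no longer 0 the process may not change its groups any more.
 * Returns 0 on success, -1 on failure (the caller should then exit).
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    /* Only a privileged process can reset its supplementary groups. */
    if (old_euid == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (!ids_locked_to(uid, gid))
        return -1;
    /* Saved IDs are not visible through getuid()/getgid(); prove they are
       gone by checking the old effective IDs can no longer be restored. */
    if (old_euid != uid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != gid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Typical setuid-root pattern: fall back to the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fputs("privilege drop failed\n", stderr);
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The final two checks catch the case where setuid() changed only the effective ID and left a saved ID behind, which happens when the program is setuid to an account other than root.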

Running as non-root

Common non-root local-system privileges consist of:

■ Starting new processes
■ Reading/writing data controlled by the user or access-granted to the user
■ Process mgmt for any processes running by that user
■ Initiating network communications, or listening on TCP/UDP ports >1024
■ Access to local OS APIs & libraries

Running as root

In addition to all non-root privileges, root generally has expanded privileges:

■ Adding/removing users, setting passwords, privileges
■ Read/write ANY file (regardless of whether access explicitly granted)
■ Installing/removing device drivers
■ Replacing programs, libraries, etc...
■ OS grants special access when root uses APIs / libraries
■ Access to all devices, memory
■ Process management across entire system

Vertical Escalation

This structure presents us with two common vectors to gain vertical privilege escalation:

■ Using OS APIs/syscall vulnerabilities to inject arbitrary code into Supervisor mode
■ Using user-mode vulnerabilities in applications running as "root" to inject arbitrary code/commands as "root"

Virtualization, or "Ring -1"

Virtualization is an increasingly popular feature of modern consumer CPUs, however it has been around for a long time. This feature adds a new super-supervisor level to the management of the (s). The isolation enables a system owner to host multiple full OS’s with fine-grained resource access control, where a complete compromise of one OS cannot escape into other hosted operating systems.

Virtualization Model

Generally speaking, virtualization is facilitated by a hypervisor, which can be configured to selectively grant access to the following resources (among others):

■ Number of CPU’s and % of CPU time
■ Upper bound on virtual-physical memory (HV will allocate virt mem that VM thinks is physical mem)
■ Virtualized I/O devices
■ Direct hardware access (controlled)
■ APIs provided by hypervisor available for each VM

Hypervisors

Here are some examples of hypervisors:

■ VirtualBox http://virtualbox.org (will frequently be used for examples)
■ VMWare http://www.vmware.com
■ Xen http://www.xenproject.org
■ KVM http://www.linux-kvm.org
■ bhyve http://bhyve.org

Some vulnerabilities: http://cromwell-intl.com/security/virtualization.html

Cloud Computing

The isolation and abstraction layers in hypervisors are the primary elements enabling "cloud computing". This provisioning approach also relies upon the inherent "Ring -1" security features to allow multiple customers the flexibility of executing virtual systems on shared hardware owned by a third party. However, some new exposure risks may present themselves if you are making assumptions common to traditional "bare metal" systems.
