Privilege escalation, why should I care?

Privilege escalation, why should I care?
In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant I often hear what I term 'interesting' responses. When a penetration tester calls something interesting you should probably pay attention :) The IDS only listens external to the firewall? SharePoint is directly exposed to the Internet? The WAF protects against attacks therefore we don't have to fix the application? The VMs are all physically on the same host? The DMZ and the internal VLAN are physically on the same switch? You don't bother with privilege escalation patches? All quite interesting. One of the responses I have heard multiple times is that privilege escalation vulnerabilities are a low priority because they require the attacker have local access. Meaning that that would be very difficult to pull off, therefore we don't have to worry about it. This also assumes that every single account holder is 100% gruntled all of the time, and that nobody ever makes a mistake. Meaning that we can trust everyone who accesses our networks and applications. Which I also find to be 'interesting' :) There are multiple types of privilege attacks. The first is privilege escalation, where someone who has valid credentials or means to access a network or application can raise their level of access to a more privileged level. Like getting root on a Unix system for example, or becoming Domain admin before lunch on day 1, or assuming a higher role within an application. Impersonation attacks are similar however they entail becoming a different user, often with the same level of privilege, but with way more money in their account :) which soon finds its way to a non-extradition treaty country. If the major difference between a remote exploit and a local one is that a network connection is required for the former, and not for the latter, does this mean that local priv escalation attacks cannot be performed across the network? Actually no. If an attacker can gain access to a system through a client side exploit, they may then effectively become the local user, and escalate to local system. Local system priv on a Windows computer is just a hop, skip, and jump away from being Domain administrator. In a recent discussion about the priority to be assigned to patch one comment was "It's only a privilege escalation!". Yes, you are correct, and that is an interesting statement was my response. Cheers, Adrien de Beaupré Intru-shun.ca Inc. My SANS Teaching Schedule	Adrien de Beaupre 353 Posts ISC Handler
Subscribe	May 22nd 2013 6 years ago
Adrien, could you provide us with some links discussing these other problems you mention in the second paragraph? I know of at least one reader (who could that be?) that currently has some of those issues. It would be useful to see some discussion that would help justify fixing those problems.	JimC 17 Posts
Quote	May 22nd 2013 6 years ago
Hi Jim C, they are all interesting in that in my experience each has led to more than one significant breach. Either with me as a pentester, or as incident management lead. In all cases the client had a bad day. Each one is deserving of a diary article and lengthy discussion pro and con. Cheers, Adrien	Adrien de Beaupre 353 Posts ISC Handler
Quote	May 22nd 2013 6 years ago
The theme these days is hard exterior soft interior. Not applying priv escalation patches helps ensure you have a soft interior. With a hard exterior what makes a remote XP/Vista/7/8 vulnerability different than a local privilege escalation? No one from the internet can remotely hit the workstations to exploit them. The main attack vectors seem to be client side exploit or via email whether it exploits software or is just a malicious attachment. This leaves the attacker with the same access the user has, if the user is administrator then patching privilege escalation vulnerabilities probably isn't a priority. If the user is restricted then the next step is local priv escalation or exploit other hosts on the network which usually results in priv escalation.	Adrien de Beaupre 1 Posts
Quote	May 22nd 2013 6 years ago
Adrien, Great posting. I think you address something that is at the heart of our challenge as InfoSec professionals: admins and other "IT Professionals" do not think past one dimensional, and single event/step issues. They often fail to see the 'domino effect' of single weaknesses, nor do they see the multiple vectors from which an vulnerability can be exploited. More than half our job is to educate data and system owners of these. InfoSec truly is a collaborative discipline.	IMFerret 10 Posts
Quote	May 22nd 2013 6 years ago
I think what's not being taken into account is patching and the other risks that are being considered. While it's easy enough to say that it's "interesting" someone would choose to prioritize a PE vulnerability as low, it might be in favour of re-mediating a critical vulnerability on an exposed host. The risk and likelihood of an exposed host being exploited would generally seems to be much higher. If it came down to a choice between fixing a PE vuln or a vuln which may allow something like SQLi. I think I would choose the latter and then follow-up with the PE vuln afterwards. Risk versus reward. All vulnerabilities should be addressed but unfortunately they have to be weighed you have to do what you can to get the most bang for you buck in the enterprise. If they choose not to flat out not patch or mitigate the vuln at all...now that I would find interesting.	karttoon 2 Posts
Quote	May 22nd 2013 6 years ago
As a production server sysadmin my response to OS level privilege escalation is why bother. If they can get to the place where they can run code, by attacking the OS or the single application, they have the valuable data within their grasp without using it. The production servers are isolated and even interior is hard to get at because I went way out of my way to make it so. Compromising the domain controller (which is not under my control) will not easily breach the production servers, and unless the attacker has been here for awhile he won't find out how. I worry more about certain engineers' workstations who haven't learned what it means to pick a strong password and have access to production.	karttoon 39 Posts
Quote	May 22nd 2013 6 years ago
@joshua: precisely. I gather the credentials/hashes/tokens/data by pillaging workstations. I don't hack the production servers. I just log in.	Adrien de Beaupre 353 Posts ISC Handler
Quote	May 22nd 2013 6 years ago
@Noot. Yes, there should be a conversation about risk, mitigation, cost, and level of effort. However in quite a few enterprises the decisions don't always follow a rational pattern when layer 8 gets in the way. Often leading to interesting decisions.	Adrien de Beaupre 353 Posts ISC Handler
Quote	May 22nd 2013 6 years ago
@ Ferret. Yes, attackers understand island hopping, good pentesters can demonstrate real risk using creativity. A sysadmin might only understand their little piece of the pie.	Adrien de Beaupre 353 Posts ISC Handler
Quote	May 22nd 2013 6 years ago
@Adrien +1 to circumventing all that fancy production security with a legitimate login.	Adrien de Beaupre 3 Posts
Quote	May 22nd 2013 6 years ago
One of the worst things a pen tester can do is use that stupid "traffic light" of High (red), Medium (yellow) and Low (green) in the final report. Too many people think Low (green light) means "Go!" or "I'm green and good to go" and they don't have to do anything. In this business "low" just means it might take a day or two to break in instead of a few minutes to an hour. Another worst thing is to not very explicitly spell out that you only tested a sample of the systems and every vulnerability found needs checked for on all systems. I can't tell you how many times I've heard from people "All we have to do is close the finding. Those other systems aren't part of the finding." And then we have the same finding a year later on different systems, some new and some old.	Anonymous
Quote	May 22nd 2013 6 years ago
In terms of vulnerability assessments, the most important part of the process is not the one-time patching/hardening of systems to address findings in a report... but instead, having a process in place that assesses and mitigates vulnerabilities on an on-going/routine basis. When I conduct a security assessment and the result is a report full of findings, I focus on implementing a vulnerability management process... not patching/mitigating each individual vulnerability. In theory, once the process is in place, the mitigation of vulnerabilities will become a natural part of the process. Of course, you will want to mitigate any critical findings, but the focus must remain on implementing a vulnerability management/security process. You can score 100% in a security assessment report (no findings) but then fail 6 months later. This quickly becomes a numbers game and is futile. The most important aspect of this is to manage security on an on-going basis and not a one-time basis.	da1212 69 Posts
Quote	May 22nd 2013 6 years ago
@JJ 3 words: scope, scope, scope. @Jacl: Good point!	Adrien de Beaupre 353 Posts ISC Handler
Quote	May 23rd 2013 6 years ago
Drives me crazy to see priv esc listed as less critical. I think this should be classified as critical or at least important.	@Miss_Sudo 12 Posts
Quote	May 24th 2013 6 years ago
@Joshua, re: "Compromising the domain controller (which is not under my control) will not easily breach the production servers" That's interesting. Compromising the domain controller implies that the password hashes for all users may be known by the attacker. Compromising the domain controller implies that the intruder may tamper with group policy settings to ensure that targetted keylogger malware gets deployed. If you're thinking compromise of the domain does not lead to possible compromise of any machine on that domain, I would hazard a guess that you are insufficiently imaginative.	Mysid 146 Posts
Quote	May 25th 2013 6 years ago
@Mysid: Agreed. Even if the production servers weren't joined to the domain the attackers would just move laterally to them anyway. That lateral movement would almost certainly involve privilege escalation at some point.	Mysid 3 Posts
Quote	May 26th 2013 6 years ago
Anyone who understands "defense in depth" also understands why they should care about vulnerabilities which can lead to a privilege escalation. The reverse is also true ;)	beamer 10 Posts
Quote	May 27th 2013 6 years ago