Privilege escalation (original) (raw)

From Wikipedia, the free encyclopedia

Gaining control of computer privileges beyond what is normally granted

A diagram describing privilege escalation. The arrow represents a rootkit gaining access to the kernel, and the little gate represents normal privilege elevation, where the user has to enter an Administrator username and password.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files or modifying system files.

Privilege escalation means users receive privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

Privilege rings for the x86 available in protected mode

This type of privilege escalation occurs when the user or process is able to obtain a higher level of access than an administrator or system developer intended, possibly by performing kernel-level operations.

In some cases, a high-privilege application assumes that it would only be provided with input matching its interface specification, thus doesn't validate this input. Then, an attacker may be able to exploit this assumption, in order to run unauthorized code with the application's privileges:

In computer security, jailbreaking is defined as the act of removing limitations that a vendor attempted to hard-code into its software or services.[2] A common example is the use of toolsets to break out of a chroot or jail in UNIX-like operating systems[3] or bypassing digital rights management (DRM). In the former case, it allows the user to see files outside of the filesystem that the administrator intends to make available to the application or user in question. In the context of DRM, this allows the user to run arbitrarily defined code on devices with DRM as well as break out of chroot-like restrictions. The term originated with the iPhone/iOS jailbreaking community and has also been used as a term for PlayStation Portable hacking; these devices have repeatedly been subject to jailbreaks, allowing the execution of arbitrary code, and sometimes have had those jailbreaks disabled by vendor updates.

iOS systems including the iPhone, iPad, and iPod Touch have been subject to iOS jailbreaking efforts since they were released, and continuing with each firmware update.[4][5] iOS jailbreaking tools include the option to install package frontends such as Cydia and Installer.app, third-party alternatives to the App Store, as a way to find and install system tweaks and binaries. To prevent iOS jailbreaking, Apple has made the device boot ROM execute checks for SHSH blobs in order to disallow uploads of custom kernels and prevent software downgrades to earlier, jailbreakable firmware. In an "untethered" jailbreak, the iBoot environment is changed to execute a boot ROM exploit and allow submission of a patched low level bootloader or hack the kernel to submit the jailbroken kernel after the SHSH check.

A similar method of jailbreaking exists for S60 Platform smartphones, where utilities such as HelloOX allow the execution of unsigned code and full access to system files.[6][7] or edited firmware (similar to the M33 hacked firmware used for the PlayStation Portable)[8] to circumvent restrictions on unsigned code. Nokia has since issued updates to curb unauthorized jailbreaking, in a manner similar to Apple.

In the case of gaming consoles, jailbreaking is often used to execute homebrew games. In 2011, Sony, with assistance from law firm Kilpatrick Stockton, sued 21-year-old George Hotz and associates of the group fail0verflow for jailbreaking the PlayStation 3 (see Sony Computer Entertainment America v. George Hotz and PlayStation Jailbreak).

Jailbreaking can also occur in systems and software that use generative artificial intelligence models, such as ChatGPT. In jailbreaking attacks on artificial intelligence systems, users are able to manipulate the model to behave differently than it was programmed, making it possible to reveal information about how the model was instructed and induce it to respond in an anomalous or harmful way.[9][10]

Android phones can be officially rooted by either going through manufacturers controlled process, using an exploit to gain root, or installing a rooting modification. Manufacturers allow rooting through a process they control, while some allow the phone to be rooted simply by pressing specific key combinations at boot time, or by other self-administered methods. Using a manufacturers method almost always factory resets the device, making rooting useless to people who want to view the data, and also voids the warranty permanently, even if the device is derooted and reflashed. Software exploits commonly either target a root-level process that is accessible to the user, by using an exploit specific to the phone's kernel, or using a known Android exploit that has been patched in newer versions; by not upgrading the phone, or intentionally downgrading the version.

Mitigation strategies

[edit]

Operating systems and users can use the following strategies to reduce the risk of privilege escalation:

Recent research has shown what can effectively provide protection against privilege escalation attacks. These include the proposal of the additional kernel observer (AKO), which specifically prevents attacks focused on OS vulnerabilities. Research shows that AKO is in fact effective against privilege escalation attacks.[13]

Horizontal privilege escalation occurs when an application allows the attacker to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with the same user but different security context than intended by the application developer or system administrator; this is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users). Compared to the vertical privilege escalation, horizontal requires no upgrading the privilege of accounts. It often relies on the bugs in the system.[14]

This problem often occurs in web applications. Consider the following example:

This malicious activity may be possible due to common web application weaknesses or vulnerabilities.

Potential web application vulnerabilities or situations that may lead to this condition include:

  1. ^ Taimur Asad (October 27, 2010). "Apple Acknowledges iOS 4.1 Security Flaw. Will Fix it in November with iOS 4.2". RedmondPie. Archived from the original on February 18, 2013. Retrieved November 5, 2010.
  2. ^ "Definition of JAILBREAK". www.merriam-webster.com. Archived from the original on 24 December 2022. Retrieved 24 December 2022.
  3. ^ Cyrus Peikari; Anton Chuvakin (2004). Security Warrior: Know Your Enemy. "O'Reilly Media, Inc.". p. 304. ISBN 978-0-596-55239-8.
  4. ^ James Quintana Pearce (2007-09-27), Apple's Disagreement With Orange, IPhone Hackers, paidContent.org, archived from the original on 2012-07-29, retrieved 2011-11-25
  5. ^ "Reports: Next iPhone update will break third-party apps, bust unlocks]". Computerworld on v1.1.3. Archived from the original on 2008-01-04. Retrieved 2008-01-01.
  6. ^ Phat^Trance (Feb 16, 2010). "Announcement: Forum down for maintaining". dailymobile.se. Archived from the original on March 3, 2009. Retrieved August 30, 2016. Just wanted to let you guys know that the forum is down for maintaining. It will be back online in a day or so (i kinda messed up the config files and need to restore one day old backup, so i thought why not update the entire server platform)
  7. ^ "HelloOX 1.03: one step hack for Symbian S60 3rd ed. phones, and for Nokia 5800 XpressMusic too". Archived from the original on 2020-08-07. Retrieved 2009-07-06.
  8. ^ "Bypass Symbian Signed & Install UnSigned SISX/J2ME Midlets on Nokia S60 v3 with Full System Permissions". Archived from the original on 2016-09-11. Retrieved 2009-07-06.
  9. ^ "What is Jailbreaking in A.I. models like ChatGPT?". Archived from the original on 2023-12-01. Retrieved 2023-11-01.
  10. ^ "ChatGPT's 'jailbreak' tries to make the A.I. break its own rules, or die". Archived from the original on 2023-03-02. Retrieved 2023-11-01.
  11. ^ "Microsoft Minimizes Threat of Buffer Overruns, Builds Trustworthy Applications". Microsoft. September 2005. Retrieved 2008-08-04. [_dead link_‍]
  12. ^ Smalley, Stephen. "Laying a Secure Foundation for Mobile Devices" (PDF). Archived from the original (PDF) on 28 August 2017. Retrieved 7 March 2014.
  13. ^ Yamauchi, Toshihiro; Akao, Yohei; Yoshitani, Ryota; Nakamura, Yuichi; Hashimoto, Masaki (August 2021). "Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes". International Journal of Information Security. 20 (4): 461–473. doi:10.1007/s10207-020-00514-7. ISSN 1615-5262. Archived from the original on 2024-05-24. Retrieved 2023-11-10.
  14. ^ Diogenes, Yuri (2019). Cybersecurity - Attack and Defense Strategies - Second Edition. Erdal Ozkaya, Safari Books Online (2nd ed.). p. 304. ISBN 978-1-83882-779-3. OCLC 1139764053. Archived from the original on 2024-05-24. Retrieved 2022-08-13.