All you know about STRIDE - Elevation of Privilege Threat (EOP)

STRIDE is a security threat model, developed by Microsoft that categorize the security threat associated with the computer. It consists of six different threat categories which are:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
 
This article is all about the Elevation of Privilege Threat only. Subsequent articles will cover details on remaining techniques. However, Please refer the below link for already published article on the topic All you know about STRIDE – Repudiation Threat. 
 
 

Elevation of Privilege

Microsoft STRIDE model describe Elevation of Privilege results from giving an attacker authorization permissions beyond those initially granted. For example, an attacker with a privilege set of "read only" permissions somehow elevates the set to include "read and write." Privilege refers to what a user is permitted to do and so Elevation of Privilege is a user receives privileges they are not entitled to.
 
EOP allows different access levels which comprises read-only vs. read-write. Where the lower privileged user can gain the administrative access known as Vertical privilege escalation.
 
The rate of elevation depends on the type privileges the attacker is authorized to possess, and which privileges can be gratified in a successful exploit. For example, manipulation of any programming/ code error allows a user to gain extra advantage after the successful authentication reduce the degree of escalation as the user is already authorized to hold the access for that particular program. But, if a remote attacker gaining super user access without any authentication poses a greater rate of escalation.
 

Way to Exploit

It is necessary to track the functionality in every phase of the application where a user perform below functions in the database,
  • Create (making payment/ sending any important messages)
  • Receive (account statement/ order details)
  • Modify (change order details or any requirements)
  • Delete (drop users messages) 
When a normal user access any of the above mentioned functionality without proper authentication then elevation of privilege comes in to picture. Below mentioned are some exploit scenario to crack Elevation of Privilege.
  1. User Group/ Profile Manipulation: In order to get the write access a non-privileged user can create the profile of the legitimate user using different parameters/ profiles/ ids passing in the HTTP request/ response.
  2. Condition value Manipulation: In an environment where the server throws an error message contained as a value in a specific parameter in a set of answer codes. Manipulating those values to get administrative rights.
  3. IP Address Manipulation: Some websites uses IP address to limit the access or log the number of error login based on IP address. For example - If the website uses the value of 'X-forwarded-For' as client IP address, attacker may change the IP value of the 'X-forwarded-For' HTTP header to work around the IP source identification and fulfill the requirements. 
  4. URL Traversal: Try to traverse the website and check if some of pages that may miss the authorization check. 
  5. White Box: If the URL authorization check is only done by partial URL match, then its likely hackers may workaround the authorization by URL encoding techniques. Ex - endswith(), contains()
  6. Weak Session Id: Weak Session ID has algorithm may be vulnerable to brute Force attack. For example, one website is using MD5 (Password + UserID) as session ID. Then, attacker may manipulate and generate different Session ID in order to get unprivileged access.

SID based Elevation of Privilege Attack 

Elements of the attack:
 
There are two major components of Windows that are behind an elevation of privilege attack.
  1. Access tokens: This token can be a list of the user’s SID (Security Identifier) and the SIDs of any user group where the user may be a member.
  2. The SID History: The SID History is an Active Directory(AD) attribute which facilitates the authorization process tracks the changes of an object’s SID as the object moves from one domain to another.(SID History is an attribute that supports migration scenarios. Every users account is associated with a Security Identifier which is used to track any security related activity which includes account access, migrations and can effectively cloned to another.
How it impact though those elements:
 
  • When a user logs into the system, the Access token associated with the user contain users present SID, the SID of any user groups that the user may belong to, and any Security Identifier previously associated with the user account through the SID History. Together, these two elements (Access token & The SID History) determine whether the user can access the network and what level of access the user can.
  • To pull off a SID-based elevation of privilege attack, the attacker must be able to determine the SID of another user (either the Administrator account or an account with Administrator rights). Then the attacker must add that SID to his own SID History list. So that he can able to grant the same privileges as the user from which he has stolen the SID.

Example 

Dirty Cow Vulnerability - CVE – 2016-5195 (kernel Exploit)
Dirty Cow is triggered by a race condition, in the way, the Linux Kernels memory sub system handles Copy-On-Write (COW) breakage of private read-only memory mapping where an unprivileged local user could use this flaw to gain write access or modify existing SETUID files.
This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanism that would prevent modification with-out an appropriate permission set.
 

Counter Measures

Following countermeasures can be applied in order to overcome above EOP threat,
  • Beef up Authentication and validate all data positively
  • Have the user/ customer follow the strongest authentication method intelligently 
  • Scan the application for known vulnerabilities to minimize exploit attacks
  • Data Execution Prevention
  • Address space layout randomization (to make it harder for buffer overruns to execute privileged instructions at known addresses in memory)
  • Running applications with least privilege (for example by running Internet Explorer with the Administrator SID disabled in the process token) in order to reduce the ability of buffer overrun exploits to abuse the privileges of an elevated user.
  • Requiring kernel mode code to be digitally signed.
  • Use of up-to-date antivirus software.
  • Use of compilers that trap buffer overruns.
  • Encryption of software and/or firmware components
  • Use of an operating system with Mandatory Access Controls (MAC) such as SE Linux
  • Patching with updated/latest version
Telling most people to think like an attacker is a lot like telling them to think like a professional Pilot to fly a flight. They lack context, training and understanding of what that means, even if they know how to fly. To become more secure, you should determine what you need to protect, and whom you need to protect it from. Threats can change depending on your position, location, what you are doing, and with whom you are working with. Though an EOP attack is not the most common threat someone faces, but if you are in an environment where security is a concern you should not leave any single thing to chance - as an attacker always think differently.
 
Authored By - Deepti Nayak
TCS Cyber Security Practice
 
Rate this article: 
Average: 2 (4 votes)
Article category: