Surge in Grabbing Unauthorized Access
Authorization is the access control decision that grants a process, an application, or a class of users access to sensitive system resources according to its privilege level. Privacy and security are compromised when a system resource is reached by a process, application, or user that was never authorized to access it.
Application and system developers strive to build secure authorization into their software. Attackers, in turn, keep producing new exploit techniques to elevate the privilege level of a particular process, system, or user. Many attacks begin with an initial foothold on the target system at a low privilege level, followed by an attempt to elevate privileges by exploiting a vulnerability in the operating system itself or in third-party software installed on it.
We carried out a short piece of research on Elevation of Privilege (EoP) vulnerabilities, using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly, the data indicates a significant rise in EoP vulnerabilities over the past two and a half years.
In our research set of Microsoft Windows operating system vulnerabilities disclosed over that period, 115 of 700 vulnerabilities, approximately 16%, were privilege escalation vulnerabilities. The data set suggests that attackers and malware writers are increasingly turning to EoP vulnerabilities to carry out their attacks as silently as possible.
Exploiting an EoP vulnerability on its own is usually not enough for an attacker to achieve the intended destructive effect: it raises the privilege of code that is already running on the system, but does not by itself get the attacker's code onto the system. The attacker is therefore forced to find at least one more vulnerability to exploit.
The following is a list of commonly exploited Windows components:
- The Group Policy Service
- Windows kernel-mode driver (win32k.sys)
- Cryptography Next Generation kernel-mode driver (cng.sys)
- WebDAV kernel-mode driver (mrxdav.sys)
- TS WebProxy Windows component
- Windows User Profile Service (ProfSvc)
- Windows audio service component
- Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
- FASTFAT file system driver (fastfat.sys, FAT32 disk partitions)
- Message Queuing service
- Windows Task Scheduler
- Windows Installer service
- Ancillary Function Driver (afd.sys)
- Group Policy Preferences
- Local Remote Procedure Call (LRPC)
- Windows audio port-class driver (portcls.sys)
- Windows AppContainer
- DirectX graphics kernel subsystem (dxgkrnl.sys)
- Service Control Manager (SCM)
- NT Virtual DOS Machine (ntvdm.exe)
- Asynchronous RPC request handling (rpcss.dll)
- TrueType font file handling
- Windows Print Spooler (win32spl.dll)
- NTFS kernel-mode driver (ntfs.sys)
- Windows Client/Server Runtime Subsystem, CSRSS (csrss.exe)
- Remote Desktop ActiveX control (mstscax.dll)
- Windows USB drivers
We see that attackers often aim for a highly destructive attack by exploiting a code execution vulnerability and a privilege escalation vulnerability together: the first gets their code running as a limited user, the second raises it to administrator or SYSTEM.
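The pattern behind many of the service bugs in the list above is a privileged service doing work on behalf of a low-privileged client under its own identity rather than the client's. The following Python model is an added example, not code from the original post or from K7; it places the vulnerable form of such a service beside the fixed one. The `Service` and `Client` classes, the privilege ladder, the write ACL and every path in it are constructed for illustration and do not correspond to any real Windows component.

```python
"""Model of the service-side elevation-of-privilege pattern (added example).

A service running as SYSTEM writes a file at a path chosen by a client. If it
does so under its own identity instead of the client's, any low-privileged
client gets a SYSTEM-level write. Levels, paths and names are constructed.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field

# Constructed privilege ladder, loosely mirroring Windows integrity levels.
LEVELS = {"low": 1, "medium": 2, "high": 3, "system": 4}

# Constructed ACL: path -> level required to write it.
WRITE_ACL = {
    r"C:\Users\alice\app.log": "medium",
    r"C:\ProgramData\App\config.ini": "high",
    r"C:\Windows\System32\drivers\evil.sys": "system",
}


@dataclass
class Client:
    name: str
    level: str


@dataclass
class Service:
    """A service that runs as SYSTEM and writes files on behalf of clients."""
    level: str = "system"
    writes: list = field(default_factory=list)

    def __post_init__(self):
        # The identity the access check is made against; starts as the service's own.
        self._effective = self.level

    @contextmanager
    def impersonate(self, client: Client):
        """Adopt the client's level for the duration of the block, the way a
        Windows service does with RpcImpersonateClient before touching objects."""
        saved = self._effective
        self._effective = client.level
        try:
            yield
        finally:
            self._effective = saved

    def _write(self, path: str) -> bool:
        """Access check against the effective identity; unknown paths fail closed."""
        required = WRITE_ACL.get(path)
        if required is None or LEVELS[self._effective] < LEVELS[required]:
            return False
        self.writes.append((self._effective, path))
        return True

    def save_log_vulnerable(self, client: Client, path: str) -> bool:
        """Bug: the client-controlled path is written as SYSTEM. A low client
        can point it at a driver path and get its file written there."""
        return self._write(path)

    def save_log_fixed(self, client: Client, path: str) -> bool:
        """Fix: impersonate the client for the whole operation, so the access
        check is made with the client's privilege level, not the service's."""
        with self.impersonate(client):
            return self._write(path)


def attempt(method: str, client_level: str, path: str) -> bool:
    """Run one request through the named service method and report success."""
    svc = Service()
    return getattr(svc, method)(Client("client", client_level), path)


# Constructed target: a SYSTEM-only location a low client should never reach.
DRIVER = r"C:\Windows\System32\drivers\evil.sys"

if __name__ == "__main__":
    for method in ("save_log_vulnerable", "save_log_fixed"):
        print(method, "low client writes driver:", attempt(method, "low", DRIVER))
```

The important detail is where the check happens: `_write` is the same in both versions, and it is correct. What differs is which identity it is evaluated against. Real Windows services make the same mistake when they open a client-supplied path before impersonating, or revert to self too early, which is why so many EoP bugs are file-write primitives rather than memory corruption.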
The techniques malware writers employ evolve constantly so that the desired privilege escalation goes undetected. Many privilege elevation techniques are publicly documented online, for example:
- Method of providing a computer user with high level privileges, US Patent 7,945,947
- Exploiting the known failure mechanism in DDR3 memory referred to as Row Hammer to gain kernel privileges. Because the flaw is in the DRAM itself there is no software patch for it; mitigations are in hardware and firmware, such as a BIOS update that raises the DRAM refresh rate or, failing that, replacing the memory modules.
Sometimes it is simply not possible to patch a vulnerability.
Elevation of Privilege is not limited to operating systems; it is also seen in desktop applications, browsers, web applications and even in hardware. With the growing popularity of the Internet of Things, exploiting an Elevation of Privilege vulnerability in just one link of an IoT deployment could give an attacker complete control of the whole system.
Image courtesy of: tompattersontalks.blogspot.in
Priyal Viroja, Vulnerability Researcher, K7TCL
Re-published by K7 Computing Ireland