Wednesday, May 2, 2018

Elevation of Privileges, TC2027

What is Elevation of Privileges? 

Elevation of Privileges (EoP), also called Privilege Escalation, is exploiting a system or application to gain more access than you should normally have. In practice this means you can perform actions you are not authorized to perform.

There are two branches of privilege escalation: horizontal and vertical.

Horizontal

  • Access to other users' information or content. It is called horizontal because you stay within the scope of an ordinary user, but you can reach other users' data. This is still more access than you should have, just not at a higher privilege level.

Vertical

  • Access to information or content that should only be accessed by someone with higher privileges. You stay within your own account, but you "climb steps" on the privilege ladder.
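To make the two branches concrete, here is an added example (not code from the original post) of a minimal document access check. A naive handler only asks "is the caller logged in?", which allows both kinds of escalation; the hardened version denies by default and checks the role level (vertical) and the ownership of the object (horizontal). Users, documents and role names are constructed sample data.

```python
from dataclasses import dataclass

# Vertical axis: a higher number means more privilege. Constructed sample roles.
ROLE_LEVEL = {"user": 1, "admin": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # horizontal axis: which user the object belongs to
    min_role: str   # lowest role allowed to read this object


# Constructed sample data: two ordinary users' documents and one admin-only document.
DOCS = {
    1: Document(1, owner="alice", min_role="user"),
    2: Document(2, owner="bob", min_role="user"),
    3: Document(3, owner="root", min_role="admin"),
}


def can_read_naive(user, doc_id):
    """Vulnerable check: any authenticated user may read any existing document.
    alice can read bob's document (horizontal) and the admin one (vertical)."""
    return user is not None and doc_id in DOCS


def can_read(user, doc_id):
    """Hardened check: deny by default, then require BOTH a sufficient role
    (blocks vertical escalation) AND ownership unless the caller is an admin
    (blocks horizontal escalation)."""
    doc = DOCS.get(doc_id)
    if user is None or doc is None:
        return False
    level = ROLE_LEVEL.get(user.role, 0)          # unknown roles get no privilege
    if level < ROLE_LEVEL[doc.min_role]:
        return False                               # vertical: role too low
    if doc.owner != user.name and level < ROLE_LEVEL["admin"]:
        return False                               # horizontal: not the owner
    return True
```

The same two questions (is the role high enough, and does this object belong to the caller) are what every handler that touches a user-owned resource has to answer, not just the one the user logged in through.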

The following image shows the different levels of privileges that a system has. 


My favorite example of elevation of privileges:

Jailbreak

I remember I was in high school when I got my first iPod Touch, it was Christmas and Santa gave me and my brothers an iPod. I was really excited and I opened it in the bathroom, and as soon as I took it out of the box, it fell.
I always liked playing and listening to music on my iPod, but after a while (still in high school) I discovered that you could "jailbreak" it, letting you add more functionalities and customize your iPod. I didn't know it back then, but that was a form of Elevation of Privileges.
Normally, you couldn't do all those things that Cydia allowed you to do, but when you jailbroke it, you gained control of many things and it felt really nice.

Other methods
This webpage tells more about EoP and ways it can be exploited:
https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/06/07/all-you-know-about-stride-elevation-privilege-threat-eop
Here are the 6 ways to exploit and gain EoP that the webpage mentions:


  1. User Group / Profile Manipulation: to get write access, a non-privileged user may take on the profile of a legitimate user by changing the parameters, profile values or IDs passed in the HTTP request/response.
  2. Condition Value Manipulation: in an environment where the server returns an error or status code as the value of a specific parameter, manipulating those values may grant administrative rights.
  3. IP Address Manipulation: some websites use the IP address to limit access or to count failed logins per IP. For example, if the website takes the client IP from the 'X-Forwarded-For' header, an attacker may change that header's value to work around the IP-based check.
  4. URL Traversal: browse through the website and check whether some of its pages are missing the authorization check.
  5. White Box: if the URL authorization check is only done by partial URL match (e.g. endswith(), contains()), it is likely that attackers can work around the authorization with URL encoding techniques.
  6. Weak Session ID: a session ID produced by a weak algorithm may be vulnerable to brute force. For example, if a website uses MD5(Password + UserID) as the session ID, an attacker may generate different session IDs in order to gain unauthorized access.

There are many methods to gain EoP, but this is something we have to keep in mind when we design software: we DON'T want people WITHOUT access to do things they shouldn't.

