Least Privilege Vulnerabilities
Introduction
The principle of least privilege is an essential component of information assurance and security activities. According to the National Institute of Standards and Technology (NIST), organizations apply least privilege to provide users with only the rights and permissions needed to do their jobs. Like all security controls, however, vulnerabilities often exist that reduce effectiveness and increase risk
In this article, I’ll describe several vulnerability types often seen in Windows environments that allow malicious actors (MA) to bypass least privilege access management efforts. I’ll also briefly describe how to detect and manage these weaknesses.
Learn Secure Coding
Privilege escalation
Users must access information resources to do their jobs. This makes it possible for MA who compromise their systems to access what the users can access. Theoretically, strictly restricting access for each user account to only what the associated role needs within the contexts of need-to-know and separation of duties, MA access is restricted.
When an MA uses a compromised account without elevating privileges, it is called a horizontal exploit. When the MA elevates privileges to gain access beyond what the compromised account is supposedly allowed, it is a vertical exploit. In both instances, the approach is known as privilege escalation: gaining access at levels not approved by data owners.
If MAs can circumvent user account restrictions or use service accounts to access resources, they can access resources with elevated access rights and permissions. They can also pivot to other accounts for additional access. In many cases, they can act as local or domain administrators.
Common least privilege vulnerabilities
Least privilege vulnerabilities exist largely in cloud and local third-party applications or applications developed in-house. Three least privilege attack vectors often leverage the Windows operating system include
- UAC bypass
- Token theft/manipulation
- DLL hijacking
UAC (User Account Control) bypass
Cynet writes that UAC bypass is possible if the UAC setting is not strong enough. This can allow an application to elevate privileges without user approval. According to SOC Level 1, some applications might be set to auto-elevate, allowing them to elevate privilege when necessary. As we’ll see later, compromise of authorized applications is a common privilege escalation attack vector.
Organizations may believe their applications do not improperly elevate privileges to perform tasks. However, testing is necessary to ensure this is true. Testing is especially important when bloatware (third-party software included on new hardware purchases) is distributed to users. This is one reason installing an approved image on a user device before distribution is a good security practice.
Access token manipulation
Windows uses tokens to represent users. Each authenticated user is provided with a token that information resources and the network use to determine rights and permissions. If an MA can steal a token, he can access whatever the token is allowed to access.
MITRE posits that an MA must use an account with highly privileged access (e.g., administrator) to steal a token. One of the easiest ways for an MA to work within a privileged access context is to compromise a system where a user consistently uses an administrator account for day-to-day activities.
Users who need to run applications with a highly privileged token should use the Windows runas command. This eliminates the need and the temptation for IT personnel to continuously use a privileged account for things like email, use of Office applications and software development.
DLL hijacking
When using DLL hijacking, MAs might place a replacement DLL in the search path the system uses to find and load called application binaries. SEC Consult writes that by default, Windows checks the following locations in the order listed.
- The directory from which the application is loaded
- C:WindowsSystem32
- C:WindowsSystem
- C:Windows
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
System DLL locations are commonly listed in the Windows registry. Malicious access to the registry can also allow the implementation of MA DLLs.
If developers do not explicitly specify where a binary is located when called by the running code, the system must go looking for it. Based on the system configuration, an attacker can place a DLL with the same name as the called binary in the search path.
When the malicious DLL is run, the application comes under partial control of the MA. This is related to UAC bypass. The compromised application can elevate the privileges of the processes run by the application. This potentially provides escalated MA access to information resources.
The best defense is preventing the installation of any binaries not approved by IT: application whitelisting. Windows Defender Application Control is another layer of defense against DLL hijacking. Using this tool, organizations can define rules that manage
- Attributes of the code-signing certificate(s) used to sign an app and its binaries
- Attributes of the application’s binaries that come from the signed metadata for the files, including file hashes
- The path from which the app or file is launched
- The process that launches the application or binary
General protection
Annually, researchers discover application and system vulnerabilities that allow privilege escalation. There is no way to completely eliminate these weaknesses and always keep them from user devices. Consequently, organizations must monitor for activities related to attacks against least privilege, including anomalous
- Use of the runas command
- User/token behavior
- Change of token privilege (described in a Netsparker article)
- DLL manipulation (described in MITRE’s article, DLL Search Order Hijacking)
Conclusion
Least privilege is an important security control and requires management beyond controlling user access by role. Organizations must also pay close attention to attack vectors internal and external MAs can leverage to bypass least privilege restrictions.
Prevention controls are not enough. Organizations must include monitoring for anomalous behavior related to privilege escalation in their log management process and behavior analytics.
Learn Secure Coding
Sources
- Understanding Privilege Escalation and 5 Common Attack Techniques, Cynet
- Application Control, Microsoft
- Access Token Manipulation, MITRE
- DLL Search Order Hijacking, MITRE
- What Is Privilege Escalation and Why Is It Important?, Netsparker
- Protecting Controlled Unclassified Information (CUI), NIST
- Windows Privilege Escalation - an approach for penetration testers, SEC Consult
- Bypassing Windows UAC, SOC Level 1
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Least Privilege Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding