#radio Radio Scotland by EnjoyIT 1.0 http://t.co/gaNHe2KU
14 minutes ago by RealTonyRocha on twitter
Breaking News: CFOs increasingly involved in IT investment decisions
ZDNet / Techguide / Internet Security
Mitigating the privilege escalation threat
Summary
Privilege escalation vulnerabilities are not often remotely exploitable, but they can still be among the nastiest vulnerabilities when combined with someone who has managed to gain system access.
Topics
technology, software operating systems, software, computer technology, science and technology, microsoft windows os, chad perrin, microsoft corporation, linux, ubuntu
Events
Echelon 2012
June 11 and 12, 2012
University Cultural Centre, National University of Singapore
Startup Asia Jakarta 2012
June 7 and 8, 2012
12th Floor, Annex Building, Wisma Nusantara Complex, Jl. M.H. Thamrin No. 59 Jakarta 10350, Indonesia
MMA Forum Singapore
April 23-25, 2012
Grand Hyatt Singapore
My first encounter with privilege escalation vulnerabilities in the 1990s involved the Microsoft Windows NT 4.0 domain scheduler. Any standard user account on the domain could be used to create an instruction to be executed the next time the scheduler was triggered, because a file used to manage scheduler instructions had to be effectively world-readable for the scheduler to operate properly. Such instructions could include adding administrative privileges to an unprivileged user account.
Learning about this vulnerability was quite an eye-opening experience for me. Given the level of control a domain administrator could exercise over individual systems, the simplicity and scope of an exploit of this vulnerability was shocking.
Ever since that day, the attitude some people have--believing that any vulnerability that cannot be exploited remotely is no big deal--has seemed like the very height of folly. Combine even a sandboxed remote code execution vulnerability with a privilege execution vulnerability, and something that at first seems relatively unimportant can turn into an unmitigated disaster.
The opportunities for privilege escalation are numerous and sometimes surprisingly subtle. While Microsoft Windows has certainly been plagued by such issues over the years, thanks to its nearly nonexistent privilege separation scheme, it is not the sole victim of privilege escalation vulnerabilities, either. In fact, any general purpose operating system offers opportunities for misconfigurations to open privilege escalation holes in the system’s security model.
One example is misuse of Unix setuid and setgid permissions.
Another example from the Unix world--and of particular growing concern when dealing with novice-oriented Linux distributions like Ubuntu--is the misuse of sudo. Executing the command sudo vim opens a text editor that can basically edit any file on the system, of course, but that generally means the program will only edit what you want edited.
On the other hand, it might be conceivable that some infection picked up from the Web using your favorite browser could some day take advantage of sudo as a privilege escalation vulnerability in the system's configuration. Maybe the next time you execute sudo vim, the infection in question will make use of Vim's ability to execute shell commands (with root privileges in this case) and will prove the system's undoing.
I do not think this precise example is a likely danger now, but it could easily become a real danger in the future, particularly with the way that the pursuit of greater novice-friendly convenience tends toward misusing the security tools we have available to us and undermining the security benefits of simplicity.
We should present security advice as convenience advice, to get people to use security tools to make security more convenient--and not abuse security tools to try to make the system more convenient to use at the expense of security.
Some good advice for mitigating the threat of privilege separation includes:
- Be extremely careful when writing new software or modifying existing software to ensure that it does not subvert the system's privilege separation scheme.
- Run code without administrative privileges as much as possible.
- Learn everything you can about security tools, how they work, and how they are intended to be used (and why), before using them. For instance,
sudois intended as a tool for making specific, tightly controlled capabilities available to specific users, and not as a root replacement. - Maintain as strict a separation between privilege areas as possible. If you can armor your user directory against other users' access, do so, and if you can keep access to the administrative account completely separated from your standard user account at all times, you should do that as well.
- Use software that gets timely and effective security updates so that any newly discovered privilege escalation vulnerabilities will be fixed as quickly as they become apparent.
Many more possibilities apply as well, and I cannot reasonably attempt to catalog them all for you in this article. This is especially true because, as long as privilege separation is an effective security measure, there will likely be new approaches to privilege escalation attacks appearing from time to time. Understanding something about how privilege escalation can happen, and can make your life miserable, is an important first step toward whittling the danger down, however.
Continuing to develop your knowledge of the threat of privilege escalation, and learning to think in terms of not just what your software was meant to do but also how it can be abused by a malicious security cracker, then becomes necessary for doing something useful with that knowledge.
Finally, taking steps to mitigate the consequences of a privilege escalation if it does occur can keep the damage to a minimum. One of the most important pieces of advice along these lines, in my considered opinion, is to treat systems that do not employ a good privilege separation scheme as little more than toys when it comes to protecting yourself against malicious security crackers.
Thinking you are safe just because typical viruses do not do much damage as long as you keep paying for your antivirus subscription misses whole worlds of security threats. The dangers can include cases where you are specifically targeted for whatever reason--whether it be someone trying to use your server to host a child porn FTP archive or an ex-spouse's hireling or new love interest trying to access your financial records.
Chad Perrin is an IT consultant, developer and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
Resource Centre Useful content from our premier sponsors
Internet Security TechGuides
Putting passwords out: Identity behaviour and identity authentication
Mozy online backup service: Privacy does matter
IT security strategies for mitigating Web-based risks
Cybercrime and the problem of online identity verification
Be careful not to incur security debt
Psychology provides clues in handling invisible threats
How to sell information security to management
Controlling your network using Network Access Control
Selling or donating equipment? Don't forget to wipe it clean
Implementing multi-factor authentication: What to consider
ZDNet Asia Live
SingTel (All) SingTel acquires HungryGoWhere for $9.4M ZDNet Asia News http://t.co/QuzQio2Z
44 minutes ago by nyp_095370X on twitter
Intranets need social to survive http://t.co/pdOHvgBP #intranet #socialintranet #intranet20
59 minutes ago by hoisc on twitter
Fanboys on AV for Mac: "ludicrous" "a waste of time" "The Mac will protect me" "the most secure ever" "impenetrable" http://t.co/a1o2Sz7E
2 hours ago by defintel on twitter
RT @ameliatmy: the hottest angel investment & venture capital event in #MALAYSIA! will u be there? http://t.co/ChSjkmzu #ABAF
2 hours ago by seraphine on twitter
Singapore Game Box in the ZDnet news!
http://t.co/UuTs0SqX http://t.co/YdPKmm39
RT @zdnetasia: SingTel acquires HungryGoWhere for US$9.4 million. http://t.co/Qho1REVZ
4 hours ago by molobok on twitter
Gartner: Mobile CRM gives better ROI than social - http://t.co/s5OfTAXK #CRM
4 hours ago by RichBohn on twitter
RT @zdnetasia: S'pore sets up portal to grow games sector. http://t.co/In8gtj7L
4 hours ago by molobok on twitter
#Malaysia: 20% yoy rise in overall #wages for both direct and non-direct labor. http://t.co/5T2e0LUU
4 hours ago by mikebuetow on twitter
RT @mikebuetow: #Malaysia: 20% yoy rise in overall #wages for both direct and non-direct labor. http://t.co/5T2e0LUU
4 hours ago by PhotoStencilLLC on twitter
@88tc88 RT @KevinZDNetAsia: User experience more important to app monetization than actual content http://t.co/ogbD5wyI… #li #dm12
4 hours ago by eelisam on twitter
Dubbed the first social #Olympics, this year's summer games have some of the strictest social rules for all involved http://t.co/4HlcqhW3
4 hours ago by 5Loom on twitter
Value of big data analytics largely untapped - Zd Net http://t.co/ZuhPrCN4: Pushing cloud limits for d... http://t.co/VyOU0vHz #TheBIBlog
5 hours ago by nextbi on twitterSo much as we know , MTK6575 extremely integrated frequency1GHz ARM Cortex-A9 processor, the superiority of 3G / HSPA Modem, and help the...
16 hours ago by y15822137359 on 5 SaaS adoption speed bumps to avoidI reckon your view: "CRM is strategy, not software", if a company replicating the approach uses in ERP implementation into CRM, what they...
1 day ago by wykoong on Gartner: Mobile CRM gives better ROI than socialThis video will teach you about the Excel fill handle but also provide you with a workook to download... http://www.youtube.com/watch?v=...
2 days ago by TradeBrother on A quick fill handle trick for Microsoft Excelwaiting...
4 days ago by eapete on What should count in a company's market value?Boy, you've opened a can of worms now.
Wait for the rants & raves.
I was puzzling before this whether to replicate the success formula we executed for a financial institute, and come out with a standard s...
4 days ago by wykoong on Drop the egos, copy ideas, then innovateKeep up with ZDNet Asia
Facebook 
RSS Feeds 
Newsletters 
Twitter Whitepapers
Downloads
Internet Security News
Inside ZDNet Asia
Sponsored
Echelon 2012 - The Awesomer Tech Event in Asia
Echelon 2012 – SEA’s longest running tech startup event goes Awesomer. Catch 50 of Asia’s most promising startups & over 40 international speakers on June 11-12.
Startup Asia Jakarta showcases new product-ready tech startups. Plus: hackathon, exhibition, and speakers. Use promo code CBSi50 for 50% discount.
ZDNet Asia Intelligent Singapore video series
Featuring inteviews with CXOs who define "intelligence" in their markets and reveal how their companies drive business efficiencies through ICT.
