Privilege Escalation
Privilege escalation happens when a malicious user exploits a bug, design flaw or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to that user.
Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to applications. There are two types of privilege escalation attack: vertical and horizontal.
Vertical privilege escalation, also known as privilege elevation, is where a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications.
Horizontal privilege escalation is where a normal user accesses functions or content reserved for other normal users.
Here we will discuss a vertical privilege escalation that I found recently.
Step 1 : Logged in to the application as a low-privileged user and intercepted the request after entering the password.
Step 2 : Forwarded the requests one by one and observed the request in which “getPrivileges.####?Selected####=” was present.
Step 3 : Decoded the value of ‘param’, replaced the value of the ‘SelectroleName’ parameter with that of a high-privileged user such as ‘Super+Admin’, then re-encoded it and forwarded the request.
Step 4 : Got access to the Super Admin modules. Then clicked on “Master data” and intercepted the request. Decoded the value of the param field, replaced the value of the ‘user id’ parameter with that of a high-privileged user such as ‘Super+Admin’, then re-encoded it and forwarded the request.
Step 5 : Forwarded the request, decoded the value of the ‘param’ field, replaced the value of the ‘SelectroleName’ parameter with that of a high-privileged user such as ‘Super+Admin’, then re-encoded it and forwarded the request.
Step 6 : Booom...!! I got access to the Super Admin modules and was able to edit the data as well.
This exploit was possible because the application did not implement a proper mapping of each user to the privileges that user is actually entitled to: the role and user id sent by the client were trusted as-is.
Solution
1. Implement server-side mapping of the user to their respective privileges. Features applicable to a given privilege level should be accessible strictly to users of that level, regardless of what the client sends.
2. Implement strong session management and log the user out if parameters are tampered with at any time.
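To make the two solutions concrete, here is an added example (not code from this writeup or from the application it describes) that puts a handler trusting the client-supplied ‘SelectroleName’ beside a hardened one. The encoding of ‘param’ (base64 over a query string), the role table and the session store are assumptions; the hardened handler takes the role from the server-side session and, when the client's ‘SelectroleName’ or ‘user id’ disagrees with it, treats that as tampering and destroys the session, as solution 2 recommends.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed server-side data (assumptions for this example): the modules
# each role may use, and the user/role bound to each authenticated session.
ROLE_MODULES = {
    "User": {"dashboard"},
    "Super Admin": {"dashboard", "master_data"},
}
SESSIONS = {
    "sess-low": {"user_id": "u100", "role": "User"},
}


def decode_param(param: str) -> dict:
    """Decode the 'param' field. The writeup does not name the encoding the
    application used; base64 over a URL-encoded query string is assumed."""
    raw = base64.b64decode(param).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}


def encode_param(fields: dict) -> str:
    """Inverse of decode_param; 'Super Admin' becomes 'Super+Admin' on the wire."""
    return base64.b64encode(urlencode(fields).encode()).decode()


def get_privileges_vulnerable(session_id: str, param: str) -> set:
    """The flaw from the writeup: the role is read from the client's param,
    so anyone with a valid session can claim any role."""
    if session_id not in SESSIONS:
        return set()
    role = decode_param(param).get("SelectroleName", "User")
    return ROLE_MODULES.get(role, set())


def get_privileges_hardened(session_id: str, param: str) -> set:
    """Solution 1: privileges come from the server-side session, never from
    the request. Solution 2: a claimed role or user id that does not match
    the session is tampering, so the session is invalidated (user logged out)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return set()
    claimed = decode_param(param)
    if (claimed.get("SelectroleName", session["role"]) != session["role"]
            or claimed.get("user id", session["user_id"]) != session["user_id"]):
        SESSIONS.pop(session_id, None)  # log the user out on tampering
        return set()
    return ROLE_MODULES[session["role"]]
```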