Can Huang
ABSTRACT
Local Privilege Escalation (LPE) is a common attack vector used by attackers to gain higher-level permissions. In this poster, we present a system called LPET to mine LPE vulnerabilities of third-party software in MS-Windows. Our insight is that the LPE is often caused by the interactions between high-privilege processes and user-controllable files. The interactions include creating a file, starting a process and others. Based on this observation, LPET first monitors software behaviors and constructs a directed interaction graph to abstract entities, such as files and processes, and their interactions. Then LPET analyzes exploiting paths from the graph by extracting user-controllable entities and checking their privileges. Finally, LPET verifies the exploiting paths using replacement or hijacking attacks. In the preliminary experiments, LPET found vulnerabilities in various software. Moreover, we discovered a common weakness pattern that some components were executed by software with high privilege after being released in the user-controllable temporary directory during installation, update, and uninstallation. By replacing the components, attackers with low privilege can hijack the execution flow of software to execute their codes with high privilege. We found that a wide range of software suffers from this weakness pattern, including Cisco AnyConnect, Dropbox, Notepad++.
- 2016. PowerUp. [Online]. https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp.Google Scholar
- 2020. PrivescCheck. [Online]. https://github.com/itm4n/PrivescCheck.Google Scholar
- MITRE ATT&CK. 2020. Privilege Escalation. [Online]. https://attack.mitre.org/TA0004/.Google Scholar
- Ryan James Berg, Larry Rose, John Peyton, John J Danahy, Robert Gottlieb, and Chris Rehbein. 2008. Method and system for detecting privilege escalation vulnerabilities in source code. US Patent 7,418,734.Google Scholar
- Jie Liu, Da He, Yifan Wang, Jianfeng Chen, and Zhihong Rao. 2020. Software Vulnerability Mining Based on the Human-Computer Coordination. In International Conference on Intelligent Human Systems Integration. Springer, 532--538.Google Scholar
- AS Markov, AA Fadin, and VL Tsirlov. 2016. Multilevel metamodel for heuristic search of vulnerabilities in the software source code. International Journal of Control Theory and Applications, Vol. 9, 30 (2016), 313--320.Google Scholar
- Microsoft. 2018. Event Tracing. [Online]. https://docs.microsoft.com/en-us/windows/desktop/ETW/event-tracing-portal.Google Scholar
- Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. 2010. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In 2010 IEEE Symposium on Security and Privacy. IEEE, 497--512.Google ScholarDigital Library
- Eugene Yang. 2018. Fuzz testing & software composition analysis in software engineering. In 2018 International Symposium on VLSI Design, Automation and Test (VLSI-DAT). IEEE, 1--3.Google ScholarCross Ref
Index Terms
- LPET -- Mining MS-Windows Software Privilege Escalation Vulnerabilities by Monitoring Interactive Behavior
Recommendations
Detecting Privilege Escalation Attacks through Instrumenting Web Application Source Code
SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and TechnologiesPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a ...
Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes
AbstractCyberattacks, especially attacks that exploit operating system vulnerabilities, have been increasing in recent years. In particular, if administrator privileges are acquired by an attacker through a privilege escalation attack, the attacker can ...
Automating Privilege Escalation with Deep Reinforcement Learning
AISec '21: Proceedings of the 14th ACM Workshop on Artificial Intelligence and SecurityAI-based defensive solutions are necessary to defend networks and information assets against intelligent automated attacks. Gathering enough realistic data for training machine learning-based defenses is a significant practical challenge. An intelligent ...
Comments