Privilege escalation attacks consist of exploiting a bug or design flaw in a software application to gain access to resources that are normally protected from an application or user. The result is that the application allows actions with privileges beyond an acceptable level for the specific user. There are three main forms of privilege escalation, the most serious being vertical privilege escalation; an example would be a regular read-only user acquiring admin rights. Next there is horizontal privilege escalation, where for example a user with rights in the accounting database might acquire access to the human resources database. Finally, there is privilege de-escalation, where a successful attack causes a user to lose some of the rights required to perform their job.
A major issue within an organization directly related to privilege escalation attacks is user access to a database. We often talk about abusive or malicious insiders in relation to these attacks. A primary problem is the fact that most organizations do not know, and cannot document, who has access, or how much access they have to sensitive data on an enterprise database system.
A few examples follow…
SYS.DBMS_CDC_IMPDP is a package that, in older unpatched versions of Oracle, contains procedures vulnerable to SQL injection that allow privilege escalation. By default, the package is granted to PUBLIC and is owned by the SYS schema in Oracle Database 10g.
Exploiting this SQL injection can result in commands being executed with the elevated privileges of the SYS user, because package owners usually hold elevated privileges, which makes it a potential security problem in Oracle Database 10g.
Another privilege escalation vector is SYS.DBMS_DBUPGRADE, which contains a SQL injection flaw that ultimately allows any user with EXECUTE privilege on this package to run commands with the elevated privileges of the SYS user.
Know Your Rights!
A best practice for granting access and permissions to database users within an organization is the principle of least privilege (PLP). It requires that users have the fewest privileges needed to perform their specific duties. Users should not be granted access to sensitive information that is not required to perform their jobs, nor, in general, have privileges to execute any non-essential actions.
Collecting and documenting a comprehensive list of all the rights a user has been granted (or has not been granted) can be a daunting task. Privileges should never be assigned directly to users, but only to roles or groups of which the users are members. Always make sure that users are not assigned to groups with unnecessary privileges.
Implementing a user rights management solution will help an organization to discover, document and address the web of privileges and permissions that exist in the database environment. In addition, it will help identify abusive users and allow organizations to meet separation of duties requirements of major compliance regulations.
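As an added example (not code from the original article), the following Oracle SQL shows how a DBA would check who can execute the two SYS packages named above, withdraw the PUBLIC grant, re-grant through a role as the least-privilege section recommends, and list privileges granted directly to user accounts. The role name cdc_import_admin and the account dp_import_user are constructed; it assumes a DBA session on an Oracle database.

```sql
-- Added example, not from the original article. Run as a DBA.
-- Names other than the two SYS packages from the article are constructed.

-- 1. Who can execute the two packages? A row with GRANTEE = 'PUBLIC'
--    means every account in the database inherits the privilege.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_CDC_IMPDP', 'DBMS_DBUPGRADE')
 ORDER BY table_name, grantee;

-- 2. Remove the blanket grant. Applying the vendor patch is the real fix;
--    the revoke limits exposure on an unpatched system. Test first, since
--    Oracle features (e.g. Data Pump import of CDC objects) may rely on it.
REVOKE EXECUTE ON SYS.DBMS_CDC_IMPDP FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_DBUPGRADE FROM PUBLIC;

-- 3. Least privilege: re-grant through a role (constructed name), never
--    directly to a user account (constructed name).
CREATE ROLE cdc_import_admin;
GRANT EXECUTE ON SYS.DBMS_CDC_IMPDP TO cdc_import_admin;
GRANT cdc_import_admin TO dp_import_user;

-- 4. Audit: object and system privileges held directly by user accounts
--    rather than by roles. Oracle-maintained accounts beyond SYS/SYSTEM
--    will also appear; review and exclude them as appropriate.
SELECT p.grantee,
       'OBJECT' AS kind,
       p.owner || '.' || p.table_name AS granted_on,
       p.privilege
  FROM dba_tab_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE u.username NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT s.grantee,
       'SYSTEM' AS kind,
       'n/a' AS granted_on,
       s.privilege
  FROM dba_sys_privs s
  JOIN dba_users u ON u.username = s.grantee
 WHERE u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2, 4;
```

Step 4 is the starting point for the rights inventory the text describes: any row it returns is a privilege that should be moved onto a role or revoked.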
Alex Rothacker is the manager of the SHATTER research team at Application Security.