Privilege Escalation

Technical Description

Privilege Escalation occurs when an attacker gains access rights or permissions beyond what was originally granted, elevating from a lower-privilege context to a higher-privilege one. This vulnerability class spans application-layer access control through operating system and infrastructure-level permissions.

Privilege escalation is categorized into two types:

• Vertical Privilege Escalation: A lower-privileged user gains access to functions or data reserved for higher-privileged users. For example, a standard user accessing administrative functionality, or a container process gaining root access on the host.
• Horizontal Privilege Escalation: A user accesses resources belonging to another user at the same privilege level (closely related to IDOR). While the privilege level does not change, the scope of access expands beyond authorization.

At the application layer, privilege escalation typically exploits:

• Missing Function-Level Access Control: Administrative endpoints that only hide UI elements but do not enforce authorization server-side. For example, the admin panel link is not shown to regular users but /admin/users is accessible to anyone who knows the URL.
• Role Manipulation: Applications that trust client-side role assignments. A user modifies their JWT claim from "role": "user" to "role": "admin", or changes a hidden form field or cookie value that specifies their privilege level.
• Parameter Tampering: Modifying request parameters that control authorization, such as isAdmin=true, role=administrator, or user_type=staff in POST bodies, cookies, or headers.

// Vulnerable - role stored in client-accessible JWT without server validation
const token = jwt.sign({
  userId: user.id,
  role: user.role  // Attacker modifies this claim
}, secret, { expiresIn: '24h' });

// Server trusts the role from the token without database verification
app.get('/admin/users', (req, res) => {
  const decoded = jwt.verify(req.headers.authorization, secret);
  if (decoded.role === 'admin') {  // Only checks the JWT claim
    return res.json(await User.find());
  }
  return res.status(403).json({ error: 'Forbidden' });
});

At the infrastructure layer, privilege escalation targets:

• SUID/SGID Binaries: Misconfigured binaries with the SUID bit set that can be exploited to execute commands as root. Tools like GTFOBins catalog hundreds of such binaries.
• Kernel Exploits: Vulnerabilities in the OS kernel that allow unprivileged processes to gain root access (e.g., DirtyPipe CVE-2022-0847, DirtyCow CVE-2016-5195).
• Container Escapes: Breaking out of container isolation to access the host system through misconfigured mounts, excessive capabilities, or kernel vulnerabilities.
• Cloud IAM Misconfigurations: Overly permissive IAM policies, role chaining, or metadata service access that allows escalation from a compromised application instance to broad cloud infrastructure access.

Real-World Impact

Privilege escalation is a critical phase in virtually every major security incident:

• SolarWinds (2020): After the initial supply chain compromise, attackers used privilege escalation within Active Directory (Golden SAML and token forging) to gain access to high-value targets including US government agencies and major technology companies.
• PrintNightmare / CVE-2021-34527 (2021): A privilege escalation vulnerability in the Windows Print Spooler service allowed any authenticated user to gain SYSTEM-level access on Windows servers and domain controllers. It was actively exploited by ransomware groups.
• Kubernetes Privilege Escalation (CVE-2018-1002105): A critical vulnerability in Kubernetes allowed any authenticated user to escalate to cluster-admin privileges, providing full control over all containers, secrets, and resources in the cluster.

Privilege escalation transforms limited initial access into complete organizational compromise. Every penetration test or real attack follows the pattern: initial access, privilege escalation, lateral movement, objective completion. Preventing escalation is critical to containing breaches.

Detection Methodology

Detecting privilege escalation requires testing authorization at every level:

1. Vertical Access Testing: Authenticate as a low-privilege user and attempt to access every administrative endpoint, function, and API route. Compare the full sitemap available to admin users against what low-privilege users can actually access (not just what the UI shows).
2. Role Manipulation: Modify role-related fields in JWTs, cookies, session data, and request parameters. Test whether the server validates roles against the database or trusts client-supplied values.
3. Forced Browsing: Enumerate administrative paths through directory brute-forcing, JavaScript analysis, and sitemap/robots.txt review. Test discovered paths with low-privilege credentials.
4. API Authorization Matrix: Build a complete matrix of API endpoints versus user roles and systematically test every combination. This is the most thorough approach for complex applications.
5. Infrastructure Assessment: On the host level, enumerate SUID binaries, cron jobs, writable system files, kernel version and known exploits, container configurations, and cloud IAM policies.

How Revaizor Discovers This

Revaizor’s AI agents approach privilege escalation testing with the methodology of an experienced red team operator:

• Automated Authorization Matrix: Revaizor builds a comprehensive authorization matrix by authenticating as users at every available privilege level and mapping the full set of accessible endpoints, features, and data for each role. It then systematically cross-tests, attempting to access higher-privilege resources from lower-privilege sessions.
• Role Boundary Testing: Revaizor identifies every mechanism that communicates user roles (JWT claims, session attributes, request parameters, headers) and tests manipulation of each. It detects subtle flaws like applications that validate roles for some endpoints but not others.
• Multi-Step Escalation Chains: Revaizor does not just test direct escalation. It identifies chains where combining multiple low-severity findings creates a privilege escalation path. For example, using an information disclosure to learn admin endpoint paths, then exploiting missing authorization on one of those endpoints.
• Infrastructure-Aware Testing: When testing in environments that include infrastructure access, Revaizor evaluates cloud IAM configurations, container security settings, and network segmentation to identify escalation paths from application compromise to infrastructure control.
• Business Logic Escalation: Revaizor understands application-specific privilege boundaries and tests business logic flows for escalation opportunities: approving your own requests, modifying your own role through profile updates, or accessing multi-tenancy boundaries.

Remediation

Preventing privilege escalation requires enforcing authorization consistently at every layer:

# Vulnerable - only UI hides admin functionality
@app.route('/admin/delete-user/<user_id>', methods=['DELETE'])
@login_required  # Only checks authentication, not authorization
def delete_user(user_id):
    User.query.get(user_id).delete()
    return jsonify({'status': 'deleted'})

# Secure - explicit role verification
from functools import wraps

def require_role(role):
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            if current_user.role != role:
                abort(403)
            return f(*args, **kwargs)
        return decorated
    return decorator

@app.route('/admin/delete-user/<user_id>', methods=['DELETE'])
@login_required
@require_role('admin')  # Explicit authorization check
def delete_user(user_id):
    User.query.get(user_id).delete()
    return jsonify({'status': 'deleted'})

Comprehensive privilege escalation prevention:

• Server-Side Authorization on Every Request: Never trust client-side role information. Verify the user’s current role from the database or authorization service on every request. Implement authorization checks in middleware or decorators applied consistently to all routes.
• Principle of Least Privilege: Grant the minimum permissions necessary at every level: application roles, database accounts, OS users, container capabilities, and cloud IAM policies. Regularly audit and prune excessive permissions.
• Role-Based Access Control (RBAC): Implement a centralized RBAC system where permissions are defined declaratively and enforced by a single authorization engine. Tools like OPA (Open Policy Agent), Casbin, or CASL provide policy-as-code frameworks.
• Default Deny: Authorization systems should deny access by default. Users should only access resources that are explicitly permitted by their role, not everything except what is explicitly denied.
• Infrastructure Hardening: Remove unnecessary SUID binaries, keep kernels patched, restrict container capabilities to the minimum required, enforce pod security standards in Kubernetes, and implement cloud IAM boundaries with service control policies.
• Monitoring and Alerting: Log all authorization decisions, especially denials. Alert on patterns that suggest privilege escalation attempts: repeated access to administrative endpoints, role manipulation in requests, and successful access to resources outside normal usage patterns.