
Section 5.6 Outcomes

Subsection 5.6.1 Remote Code Execution (RCE)

One of the most dangerous outcomes of an attack is Remote or Arbitrary Code Execution. RCE gives the attacker the ability to execute any instructions they want on the compromised machine. Often the attacker will start a shell with administrative privileges so they can do whatever they want. Imagine SSHing into a remote Linux machine and elevating your privileges to root. This is essentially the type of power that can result from RCE. Attackers may also use the RCE to attack the availability of a computing resource by causing a program to terminate. In this situation the RCE is being used as part of a denial of service (DoS) attack.

Subsection 5.6.2 Privilege Escalation

There is no elevator to root, you have to use an exploit.
— Anonymous
Figure 5.6.1. Privilege Escalation (diagram: three steps of increasing height labeled "User," "Admin," and "Super Admin," with an arrow rising diagonally across them from the lowest privilege level to the highest)
Privilege escalation involves gaining access to protected resources through unintended means. An example is CVE-2021-4034 (cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034), a local privilege escalation vulnerability recently discovered in the Linux pkexec command. pkexec runs with elevated privileges and does not safely parse command line arguments, so it can be exploited to give a regular user a root shell. This is an example of local, vertical privilege escalation.
Privilege escalation is typically broken into two categories: horizontal and vertical. Horizontal privilege escalation gives similar access to resources, i.e., moving from one user account to another. Vertical privilege escalation gives higher-level access, i.e., moving from a user account to an admin account. The five main ways privilege escalation is achieved are credential exploitation, vulnerabilities/exploits, misconfigurations, malware, and social engineering.

Subsection 5.6.3 Denial of Service (DoS)

A denial of service attack (DoS) attempts to keep a system from working by overwhelming it with requests. A distributed denial of service attack (DDoS) does the same thing by utilizing many different machines. Typically the attacking nodes in a DDoS attack are members of a botnet: machines that have been exploited previously and are under the attacker's control.
DoS attacks can take many forms, including:
SYN Floods: A malicious actor can send multiple SYN packets to initiate the TCP three-way handshake. SYN packets are easy to send, but may cause significant resources to be allocated on the server responding to them. Because of this asymmetric resource allocation, SYN packets are particularly well suited to DoS attacks. SYN cookies (en.wikipedia.org/wiki/SYN_cookies) can be used to help prevent this kind of attack.
ICMP Floods: Often referred to as pinging, ICMP echo requests can be used to overwhelm a server, especially when sent from multiple sources. The solution is typically to rate limit ICMP packets on the server.
Buffer Overflows/Exploits: Poorly designed software may fail when it receives unexpected data. This could be something as simple as sending more data than a buffer can hold, or setting the urgent pointer (URG) on a packet destined for port 139 of a Windows system (en.wikipedia.org/wiki/WinNuke).
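The SYN cookie defense mentioned above, as an added example that is not part of this section: the server encodes a counter, the client's MSS, and a keyed MAC into the 32-bit initial sequence number of its SYN-ACK instead of allocating a half-open connection, and only reconstructs state if the final ACK echoes a valid cookie. The bit layout and secret are constructed for this demonstration and are simpler than the Linux kernel's real scheme.

```python
import hashlib
import hmac
import struct
import time

# Simplified SYN cookie layout (constructed for this example):
#   bits 31..27  5-bit counter that advances every 64 seconds
#   bits 26..24  3-bit index into MSS_TABLE (client MSS, rounded down)
#   bits 23..0   truncated HMAC over the connection 4-tuple and the counter
MSS_TABLE = (536, 1220, 1440, 1460)
SECRET = b"constructed-demo-secret"  # a real server rotates this periodically


def _counter(now):
    return (int(now) // 64) & 0x1F


def _mac(saddr, daddr, sport, dport, counter):
    msg = saddr.encode() + daddr.encode() + struct.pack("!HHB", sport, dport, counter)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]  # 24 bits


def make_cookie(saddr, daddr, sport, dport, mss, now=None):
    """Server side: the ISN to send in the SYN-ACK. Nothing is stored."""
    now = time.time() if now is None else now
    counter = _counter(now)
    idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry <= client's MSS
        if m <= mss:
            idx = i
    mac = int.from_bytes(_mac(saddr, daddr, sport, dport, counter), "big")
    return (counter << 27) | (idx << 24) | mac


def check_cookie(cookie, saddr, daddr, sport, dport, now=None, max_age=2):
    """Server side, on the final ACK: cookie is (ack_number - 1) & 0xFFFFFFFF.
    Returns the recovered MSS if the cookie is genuine and fresh, else None."""
    now = time.time() if now is None else now
    counter = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    if (_counter(now) - counter) % 32 > max_age:
        return None  # stale: issued more than max_age * 64 seconds ago
    expected = _mac(saddr, daddr, sport, dport, counter)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None  # forged, or replayed against a different 4-tuple
    return MSS_TABLE[idx]
```

Because the cookie only has room for a few bits of TCP option state, a server that falls back to cookies under flood loses options such as window scaling for those connections; that is the usual trade-off of this defense.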

Example 5.6.2. Remote Shells.

As you have hopefully experienced by completing the labs, Linux systems traditionally have a powerful shell system that uses text commands to control the OS. Through the shell you can create, read, update, or delete files, make network connections, configure kernel parameters, install packages, etc. In fact, all modern operating systems have shells that can be used to control them. On a Windows machine, having access to PowerShell running as an Administrator is all an attacker would need to have complete control over the system. Often the outcome of an attack is being able to interact with a shell remotely on the exploited machine.
In this scenario we say the victim is running a remote shell. Remote shells can run in the background on a victim machine listening on a port for an attacker to connect, but often the exploited machine may not actually have an external IP the attacker can use to connect. In these instances a reverse shell is used. A reverse shell reaches out from the victim to the attacker and establishes a connection from the inside. This is more compatible with the firewalls/NAT routers that sit between most devices and the Internet.
In either case, having privileged shell access to a machine over a remote connection allows an attacker to do essentially anything they want. To that end, many tools have sprung up to provide remote shell access. A machine may already have a remote shell tool installed, such as an SSH server. Barring that, Netcat (netcat.sourceforge.net/) can be used with any executable to provide access to it over a network. Metasploit (www.metasploit.com/), a very popular pentesting framework, comes with many payloads, most of which are shells of various types. Programs also exist to run shells over ICMP, Discord, IRC, or even DNS!
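A defender-side heuristic for the bind and reverse shells described in this example, added here and not part of the book: a shell process whose standard input, output, and error are network sockets rather than a terminal is the fingerprint such tools leave on a host. The process snapshot below is constructed; snapshot_from_proc shows how the same fields are read from a live Linux /proc.

```python
import os

# Heuristic: a shell (sh, bash, ...) normally has a pty or pipe on fds 0-2.
# A shell whose fds 0-2 point at a socket is wired directly to the network,
# which is how bind/reverse shells operate. Snapshot format is constructed
# to mirror /proc/<pid>/exe, /proc/<pid>/stat and readlink(/proc/<pid>/fd/N).
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "pwsh", "powershell"}

SNAPSHOT = [  # constructed sample
    {"pid": 1201, "ppid": 1200, "exe": "/usr/bin/bash",
     "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},  # login shell, benign
    {"pid": 4470, "ppid": 4401, "exe": "/usr/bin/nc",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[91234]"}},
    {"pid": 4471, "ppid": 4470, "exe": "/bin/sh",
     "fds": {0: "socket:[91234]", 1: "socket:[91234]", 2: "socket:[91234]"}},  # suspicious
]


def is_shell(exe):
    return os.path.basename(exe) in SHELL_NAMES


def socket_stdio(fds):
    return [fd for fd in (0, 1, 2) if fds.get(fd, "").startswith("socket:")]


def find_socket_shells(snapshot):
    """Return one finding per shell whose stdin/stdout/stderr are sockets."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for p in snapshot:
        fds = socket_stdio(p["fds"])
        if is_shell(p["exe"]) and fds:
            parent = by_pid.get(p["ppid"])
            findings.append({"pid": p["pid"], "exe": p["exe"], "socket_fds": fds,
                             "parent_exe": parent["exe"] if parent else None})
    return findings


def snapshot_from_proc(proc="/proc"):
    """Build the same structure from a live Linux /proc (root sees all processes)."""
    out = []
    for name in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "stat")) as f:  # "pid (comm) state ppid ..."
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            fds = {int(fd): os.readlink(os.path.join(base, "fd", fd))
                   for fd in os.listdir(os.path.join(base, "fd"))}
        except OSError:
            continue  # process exited or is not readable by this user
        out.append({"pid": int(name), "ppid": ppid, "exe": exe, "fds": fds})
    return out
```

Services started by inetd-style supervisors legitimately run with socket stdio, so a deployed version of this rule needs an allowlist for those parents; shells spawned by sshd are not flagged because they sit on a pseudo-terminal.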