LPET -- Mining MS-Windows Software Privilege Escalation Vulnerabilities by Monitoring Interactive Behavior

Local Privilege Escalation (LPE) is a common attack vector used by attackers to gain higher-level permissions. In this poster, we present a system called LPET to mine LPE vulnerabilities of third-party software in MS-Windows. Our insight is that the LPE is often caused by the interactions between high-privilege processes and user-controllable files. The interactions include creating a file, starting a process and others. Based on this observation, LPET first monitors software behaviors and constructs a directed interaction graph to abstract entities, such as files and processes, and their interactions. Then LPET analyzes exploiting paths from the graph by extracting user-controllable entities and checking their privileges. Finally, LPET verifies the exploiting paths using replacement or hijacking attacks. In the preliminary experiments, LPET found vulnerabilities in various software. Moreover, we discovered a common weakness pattern that some components were executed by software with high privilege after being released in the user-controllable temporary directory during installation, update, and uninstallation. By replacing the components, attackers with low privilege can hijack the execution flow of software to execute their codes with high privilege. We found that a wide range of software suffers from this weakness pattern, including Cisco AnyConnect, Dropbox, Notepad++.