Editing Privilege escalation (section)
===Examples===
In some cases, a high-privilege application assumes that it would only be provided with input matching its interface specification and therefore does not validate that input. An attacker may then be able to exploit this assumption in order to run unauthorized code with the application's privileges:
*Some [[Windows service]]s are configured to run under the Local System user account. A vulnerability such as a [[buffer overflow]] may be used to execute arbitrary code with privilege elevated to Local System. Alternatively, a system service that is impersonating a lesser user can elevate that user's privileges if errors are not handled correctly while the user is being impersonated (e.g. if the user has introduced a malicious [[exception handling|error handler]]).
*Under some legacy versions of the [[Microsoft Windows]] operating system, the All Users [[screensaver]] runs under the Local System account – any account that can replace the current screensaver [[executable|binary]] in the file system or [[Windows Registry|Registry]] can therefore elevate privileges.
*A Windows driver, for example kprocesshacker.sys, can be used to run programs like cmd.exe as built-in accounts, also providing access to TrustedInstaller. Another method is to use a kernel driver like winring0.sys to run programs with kernel access. This driver can also be exploited to run programs as an administrator, bypassing UAC.<ref>{{cite web |title=CVE-2020-14979 Detail |url=https://nvd.nist.gov/vuln/detail/cve-2020-14979 |publisher=[[NIST]] [[National Vulnerability Database|NVD]] |access-date=19 March 2025 |url-status=live}}</ref>
*In certain versions of the [[Linux kernel]] it was possible to write a program that would set its current directory to <code>/etc/cron.d</code>, request that a [[core dump]] be performed in case it crashes, and then have itself [[kill (Unix)|killed]] by another process. The core dump file would have been placed in the program's current directory, that is, <code>/etc/cron.d</code>, and <code>[[cron]]</code> would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under the attacker's control, the attacker would be able to execute any program with [[superuser|root]] privileges.
*[[Cross Zone Scripting]] is a type of privilege escalation attack in which a website subverts the security model of web browsers, thus allowing it to run malicious code on client computers.
*There are also situations where an application uses other high-privilege services and has incorrect assumptions about how a client could manipulate its use of these services. An application that can execute [[Command line]] or [[Unix shell|shell]] commands could have a [[Code injection|Shell Injection]] vulnerability if it uses unvalidated input as part of an executed command. An attacker would then be able to run system commands using the application's privileges.
*[[Texas Instruments]] calculators (particularly the [[TI-85]] and [[TI-82]]) were originally designed to use only interpreted programs written in dialects of [[TI-BASIC]]; however, after users discovered bugs that could be exploited to allow native [[Z-80]] code to run on the calculator hardware, TI released programming data to support third-party development. (This did not carry on to the [[ARM architecture|ARM]]-based [[TI-Nspire]], for which jailbreaks using [[TI-Nspire series#Ndless|Ndless]] have been found but are still actively fought against by Texas Instruments.)
*Some versions of the [[iPhone]] allow an unauthorised user to access the phone while it is locked.<ref>{{Cite web|author=Taimur Asad|url=http://www.redmondpie.com/ios-4.2-to-fix-ios-4.1-lockscreen-security-flaw/|title=Apple Acknowledges iOS 4.1 Security Flaw. Will Fix it in November with iOS 4.2|publisher=RedmondPie|date=October 27, 2010|access-date=November 5, 2010|archive-date=February 18, 2013|archive-url=https://web.archive.org/web/20130218041359/http://www.redmondpie.com/ios-4.2-to-fix-ios-4.1-lockscreen-security-flaw/|url-status=live}}</ref>
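The following is an added example, not part of the article, illustrating the opening paragraph's point (a privileged helper that assumes its input matches the interface specification) together with the Shell Injection item: the vulnerable helper splices an unvalidated file name into a shell command line, while the hardened helper enforces the specification and never invokes a shell. The helper, its `wc -c` task and the `SAFE_NAME` rule are assumptions made for the demonstration.

```python
"""Shell injection in a privileged helper: vulnerable vs. hardened form.
Constructed example for this article; not code from any real product."""
import os
import re
import subprocess
import tempfile

# Assumed interface specification: a plain file name inside the base
# directory. Anything else is rejected before any command is built.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def count_bytes_vulnerable(base_dir, name):
    """Unvalidated input spliced into a shell command line. The shell parses
    ';', '|', '$(...)' and friends, so the client decides what runs."""
    cmd = f"wc -c < {base_dir}/{name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def count_bytes_hardened(base_dir, name):
    """Validate against the specification, then call the program directly
    with an argv list: no shell is involved, so no metacharacter is ever
    interpreted, and the name can only be a file under base_dir."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name outside interface specification")
    path = os.path.join(base_dir, name)
    out = subprocess.run(["wc", "-c", path], capture_output=True,
                         text=True, check=True)
    return int(out.stdout.split()[0])


def demo():
    """Run both helpers on a constructed input containing a second command."""
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "report.txt"), "w") as f:
            f.write("hello")                      # 5 bytes
        injected = "report.txt; echo INJECTED"    # constructed malicious name
        vulnerable_output = count_bytes_vulnerable(base_dir, injected)
        try:
            count_bytes_hardened(base_dir, injected)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        return {"vulnerable_output": vulnerable_output,
                "hardened_rejected": hardened_rejected,
                "hardened_count": count_bytes_hardened(base_dir, "report.txt")}


if __name__ == "__main__":
    print(demo())
```

The vulnerable helper's output contains the line `INJECTED`, proving the appended command ran with the helper's privileges; the hardened helper refuses the same input before spawning any process.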