All posts by rocco

CWE-268 – Privilege Chaining

Description

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-269

Consequences

Access Control: Gain Privileges or Assume Identity

A user can be given or gain access rights of another user. This can give the user unauthorized access to sensitive information including the access information of another user.

Potential Mitigations

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CVE References

  • CVE-2002-1772
    • Gain certain rights via privilege chaining in alternate channel.
  • CVE-2005-1973
    • Application is allowed to assign extra permissions to itself.
  • CVE-2003-0640
    • “operator” user can overwrite usernames and passwords to gain admin privileges.

CWE-269 – Improper Privilege Management

Description

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-284

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

Follow the principle of least privilege when assigning access rights to entities in a software system.

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CVE References

  • CVE-2001-1555
    • Terminal privileges are not reset when a user logs out.
  • CVE-2001-1514
    • Does not properly pass security context to child processes in certain cases, allows privilege escalation.
  • CVE-2005-2741
    • Product allows users to grant themselves certain rights that can be used to escalate privileges.
  • CVE-2005-2496
    • Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
  • CVE-2004-0274
    • Product mistakenly assigns a particular status to an entity, leading to increased privileges.
  • CVE-2007-4217
    • FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.
  • CVE-2007-5159
    • OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
  • CVE-2008-4638
    • Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
  • CVE-2007-3931
    • Installation script installs some programs as setuid when they shouldn’t be.
  • CVE-2002-1981
    • Roles have access to dangerous procedures (Accessible entities).
  • CVE-2002-1671
    • Untrusted object/method gets access to clipboard (Accessible entities).
  • CVE-2000-0315
    • Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
  • CVE-2000-0506
    • User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).

CWE-27 – Path Traversal: ‘dir/../../filename’

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal “../” sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-23

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-0298
    • Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several “/../” sequences, or several “../” in a URI.

CWE-270 – Privilege Context Switching Error

Description

The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-269

Consequences

Access Control: Gain Privileges or Assume Identity

A user can assume the identity of another user with separate privileges in another context. This will give the user unauthorized access that may allow them to acquire the access information of other users.

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CVE References

  • CVE-2002-1688
    • Web browser cross domain problem when user hits “back” button.
  • CVE-2003-1026
    • Web browser cross domain problem when user hits “back” button.
  • CVE-2002-1770
    • Cross-domain issue – third party product passes code to web browser, which executes it in unsafe zone.
  • CVE-2005-2263
    • Run callback in different security context after it has been changed from untrusted to trusted. Note that “context switch before actions are completed” is one type of problem that happens frequently, especially in browsers.

CWE-271 – Privilege Dropping / Lowering Errors

Description

The software does not drop privileges before passing control of a resource to an actor that does not have those privileges.

In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-269

Consequences

Access Control: Gain Privileges or Assume Identity

If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.

Access Control, Non-Repudiation: Gain Privileges or Assume Identity, Hide Activities

If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CVE References

  • CVE-2000-1213
    • Program does not drop privileges after acquiring the raw socket.
  • CVE-2001-0559
    • Setuid program does not drop privileges after a parsing error occurs, then calls another program to handle the error.
  • CVE-2001-0787
    • Does not drop privileges in related groups when lowering privileges.
  • CVE-2002-0080
    • Does not drop privileges in related groups when lowering privileges.
  • CVE-2001-1029
    • Does not drop privileges before determining access to certain files.
  • CVE-1999-0813
    • Finger daemon does not drop privileges when executing programs on behalf of the user being fingered.
  • CVE-1999-1326
    • FTP server does not drop privileges if a connection is aborted during file transfer.
  • CVE-2004-2504
    • Windows program running as SYSTEM does not drop privileges before executing other programs (many others like this, especially involving the Help facility).
  • CVE-2004-0213
    • Utility Manager launches winhlp32.exe while running with raised privileges, which allows local users to gain system privileges.
  • CVE-2004-0806
    • Setuid program does not drop privileges before executing program specified in an environment variable.
  • CVE-2004-0828
    • Setuid program does not drop privileges before processing file specified on command line.
  • CVE-2004-2070
    • Service on Windows does not drop privileges before using “view file” option, allowing code execution.

CWE-272 – Least Privilege Violation

Description

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-271

Consequences

Access Control, Confidentiality: Gain Privileges or Assume Identity, Read Application Data, Read Files or Directories

An attacker may be able to access resources with the elevated privilege that could not be accessed with the attacker’s original privileges. This is particularly likely in conjunction with another flaw, such as a buffer overflow.

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

Follow the principle of least privilege when assigning access rights to entities in a software system.

Phase: Architecture and Design

Description: 

CVE References

CWE-273 – Improper Check for Dropped Privileges

Description

The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.

In Windows based environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security — although in different threads it may have much higher privileges.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-754
CWE-271
CWE-252

Consequences

Access Control: Gain Privileges or Assume Identity

If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.

Access Control, Non-Repudiation: Gain Privileges or Assume Identity, Hide Activities

If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Effectiveness: High

Description: 

Check the results of all functions that return a value and verify that the value is expected.

Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment.

Phase: Implementation

Description: 

In Windows, make sure that the process token has the SeImpersonatePrivilege (Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.

CVE References

  • CVE-2006-4447
    • Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
  • CVE-2006-2916
    • Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
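An added example, not code from the original posts or from MITRE, that carries the CWE-271, CWE-272 and CWE-273 mitigations through in C on Linux/glibc: drop the supplementary groups, the GID and the UID in the only order that works, check every return value, and then verify the drop (including that root cannot be regained) instead of assuming it. The target 65534:65534 and the function names are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1 /* declares setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
/* 1 if the real and effective user and group IDs are exactly the target. */
int ids_match(uid_t uid, gid_t gid) {
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

/* 1 if the supplementary group list holds nothing but `gid`; inherited groups are the
 * "related groups" that were left behind in CVE-2001-0787 and CVE-2002-0080. */
int only_group(gid_t gid) {
    gid_t groups[64];
    int n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);
    if (n < 0) return 0; /* error, or more groups than fit: treat as not dropped */
    for (int i = 0; i < n; i++)
        if (groups[i] != gid) return 0;
    return 1;
}

/* 1 if root cannot be regained: a drop that changed only the effective UID leaves the
 * saved set-user-ID at 0, and setuid(0) would quietly succeed. */
int cannot_regain_root(void) {
    return setuid(0) != 0;
}

/* CWE-273: the verification a privilege drop must end with. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return 0;
    return ids_match(uid, gid) && only_group(gid) && cannot_regain_root();
}

/* CWE-271/272: drop in this order, because once the UID is unprivileged the process
 * can no longer change its group IDs. Every return value is checked. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1; /* "dropping" to root is not a drop */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1; /* real, effective and saved GID */
    if (setuid(uid) != 0) return -1; /* real, effective and saved UID */
    return privileges_dropped(uid, gid) ? 0 : -1; /* never trust the calls alone */
}

int main(void) {
    /* Target 65534:65534 ("nobody" on many systems) is a constructed demo value. */
    if (geteuid() != 0) { puts("not root: nothing to drop"); return 0; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    puts("now running unprivileged");
    return 0;
}
```

For the chroot() case in CWE-272 the same sequence applies after chroot() and chdir("/"), since those calls are the last ones that need root.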

CWE-274 – Improper Handling of Insufficient Privileges

Description

The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-703
CWE-269
CWE-271
CWE-280

Consequences

Other: Other, Alter Execution Logic

Potential Mitigations

CVE References

  • CVE-2001-1564
    • System limits are not properly enforced after privileges are dropped.
  • CVE-2005-3286
    • Firewall crashes when it can’t read a critical memory block that was protected by a malicious process.
  • CVE-2005-1641
    • Does not give admin sufficient privileges to overcome otherwise legitimate user actions.

CWE-276 – Incorrect Default Permissions

Description

During installation, installed file permissions are set to allow anyone to modify those files.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-732

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

The architecture needs to restrict the access and modification attributes of files to only those users who actually require those actions.

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1550
    • World-writable log files allow information loss; world-readable file has cleartext passwords.
  • CVE-2002-1844
    • Windows product uses insecure permissions when installing on Solaris (genesis: port error).
  • CVE-2001-0497
    • Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
  • CVE-1999-0426
    • Default permissions of a device allow IP spoofing.

CWE-277 – Insecure Inherited Permissions

Description

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-732

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2002-1786
    • Insecure umask for core dumps [is the umask preserved or assigned?].