Execution with Unnecessary Privileges| ID: 250 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Class |
Description
The software performs an operation at a privilege level that is
higher than the minimum level required, which creates new weaknesses or
amplifies the consequences of other weaknesses.
Extended DescriptionNew weaknesses can be exposed because running with extra privileges, such
as root or Administrator, can disable the normal security checks being
performed by the operating system or surrounding environment. Other
pre-existing weaknesses can turn into security vulnerabilities if they occur
while operating at raised privileges.Privilege management functions can behave in some less-than-obvious ways,
and they have different quirks on different platforms. These inconsistencies
are particularly pronounced if you are transitioning from one non-root user
to another. Signal handlers and spawned processes run at the privilege of
the owning process, so if a process is running as root when a signal fires
or a sub-process is executed, the signal handler or sub-process will operate
with root privileges.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Installation
- Architecture and Design
- Operation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrityAvailabilityAccess_Control | Gain privileges / assume
identityExecute unauthorized code or
commandsRead application
dataDoS: crash / exit /
restart | An attacker will be able to gain access to any resources that are
allowed by the extra privileges. Common results include executing code,
disabling services, and reading restricted data. |
Detection Methods
| Name | Description | Effectiveness | Notes |
|---|
| Manual Analysis | This weakness can be detected using tools and techniques that require
manual (human) analysis, such as penetration testing, threat modeling,
and interactive tools that allow the tester to record and modify an
active session. | | |
| Black Box | Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.Attach the monitor to the process and perform a login. Look for
library functions and system calls that indicate when privileges are
being raised or dropped. Look for accesses of resources that are
restricted to normal users. | | |
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.250.2]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | |
| Architecture and Design | Separation of PrivilegeIdentify and Reduce Attack Surface | Identify the functionality that requires additional privileges, such
as access to privileged operating system resources. Wrap and centralize
this functionality if possible, and isolate the privileged code as much
as possible from other code [R.250.2]. Raise privileges as late as
possible, and drop them as soon as possible to avoid CWE-271. Avoid
weaknesses such as CWE-288 and CWE-420 by protecting all possible
communication channels that could interact with the privileged code,
such as a secondary socket that is only intended to be accessed by
administrators. | | |
| Implementation | | Perform extensive input validation for any privileged code that must
be exposed to the user and reject anything that does not fit your strict
requirements. | | |
| Implementation | | When dropping privileges, ensure that they have been dropped
successfully to avoid CWE-273. As protection mechanisms in the
environment get stronger, privilege-dropping calls may fail even if it
seems like they would always succeed. | | |
| Implementation | | If circumstances force you to run with extra privileges, then
determine the minimum access level necessary. First identify the
different permissions that the software and its users will need to
perform their actions, such as file read and write permissions, network
socket permissions, and so forth. Then explicitly allow those actions
while denying all else [R.250.2]. Perform extensive input validation and
canonicalization to minimize the chances of introducing a separate
vulnerability. This mitigation is much more prone to error than dropping
the privileges in the first place. | | |
| OperationSystem Configuration | Environment Hardening | Ensure that the software runs properly under the Federal Desktop Core
Configuration (FDCC) [R.250.4] or an equivalent hardening configuration
guide, which many organizations use to limit the attack surface and
potential risk of deployed software. | | |
RelationshipsThere is a close association with CWE-653 (Insufficient Separation of
Privileges). CWE-653 is about providing separate components for each
privilege; CWE-250 is about ensuring that each component has the least
amount of privileges possible.
| Related CWE | Type | View | Chain |
|---|
| CWE-250 ChildOf CWE-901 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code calls chroot() to restrict the application to a
subset of the filesystem below APP_HOME in order to prevent an attacker from
using the program to gain unauthorized access to files located elsewhere.
The code then opens a file specified by the user and processes the contents
of the file.
- This code temporarily raises the program's privileges to allow
creation of a new user folder.
Observed Examples
- CVE-2007-4217 : FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.
- CVE-2008-1877 : Program runs with privileges and calls another program with the same privileges, which allows read of arbitrary files.
- CVE-2007-5159 : OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
- CVE-2008-4638 : Composite: application running with high privileges allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file.
- CVE-2008-0162 : Program does not drop privileges before calling another program, allowing code execution.
- CVE-2008-0368 : setuid root program allows creation of arbitrary files through command line argument.
- CVE-2007-3931 : Installation script installs some programs as setuid when they shouldn't be.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Often Misused: Privilege Management | |
| CERT Java Secure Coding | SER09-J | Minimize privileges before deserializing from a privilege
context | |
References:
- Jerome H. Saltzer Michael D. Schroeder .The Protection of Information in Computer
Systems. Proceedings of the IEEE 63. Published on September, 1975.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 7, "Running with Least Privilege" Page
207'. Published on 2002.
- NIST .Federal Desktop Core Configuration.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 16: Executing Code With Too Much Privilege." Page
243'. Published on 2010.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 9, "Privilege Vulnerabilities", Page
477.'. Published on 2006.
