Improper Check for Dropped Privileges| ID: 273 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software attempts to drop privileges but does not check or
incorrectly checks to see if the drop succeeded.
Extended DescriptionIf the drop fails, the software will continue to run with the raised
privileges, which might provide additional access to unprivileged
users.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | If privileges are not dropped, neither are access rights of the user.
Often these rights can be prevented from being dropped. |
| Access_ControlNon-Repudiation | Gain privileges / assume
identityHide activities | If privileges are not dropped, in some cases the system may record
actions as the user which is being impersonated rather than the
impersonator. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | Separation of Privilege | Compartmentalize the system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area.Ensure that appropriate compartmentalization is built into the system
design and that the compartmentalization serves to allow for and further
reinforce privilege separation functionality. Architects and designers
should rely on the principle of least privilege to decide when it is
appropriate to use and to drop system privileges. | | |
| Implementation | | In Windows make sure that the process token has the
SeImpersonatePrivilege(Microsoft Server 2003). | | |
| Implementation | | Always check all of your return values. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-273 ChildOf CWE-889 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This code attempts to take on the privileges of a user before
creating a file, thus avoiding performing the action with unnecessarily high
privileges:
Observed Examples
- CVE-2006-4447 : Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
- CVE-2006-2916 : Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Failure to check whether privileges were dropped
successfully | |
| CERT C Secure Coding | POS37-C | Ensure that privilege relinquishment is
successful | |
References:None
