Difference between revisions of "Failure to check whether privileges were dropped successfully"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to www.textvargetc.com)
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
 +
{{Template:Vulnerability}}
  
==Overview==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
If one changes security privileges, one should ensure that the change was successful.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
==Consequences ==
+
==Description==
  
* Authorization: If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.
+
If one changes security privileges, one should ensure that the change was successful.
  
* Authentication: If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.
+
'''Consequences'''
  
==Exposure period ==
+
* Authorization: If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.
 +
* Authentication: If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.
  
* Implementation: Properly check all return values.
+
'''Exposure period'''
  
==Platform ==
+
* Implementation: Properly check all return values.
  
* Language: C, C++, Java, or any language which can make system calls or has its own privilege system.
+
'''Platform'''
  
* Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.  
+
* Language: C, C++, Java, or any language which can make system calls or has its own privilege system.
 +
* Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.  
  
==Required resources ==
+
'''Required resources'''
  
 
A process with changed privileges.
 
A process with changed privileges.
  
==Severity ==
+
'''Severity'''
  
 
Very High
 
Very High
  
==Likelihood  of exploit ==
+
'''Likelihood  of exploit'''
  
 
Medium
 
Medium
 
==Avoidance and mitigation ==
 
 
* Implementation: In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003).
 
 
* Implementation: Always check all of your return values.
 
 
==Discussion ==
 
  
 
In Microsoft operating environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security - although in different threads it may have much higher privileges.  
 
In Microsoft operating environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security - although in different threads it may have much higher privileges.  
Line 45: Line 40:
 
Code which relies on this for security must ensure that the impersonation succeeded - i.e., that a proper privilege demotion happened.
 
Code which relies on this for security must ensure that the impersonation succeeded - i.e., that a proper privilege demotion happened.
  
==Examples ==
+
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
  
 
In C/C++
 
In C/C++
Line 60: Line 59:
 
Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.
 
Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.
  
==Related problems ==
 
  
Not available.
 
  
 +
==Related [[Attacks]]==
  
[[Category:Vulnerability]]
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
[[Category:General Logic Error Vulnerability]]
 
  
 +
==Related [[Vulnerabilities]]==
 +
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 +
 +
==Related [[Controls]]==
 +
 +
* Implementation: In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003).
 +
* Implementation: Always check all of your return values.
 +
 +
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
TBD
 +
 +
[[Category:FIXME|add links
 +
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 +
Availability Vulnerability
 +
 +
Authorization Vulnerability
 +
 +
Authentication Vulnerability
 +
 +
Concurrency Vulnerability
 +
 +
Configuration Vulnerability
 +
 +
Cryptographic Vulnerability
 +
 +
Encoding Vulnerability
 +
 +
Error Handling Vulnerability
 +
 +
Input Validation Vulnerability
 +
 +
Logging and Auditing Vulnerability
 +
 +
Session Management Vulnerability]]
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Vulnerability]]
 +
[[Category:General Logic Error Vulnerability]]
 
[[Category:OWASP_CLASP_Project]]
 
[[Category:OWASP_CLASP_Project]]

Latest revision as of 13:30, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 05/27/2009

Vulnerabilities Table of Contents

Description

If one changes security privileges, one should ensure that the change was successful.

Consequences

  • Authorization: If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.
  • Authentication: If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.

Exposure period

  • Implementation: Properly check all return values.

Platform

  • Language: C, C++, Java, or any language which can make system calls or has its own privilege system.
  • Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.

Required resources

A process with changed privileges.

Severity

Very High

Likelihood of exploit

Medium

In Microsoft operating environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security - although in different threads it may have much higher privileges.

Code which relies on this for security must ensure that the impersonation succeeded - i.e., that a proper privilege demotion happened.

Risk Factors

TBD

Examples

In C/C++

bool DoSecureStuff(HANDLE hPipe){ {
   bool fDataWritten = false;
   ImpersonateNamedPipeClient(hPipe);
   HANDLE hFile = CreateFile(...);
   /../ RevertToSelf()/../
}

Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003).
  • Implementation: Always check all of your return values.


Related Technical Impacts


References

TBD