Least Privilege Violation |
| Weakness ID: 272 (Weakness Base) | Status: Incomplete |
DescriptionDescription Summary
Time of Introduction- Architecture and Design
- Implementation
- Operation
Applicable PlatformsLanguages
All
Common Consequences| Scope | Effect |
|---|---|
Access Control | An attacker may be able to access resources with the elevated privilege that he should not have been able to access. This is particularly likely in conjunction with another flaw -- e.g., a buffer overflow. |
Demonstrative ExamplesExample 1
Example 2
The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.
Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.
Potential MitigationsVery carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software. |
Follow the principle of least privilege when assigning access rights to entities in a software system. |
Phase: Architecture and Design Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges. |
Other Notes| The failure to drop system privileges when it is reasonable to do so is not a vulnerability by itself. It does, however, serve to significantly increase the Severity of other vulnerabilities. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user. |
Weakness Ordinalities| Ordinality | Description |
|---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Category | 254 | Security Features | Seven Pernicious Kingdoms (primary)700 |
| ChildOf |  Weakness Class | 271 | Privilege Dropping / Lowering Errors | Development Concepts (primary)699 Research Concepts (primary)1000 |
| ChildOf | Category | 748 | CERT C Secure Coding Section 50 - POSIX (POS) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
Causal NatureExplicit
Taxonomy Mappings| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Least Privilege Violation | ||
| CLASP | Failure to drop privileges when reasonable | ||
| CERT C Secure Coding | POS02-C | Follow the principle of least privilege |
Related Attack Patterns Maintenance Notes| CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| 7 Pernicious Kingdoms | Externally Mined | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Time of Introduction | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
| 2008-10-14 | CWE Content Team | MITRE | Internal | |
| updated Maintenance Notes | ||||
| 2008-11-24 | CWE Content Team | MITRE | Internal | |
| updated Relationships, Taxonomy Mappings | ||||
| 2009-03-10 | CWE Content Team | MITRE | Internal | |
| updated Demonstrative Examples | ||||
| 2009-05-27 | CWE Content Team | MITRE | Internal | |
| updated Demonstrative Examples | ||||
| 2009-12-28 | CWE Content Team | MITRE | Internal | |
| updated Potential Mitigations | ||||
