Improper Check for Dropped Privileges |
Weakness ID: 273 (Weakness Base) | Status: Incomplete |
Description Summary
Extended Description
If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.
This issue is likely to occur in restrictive environments in which the operating system or application provides fine-grained control over privilege management. |
Scope | Effect |
---|---|
Authorization | If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped. |
Authentication | If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator. |
Example 1
Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.
Phase: Architecture and Design Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges. |
Phase: Implementation In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). |
Phase: Implementation Always check all of your return values. |
In Microsoft Operating environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges. Code which relies on this for security must ensure that the impersonation succeeded-- i.e., that a proper privilege demotion happened. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 271 | Privilege Dropping / Lowering Errors | Development Concepts (primary)699 Research Concepts1000 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 748 | CERT C Secure Coding Section 50 - POSIX (POS) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | Weakness Class | 754 | Improper Check for Unusual or Exceptional Conditions | Research Concepts (primary)1000 |
PeerOf | Weakness Base | 252 | Unchecked Return Value | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Failure to check whether privileges were dropped successfully | ||
CERT C Secure Coding | POS37-C | Ensure that privilege relinquishment is successful |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Description, Modes of Introduction, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Description, Name, Relationships | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Name | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2009-03-10 | Failure to Check Whether Privileges Were Dropped Successfully | |||
2009-05-27 | Improper Check for Successfully Dropped Privileges | |||