Improper Check for Dropped Privileges
Weakness ID: 273 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

Extended Description

If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Modes of Introduction

This issue is likely to occur in restrictive environments in which the operating system or application provides fine-grained control over privilege management.

+ Common Consequences
ScopeEffect
Authorization

If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.

Authentication

If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++ 
bool DoSecureStuff(HANDLE hPipe) {
bool fDataWritten = false;
ImpersonateNamedPipeClient(hPipe);
HANDLE hFile = CreateFile(...);
/../
RevertToSelf()
/../
}

Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.

+ Potential Mitigations

Phase: Architecture and Design

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

Phase: Implementation

In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003).

Phase: Implementation

Always check all of your return values.

+ Other Notes

In Microsoft Operating environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges. Code which relies on this for security must ensure that the impersonation succeeded-- i.e., that a proper privilege demotion happened.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class271Privilege Dropping / Lowering Errors
Development Concepts (primary)699
Research Concepts1000
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory748CERT C Secure Coding Section 50 - POSIX (POS)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ChildOfWeakness ClassWeakness Class754Improper Check for Unusual or Exceptional Conditions
Research Concepts (primary)1000
PeerOfWeakness BaseWeakness Base252Unchecked Return Value
Research Concepts1000
+ Affected Resources
  • System Process
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPFailure to check whether privileges were dropped successfully
CERT C Secure CodingPOS37-CEnsure that privilege relinquishment is successful
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Description, Modes of Introduction, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Description, Name, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Name
Previous Entry Names
Change DatePrevious Entry Name
2009-03-10Failure to Check Whether Privileges Were Dropped Successfully
2009-05-27Improper Check for Successfully Dropped Privileges
Back to top