ASP.NET 2.0 Security Inspection Questions - Impersonation

From Guidance Share


- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo


Impersonation Vulnerabilities and Implications

Vulnerability                                           Implications
Revealing service account credentials to the client     An attacker could use these credentials to attack the server.
Code executes with higher privileges than expected      An attacker can do more damage when code runs with higher privileges.


The following questions can help you to identify vulnerable areas:

  • Does the application use hard-coded impersonation credentials?
  • Does the application clean up properly when it uses impersonation?


Does the application use hard-coded impersonation credentials?

If the code impersonates a service account, it should not pass hard-coded credentials to LogonUser. If the code needs multiple identities to access a range of downstream resources and services, it should use Microsoft Windows Server 2003 protocol transition and the WindowsIdentity constructor that takes a user principal name (UPN). This allows the code to create a Windows token given only the account's UPN, so no password is stored in the application or sent over the network. To access a network resource with that token, the code also needs delegation: the server's computer account must be configured as trusted for delegation in Active Directory.

The following code shows how to construct a Windows token using the WindowsIdentity constructor.

using System;
using System.Security.Principal;

public class TokenHelper
{
 // Performs a protocol-transition (S4U) logon for the named account.
 // Only the UPN is supplied; no password is stored or transmitted.
 public void ConstructToken(string upn, out WindowsPrincipal p)
 {
  WindowsIdentity id = new WindowsIdentity(upn);
  p = new WindowsPrincipal(id);
 }
}


Does the application clean up properly when it uses impersonation?

If the code uses programmatic impersonation, be sure that it uses structured exception handling: the impersonation code belongs inside a try block, catch blocks handle the exceptions that can occur, and a finally block reverts the impersonation. A finally block runs whether or not an exception is thrown, so the impersonation token is always removed from the current thread and later requests on that thread cannot run with the wrong identity.

The application should not contain code similar to the following example:

try
{
 ElevatePrivilege();
 // if ReadSecretFile throws an exception privileges will not be lowered
 ReadSecretFile();
 LowerPrivilege();
}
catch(FileException fe)
{
 ReportException();
}

Instead, it should contain code similar to the following:

try
{
 ElevatePrivilege();
 // If ReadSecretFile throws an exception, the finally block still lowers privileges
 ReadSecretFile();
}
catch(FileException fe)
{
 ReportException();
}
finally
{
 LowerPrivilege();
}
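The two inspection questions above come together in the following example, which is added here and is not code from the original page or from the Guidance Share authors. It shows the anti-pattern the first question looks for (a literal password passed to LogonUser via P/Invoke) next to the recommended form: a protocol-transition logon through the WindowsIdentity(string) constructor, impersonated inside try/catch/finally so that Undo() always runs. The class name, method names, file path, and the CONTOSO account and password in the anti-pattern are hypothetical; the P/Invoke signature and the LOGON32_* constant values are the real Win32 ones. Running it requires Windows Server 2003 or later with the server account trusted for delegation.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ImpersonationHelper
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out IntPtr phToken);

    const int LOGON32_LOGON_NETWORK = 3;   // real Win32 values
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // ANTI-PATTERN (what the inspection question is looking for):
    // a password compiled into the assembly. Anyone who can read the
    // binary, or any attacker who gets code execution on the box,
    // recovers a working service account credential.
    public static WindowsIdentity HardCodedLogon_DoNotUse()
    {
        IntPtr token;
        // Hypothetical account and password, shown only to illustrate the defect.
        if (!LogonUser("svc-reports", "CONTOSO", "P@ssw0rd!",
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return new WindowsIdentity(token);
    }

    // RECOMMENDED: protocol transition. Only the UPN is supplied; the
    // constructor performs an S4U logon and no password exists in the
    // application at all. The file read runs under the impersonated
    // token, so the file system enforces that account's ACLs.
    public static string ReadFileAs(string upn, string path)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = id.Impersonate();
            return File.ReadAllText(path);
        }
        catch (UnauthorizedAccessException ex)
        {
            // Report, then rethrow: do not hide an authorization failure.
            Console.Error.WriteLine("Access denied for {0}: {1}", upn, ex.Message);
            throw;
        }
        finally
        {
            // Runs on both the normal and the exceptional path, so the
            // thread never keeps the impersonation token by accident.
            if (ctx != null)
            {
                ctx.Undo();
            }
        }
    }

    public static void Main()
    {
        // Hypothetical UPN and path.
        string text = ReadFileAs("reports@contoso.com", @"C:\data\secret.txt");
        Console.WriteLine("Read {0} characters", text.Length);
    }
}
```

Two checks worth making during review: Undo() is in a finally block rather than after the call it protects, and no overload of LogonUser or WindowsIdentity(IntPtr) is reachable from a code path that reads a password literal or a plaintext configuration value. WindowsImpersonationContext also implements IDisposable, so a using block is an equivalent way to guarantee the revert.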