Failure to Check Whether Privileges Were Dropped

From Guidance Share

Jump to: navigation, search

Contents

Description

If one changes security privileges, one should ensure that the change was successful.


Applies To

  • Language: C, C++, Java, .NET or any language which can make system calls or has its own privilege system.
  • Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.


Example

The following code shows an example of a privilege modification without checking the return value:

bool DoSecureStuff(HANDLE hPipe){ {
bool fDataWritten = false;
ImpersonateNamedPipeClient(hPipe);
HANDLE hFile = CreateFile(...);
/../ RevertToSelf()/../
} 

Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.


Impact

  • Authorization: If privileges are not dropped, neither are access rights of the user.
  • Authentication: If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.


Vulnerabilities

  • Failure to check return value or error code when dropping privileges.


Countermeasures

  • Implementation: In Windows make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003).
  • Implementation: Always check all of your return values.


Vulnerability Patterns


How Tos

Personal tools