Failure to Check Whether Privileges Were Dropped

From Guidance Share

Description

If one changes security privileges, one should ensure that the change was successful.


Applies To

  • Language: C, C++, Java, .NET or any language which can make system calls or has its own privilege system.
  • Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.


Example

The following code shows an example of a privilege modification without checking the return value:

bool DoSecureStuff(HANDLE hPipe) {
    bool fDataWritten = false;
    ImpersonateNamedPipeClient(hPipe);   /* return value is not checked */
    HANDLE hFile = CreateFile(...);
    /* ... */
    RevertToSelf();
    /* ... */
    return fDataWritten;
}

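Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded. If it failed, the thread is still running in the server's own security context, so CreateFile is performed with the server's access rights rather than the client's.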


Impact

  • Authorization: If privileges are not dropped, neither are the access rights of the user.
  • Authentication: If privileges are not dropped, in some cases the system may record actions as the user who is being impersonated rather than the impersonator.


Vulnerabilities

  • Failure to check return value or error code when dropping privileges.


Countermeasures

  • Implementation: In Windows, make sure that the process token has the SeImpersonatePrivilege (Microsoft Server 2003).
  • Implementation: Always check all of your return values.
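
The same countermeasure on UNIX, which this page lists under "Applies To" but does not illustrate: an added example, not code from the original page, of a permanent privilege drop that checks every return value and then confirms the resulting identity. The helper names drop_privileges and running_as are hypothetical, and dropping to the IDs the process already holds in main is a constructed scenario so the program runs without root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: declares setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 only if real and effective IDs both equal the target. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * On -1 the caller must stop: the process may still hold its old rights. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed while still privileged. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) {
        perror("setgroups");
        return -1;
    }
    /* Group first: after setuid() we may no longer be allowed to setgid(). */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Do not trust the return codes alone: confirm the resulting identity. */
    if (!running_as(uid, gid))
        return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed scenario: "drop" to the IDs we already hold. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;                /* refuse to continue with unknown rights */
    puts("running with the intended identity");
    return 0;
}
```
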


Vulnerability Patterns


How Tos