Failure to Check Whether Privileges Were Dropped

From Guidance Share


If one changes security privileges, one should ensure that the change was successful.

Applies To

  • Language: C, C++, Java, .NET or any language which can make system calls or has its own privilege system.
  • Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.


The following code shows an example of a privilege modification without checking the return value:

bool DoSecureStuff(HANDLE hPipe) {
    bool fDataWritten = false;
    ImpersonateNamedPipeClient(hPipe);  /* return value is not checked */
    HANDLE hFile = CreateFile(...);
    /* ... */
    RevertToSelf();
    /* ... */
}

Since we did not check the return value of ImpersonateNamedPipeClient, we do not know if the call succeeded.


  • Authorization: If privileges are not dropped, neither are access rights of the user.
  • Authentication: If privileges are not dropped, in some cases the system may record actions as the user who is being impersonated rather than as the impersonator.


  • Failure to check return value or error code when dropping privileges.


  • Implementation: In Windows, make sure that the process token has the SeImpersonatePrivilege (Microsoft Server 2003).
  • Implementation: Always check all of your return values.
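
A checked counterpart to the DoSecureStuff function above, added here as an illustration and not part of the original page: it refuses to do the file work when impersonation fails and reports a failed RevertToSelf separately. `DoSecureStuffChecked`, `secure_result`, `client_work_fn`, `count_call` and the `sim_*` flags are hypothetical names; off Windows the two Win32 calls are replaced by constructed stand-ins so the control flow can be run.

```c
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins with the Win32 signatures so the control flow can be
   exercised off Windows; the two flags choose which call fails. */
typedef void *HANDLE;
typedef int BOOL;
static BOOL sim_impersonate_ok = 1, sim_revert_ok = 1;
static BOOL ImpersonateNamedPipeClient(HANDLE h) { (void)h; return sim_impersonate_ok; }
static BOOL RevertToSelf(void) { return sim_revert_ok; }
#endif

typedef enum { SECURE_OK, SECURE_DENIED, SECURE_WORK_FAILED, SECURE_REVERT_FAILED } secure_result;

/* Hypothetical callback standing in for the page's elided CreateFile(...) work. */
typedef bool (*client_work_fn)(void *arg);

secure_result DoSecureStuffChecked(HANDLE hPipe, client_work_fn work, void *arg) {
    /* Fail closed: if impersonation fails the thread still holds the server's
       own token, so the file work must not run at all. */
    if (!ImpersonateNamedPipeClient(hPipe))
        return SECURE_DENIED;

    bool ok = work(arg);   /* executes with the pipe client's access rights */

    /* A failed revert leaves the thread in the client's context; report it
       distinctly so the caller stops instead of carrying on. */
    if (!RevertToSelf())
        return SECURE_REVERT_FAILED;
    return ok ? SECURE_OK : SECURE_WORK_FAILED;
}

/* Constructed sample work: counts how many times it was allowed to run. */
bool count_call(void *arg) { ++*(int *)arg; return true; }

#ifndef _WIN32
int main(void) {
    int calls = 0;
    sim_impersonate_ok = 0;   /* simulate a failed impersonation */
    secure_result r = DoSecureStuffChecked(NULL, count_call, &calls);
    printf("result=%d calls=%d\n", r, calls);   /* prints "result=1 calls=0" */
    return 0;
}
#endif
```

On Windows, Microsoft's documentation for RevertToSelf advises shutting the process down when the call fails, which is why that case gets its own result code.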

Vulnerability Patterns

How Tos