Failure to Drop Privileges When Reasonable

Description

Failing to drop privileges when it is reasonable to do so results in a lengthened time of exposure. Running at higher privileges than necessary will allow successful attacks to result in higher damage potential.

Applies To

• Language: C, C++, Java, .NET or any language which can make system calls or has its own privilege system.
• Operating platforms: UNIX, Windows NT, Windows 2000, Windows XP, or any platform which has access control or authentication.

Example

The following code sets the running process to higher privileges but the command to reduce priveleges is commented out:

setuid(0);
//Do some important stuff
//setuid(old_uid);
//Do some non privlidged stuff.

Impact

• Access control: An attacker may be able to access resources with the elevated privilege that he should not have been able to access. This is particularly likely in conjunction with another flaw such as a buffer overflow.

Vulnerabilities

• Failure to drop privileges once they are no longer needed.

Countermeasures

• Design: Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
• Implementation: Ensure that code that raises priveleges has a matching call to drop privileges once the higher privileges are no longer necessary.

Vulnerability Patterns

• Failure to Drop Privileges When Reasonable Vulnerability Pattern

How Tos

• How To Recognize Failure to Drop Privileges When Reasonable Vulnerabilities
• How To Protect from Failure to Drop Privileges When Reasonable
• How To Perform an Attack Based On Failure to Drop Privileges When Reasonable