...
Code Block | ||||
---|---|---|---|---|
| ||||
int establish(void) { struct sockaddr_in sa; /* listening socket's address */ int s; /* listening socket */ /* Fill up the structure with address and port number */ sa.sin_port = htons(portnum); /* Other system calls like socket() */ if (bind(s, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0) { /* Perform cleanup */ } /* Return */ } int main(void) { int s = establish(); /* Block with accept() until a client connects */ switch (fork()) { case -1 : /* Error, clean up and quit */ case 0 : /* This is the child, handle the client */ default : /* This is the parent, continue blocking */ } return }0; } |
If a vulnerability is exploited in the main body of the program that allows an attacker to execute arbitrary code, this malicious code will run with elevated privileges.
...
Code Block | ||||
---|---|---|---|---|
| ||||
/* Code with elevated privileges */ int establish(void) { struct sockaddr_in sa; /* listening socket's address */ int s; /* listening socket */ /* Fill up the structure with address and port number */ sa.sin_port = htons(portnum); /* Other system calls like socket() */ if (bind(s, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0) { /* Perform cleanup */ } /* Return */ } int main(void) { int s = establish(); /* Drop privileges permanently */ if (setuid(getuid()) == -1) { /* Handle the error */ } if (setuid(0) != -1) { /* Privileges can be restored, handle error */ } /* Block with accept() until a client connects */ switch (fork()) { case -1: /* Error, clean up and quit */ case 0: /* Close all open file descriptors * This is the child, handle the client */ default: /* This is the parent, continue blocking */ } return 0; } |
Risk Assessment
Failure to follow the principle of least privilege may allow exploits to execute with elevated privileges.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
POS02-C |
High |
Likely |
High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Klocwork |
| SV.BRM.HKEY_LOCAL_MACHINE SV.USAGERULES.PERMISSIONS |
Related Vulnerabilities
CVE-2009-2031 results from a violation of this recommendation. OpenSolaris, in smbfs snv_84 through snv_110, sets permissions based on mount-point options and not actual user information (obtained from the getuid()
and getgid()
functions). An attacker can exploit this to achieve higher permissions. Also, in a certain initialization mode, the code grants read, write, and execute permissions to users other than the owner, which can be exploited to make files world readable [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC TR 24772 | Adherence to Least Privilege [XYN] |
MITRE CWE | CWE-250, Execution with unnecessary privileges CWE-272, Least privilege violation |
Bibliography
[DHS 2006] | Least Privilege |
[Saltzer 1974] |
[Saltzer 1975] |
[Wheeler 2003] | Section 7.4, "Minimize Privileges" |
[xorl 2009] | "OpenSolaris CIFS/SMB Invalid File Flags" |
...
...