CWE-269 特权管理不恰当
Improper Privilege Management
结构: Simple
Abstraction: Class
状态: Draft
被利用可能性: Medium
基本描述
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 284 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 284 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Gain Privileges or Assume Identity |
可能的缓解方案
MIT-1 ['Architecture and Design', 'Operation']
策略:
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
MIT-48 Architecture and Design
策略: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
MIT-49 Architecture and Design
策略: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
示例代码
例
This code temporarily raises the program's privileges to allow creation of a new user folder.
bad Python
#avoid CWE-22 and CWE-78
print('Usernames cannot contain invalid characters')
return False
try:
os.mkdir('/home/' + username)
lowerPrivileges()
except OSError:
return False
return True
While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
例
Evidence of privilege change:
bad C
/ do some stuff /
seteuid(getuid());
bad Java
// privileged code goes here, for example:
System.loadLibrary("awt");
return null;
// nothing to return
例
This code intends to allow only Administrators to print debug information about a system.
bad Java
public void printDebugInfo(User requestingUser){
break;
default:
break;
else{
While the intention was to only allow Administrators to print the debug information, the code as written only excludes those the with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system.
例
This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.
bad Java
public void resetPassword(User requestingUser, User user, String password ){
break;
case USER:
break;
default:
break;
else{
This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2001-1555 | Terminal privileges are not reset when a user logs out. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1555 |
| CVE-2001-1514 | Does not properly pass security context to child processes in certain cases, allows privilege escalation. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1514 |
| CVE-2001-0128 | Does not properly compute roles. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0128 |
| CVE-1999-1193 | untrusted user placed in unix "wheel" group | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193 |
| CVE-2005-2741 | Product allows users to grant themselves certain rights that can be used to escalate privileges. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2741 |
| CVE-2005-2496 | Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2496 |
| CVE-2004-0274 | Product mistakenly assigns a particular status to an entity, leading to increased privileges. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0274 |
| CVE-2007-4217 | FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4217 |
| CVE-2007-5159 | OS incorrectly installs a program with setuid privileges, allowing users to gain privileges. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159 |
| CVE-2008-4638 | Composite: application running with high privileges allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4638 |
| CVE-2007-3931 | Installation script installs some programs as setuid when they shouldn't be. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3931 |
| CVE-2002-1981 | Roles have access to dangerous procedures (Accessible entities). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1981 |
| CVE-2002-1671 | Untrusted object/method gets access to clipboard (Accessible entities). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1671 |
| CVE-2000-0315 | Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0315 |
| CVE-2000-0506 | User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0506 |
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Privilege Management Error |
相关攻击模式
- CAPEC-122
- CAPEC-233
- CAPEC-58