
CWE-266: Incorrect Privilege Assignment

Weakness ID: 266 (Weakness Base) | Status: Draft
+ Description

Description Summary

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect
Access Control | Technical Impact: Gain privileges / assume identity

+ Demonstrative Examples

Example 1

Evidence of privilege change:

(Bad Code)
Example Language: C
#include <unistd.h>

seteuid(0);
/* do some stuff */
seteuid(getuid());

(Bad Code)
Example Language: Java
import java.security.AccessController;
import java.security.PrivilegedAction;

AccessController.doPrivileged(new PrivilegedAction() {
  public Object run() {
    // privileged code goes here, for example:
    System.loadLibrary("awt");
    return null; // nothing to return
  }
});
+ Observed Examples
Reference | Description
CVE-1999-1193 | untrusted user placed in unix "wheel" group
CVE-2005-2741 | Product allows users to grant themselves certain rights that can be used to escalate privileges.
CVE-2005-2496 | Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
CVE-2004-0274 | Product mistakenly assigns a particular status to an entity, leading to increased privileges.
+ Potential Mitigations

Phases: Architecture and Design; Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Follow the principle of least privilege when assigning access rights to entities in a software system.
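The seteuid pattern in Example 1 and the least-privilege mitigation above, as an added example that is not part of the CWE entry: the temporary drop (seteuid to the real UID) beside a permanent drop that sets the real, effective and saved UIDs together with setuid(), and a check that root really cannot be regained. The function names drop_temporarily, drop_permanently, can_regain_root and demo_target_uid, and the choice of UID 65534 as the unprivileged target when run as root, are assumptions of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern from the page's first example. seteuid() changes only the
 * effective UID; in a set-user-ID-root program the saved set-user-ID stays 0,
 * so the drop is temporary and a later seteuid(0) is allowed again. */
int drop_temporarily(void)
{
    return seteuid(getuid());
}

/* Returns 1 if the process can (re)gain effective UID 0, meaning root was
 * never really relinquished, and 0 if the kernel refuses the switch. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (seteuid(0) == 0) {
        /* Root came back: the CWE-266 failure mode. Put it away and report. */
        seteuid(getuid());
        return 1;
    }
    return 0;
}

/* Permanent drop. With effective UID 0, setuid() sets the real, effective and
 * saved UIDs together (POSIX), so no privileged identity is left to return to.
 * The drop is verified rather than trusted: returns 0 only if both visible
 * UIDs equal target and a switch back to root is refused, -1 otherwise. */
int drop_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return can_regain_root() ? -1 : 0;
}

/* Target for the demonstration: an unprivileged process can only "drop" to
 * itself, while a root process drops to 65534 (assumed here to be "nobody"). */
uid_t demo_target_uid(void)
{
    return getuid() == 0 ? (uid_t)65534 : getuid();
}

int main(void)
{
    uid_t target = demo_target_uid();

    if (drop_permanently(target) != 0) {
        fprintf(stderr, "drop to uid %u failed or is reversible\n",
                (unsigned)target);
        return 1;
    }
    printf("running as uid %u; root cannot be regained\n",
           (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the program only drops to itself; the real behaviour shows when it runs as root (for example in a disposable container) or is installed set-user-ID root. In a real daemon the group identity has to be relinquished first (setgroups() and setgid() before setuid()), because setuid() does not touch it, and on Linux the drop requires CAP_SETUID.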

+ Weakness Ordinalities
Ordinality | Description
Resultant | (where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 265 | Privilege / Sandbox Issues | Development Concepts (primary) 699
ChildOf | Weakness Base | 269 | Improper Privilege Management | Research Concepts (primary) 1000
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631
ChildOf | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 859 | CERT Java Secure Coding Section 14 - Platform Security (SEC) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
CanAlsoBe | Weakness Class | 286 | Incorrect User Management | Research Concepts 1000
ParentOf | Weakness Variant | 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 520 | .NET Misconfiguration: Use of Impersonation | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | Research Concepts (primary) 1000
+ Affected Resources
  • System Process
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Incorrect Privilege Assignment
CERT Java Secure Coding | SEC02-J | | Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary
CERT Java Secure Coding | SEC03-J | | Do not allow tainted variables in doPrivileged blocks
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10 | CWE Content Team | MITRE | Internal
  updated Relationships
2009-12-28 | CWE Content Team | MITRE | Internal
  updated Potential_Mitigations
2010-06-21 | CWE Content Team | MITRE | Internal
  updated Potential_Mitigations
2011-06-01 | CWE Content Team | MITRE | Internal
  updated Common_Consequences, Relationships, Taxonomy_Mappings
Page Last Updated: September 12, 2011