CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-266: Incorrect Privilege Assignment

 
Incorrect Privilege Assignment
Weakness ID: 266 (Weakness Base)Status: Draft
+ Description

Description Summary

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
ScopeEffect

Technical Impact: Gain privileges / assume identity

A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.

+ Demonstrative Examples

Example 1

Evidence of privilege change:

(Bad Code)
Example Language:
seteuid(0);
/* do some stuff */
seteuid(getuid());
(Bad Code)
Example Language: Java 
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// privileged code goes here, for example:
System.loadLibrary("awt");
return null;
// nothing to return
}

Example 2

This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes.

(Bad Code)
Example Language: Java 
Intent intent = new Intent();
intent.setAction("com.example.BackupUserData");
intent.setData(file_uri);
intent.addFlags(FLAG_GRANT_READ_URI_PERMISSION);
sendBroadcast(intent);
(Attack)
Example Language: Java 
public class CallReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
Uri userData = intent.getData();
stealUserData(userData);
}
}

Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data.

+ Observed Examples
ReferenceDescription
untrusted user placed in unix "wheel" group
Product allows users to grant themselves certain rights that can be used to escalate privileges.
Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
Product mistakenly assigns a particular status to an entity, leading to increased privileges.
+ Potential Mitigations

Phases: Architecture and Design; Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phases: Architecture and Design; Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.266.1]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

+ Weakness Ordinalities
OrdinalityDescription
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory265Privilege / Sandbox Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base269Improper Privilege Management
Research Concepts (primary)1000
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory859CERT Java Secure Coding Section 14 - Platform Security (SEC)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory901SFP Cluster: Privilege
Software Fault Pattern (SFP) Clusters (primary)888
CanAlsoBeWeakness ClassWeakness Class286Incorrect User Management
Research Concepts1000
ParentOfWeakness VariantWeakness Variant9J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant520.NET Misconfiguration: Use of Impersonation
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant556ASP.NET Misconfiguration: Use of Identity Impersonation
Research Concepts (primary)1000
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Affected Resources
  • System Process
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIncorrect Privilege Assignment
CERT Java Secure CodingSEC00-JDo not allow privileged blocks to leak sensitive information across a trust boundary
CERT Java Secure CodingSEC01-JDo not allow tainted variables in privileged blocks
+ References
[R.266.1] [31] Sean Barnum and Michael Gegick. "Least Privilege". 2005-09-14. <https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-09-08MITREInternal
updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10MITREInternal
updated Relationships
2009-12-28MITREInternal
updated Potential_Mitigations
2010-06-21MITREInternal
updated Potential_Mitigations
2011-06-01MITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11MITREInternal
updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
2012-10-30MITREInternal
updated Potential_Mitigations, References
2014-02-18MITREInternal
updated Applicable_Platforms, Demonstrative_Examples
Page Last Updated: June 23, 2014