|
|
|
|
CWE-648 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Incomplete 648 (Weakness Base) | | Description | Summary When an application contains certain functions that perform operations requiring an elevated level of privilege on the system
and callers of these APIs are not careful in ensuring that assumptions made by these APIs are valid, do not account for weaknesses in design/implementation
of the privileged APIs, call these APIs from an unsafe or unexpected context, or pass/receive data to or from the privileged function that may allow a malicious
user or process to elevate their privilege, the stage might be set for escalation of privilege, process hijacking or theft of sensitive
data. For instance, it is important to know if privileged APIs fail to properly shed their privileges before returning to the caller or if
the privileged function might make certain assumptions about the data, context or state information passed to it by the caller.
It is important to always know when and how privileged APIs can be called in order to ensure that their elevated level of privilege
cannot be exploited. | | Likelihood of Exploit | Low | | Common Consequences | Elevation of privilege Information disclosure Arbitrary code execution | | Enabling Factors for Exploitation |
An application contains functions running processes that hold higher privileges.
There is code in the application that calls the privileged APIs.
There is a way for a user to control the data that is being passed to the privileged API or control the context from
which it is being called.
| | Potential Mitigations |
Before calling privileged APIs always ensure that the assumptions made by the privileged code hold true prior to making the call.
Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses
before calling the privileged APIs to ensure that they can be called safely.
If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling
code must ensure that these assumptions have been validated prior to making the call.
If privileged APIs fail to shed their privilege prior to returning to the calling code then calling code needs to shed these privileges
immediately and safely right after the call to the privileged APIs. In particular the calling code needs to ensure that under
no circumstances a privileged thread of execution is returned to the user or made available to user controlled processes.
Only call privileged APIs from safe, consistent and expected state.
Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and
privilege escalation is possible (i.e. fail securely with regards to handling of privileges).
| | Observed Examples | | Reference | Description |
|---|
| From http://xforce.iss.net/xforce/xfdb/12848:
man-db is a Unix utility that displays online help files. man-db versions 2.3.12 beta and 2.3.18 to 2.4.1 could allow a local attacker to gain privileges, caused by a vulnerability when the open_cat_stream function is called. If man-db is installed setuid, a local attacker could exploit this vulnerability to gain "man" user privileges. |
| | Relationships | | | Applicable Platforms | All | | Time of Introduction | Architecture and Design Implementation System Configuration |
|