Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  

CWE-782: Exposed IOCTL with Insufficient Access Control

Weakness ID: 782
Abstraction: Variant
Structure: Simple
Status: Draft
Presentation Filter:
+ Description
The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.
+ Extended Description

When an IOCTL contains privileged functionality and is exposed unnecessarily, attackers may be able to access this functionality by invoking the IOCTL. Even if the functionality is benign, if the programmer has assumed that the IOCTL would only be accessed by a trusted process, there may be little or no validation of the incoming data, exposing weaknesses that would never be reachable if the attacker cannot call the IOCTL directly.

The implementations of IOCTLs will differ between operating system types and versions, so the methods of attack and prevention may vary widely.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
+ Relevant to the view "Architectural Concepts" (CWE-1008)
MemberOfCategoryCategory1011Authorize Actors
+ Relevant to the view "Development Concepts" (CWE-699)
ChildOfClassClass284Improper Access Control
ChildOfBaseBase749Exposed Dangerous Method or Function
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Architecture and Design
ImplementationREALIZATION: This weakness is caused during implementation of an architectural security tactic.
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.


C (Often Prevalent)

C++ (Often Prevalent)

Operating Systems

Class: Unix (Undetermined Prevalence)

Class: Windows (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.


Technical Impact:

Attackers can invoke any functionality that the IOCTL offers. Depending on the functionality, the consequences may include code execution, denial-of-service, and theft of data.
+ Observed Examples
Operating system does not enforce permissions on an IOCTL that can be used to modify network settings.
Device driver does not restrict ioctl calls to its master.
ioctl does not check for a required capability before processing certain requests.
Chain: insecure device permissions allows access to an IOCTL, allowing arbitrary memory to be overwritten.
Chain: anti-virus product uses weak permissions for a device, leading to resultant buffer overflow in an exposed IOCTL.
Chain: sandbox allows opening of a TTY device, enabling shell commands through an exposed ioctl.
Anti-virus product uses insecure security descriptor for a device driver, allowing access to a privileged IOCTL.
Unauthorized user can disable keyboard or mouse by directly invoking a privileged IOCTL.
+ Potential Mitigations

Phase: Architecture and Design

In Windows environments, use proper access control for the associated device or device namespace. See References.
+ Notes

Applicable Platform

Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.


This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.
+ References
[REF-701] Microsoft. "Securing Device Objects". <>.
+ Content History
Submission DateSubmitterOrganization
2009-07-15CWE Content TeamMITRE
Modification DateModifierOrganization
2009-12-28CWE Content TeamMITRE
updated Time_of_Introduction
2017-11-08CWE Content TeamMITRE
updated Likelihood_of_Exploit, Modes_of_Introduction, Relationships

More information is available — Please select a different filter.
Page Last Updated: January 18, 2018