CWE-269: Improper Privilege Management

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

This code temporarily raises the program's privileges to allow creation of a new user folder.


// #avoid CWE-22 and CWE-78// 
print('Usernames cannot contain invalid characters')return False

raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges()

print('Unable to create new user directory for user:' + username)return False
if invalidUsername(username):try:except OSError:return Truedef makeNewUserDir(username):

While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.

Example - 2

The following example demonstrates the weakness.


// /* do some stuff */// 
seteuid(0);seteuid(getuid());

Example - 3

The following example demonstrates the weakness.

// // privileged code goes here, for example:// 
// // nothing to return// 
System.loadLibrary("awt");return null;public Object run() {}AccessController.doPrivileged(new PrivilegedAction() {

Example - 4

This code intends to allow only Administrators to print debug information about a system.

ADMIN,USER,GUEST

System.out.println("You are not authorized to perform this command");break;

System.out.println(currentDebugState());break;case GUEST:default:switch(requestingUser.role){}
System.out.println("You must be logged in to perform this command");if(isAuthenticated(requestingUser)){}else{}public enum Roles {}public void printDebugInfo(User requestingUser){}

While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system.

Example - 5

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.

ADMIN,OPERATOR,USER,GUEST

System.out.println("You are not authorized to perform this command");break;

System.out.println("You are not authorized to perform this command");break;

setPassword(user,password);break;case GUEST:case USER:default:}switch(requestingUser.role){}
System.out.println("You must be logged in to perform this command");if(isAuthenticated(requestingUser)){else{}public enum Roles {}public void resetPassword(User requestingUser, User user, String password ){}

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-250: Execution with Unnecessary Privileges
Go to
CWE-266: Incorrect Privilege Assignment
Go to
CWE-267: Privilege Defined With Unsafe Actions
Go to
CWE-268: Privilege Chaining
Go to
CWE-270: Privilege Context Switching Error
Go to
CWE-271: Privilege Dropping / Lowering Errors
Go to
CWE-274: Improper Handling of Insufficient Privileges
Go to
CWE-284: Improper Access Control
Go to
CWE-648: Incorrect Use of Privileged APIs
Go to

Visit http://cwe.mitre.org/ for more details.