CWE-271

Privilege Dropping / Lowering Errors. [Improper-Access-Control]

Required inputs: IR

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.
Demonstrative Examples
Example 1

The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.

Example Language: C

    chroot(APP_HOME);                    /* confine the process to APP_HOME */
    chdir("/");                          /* ... and move into the new root */
    FILE* data = fopen(argv[1], "r+");   /* user-chosen path, still opened as root: no setuid() before this */
    ...

Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.
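As an added example (not code from CWE or from the Axivion rule documentation), the chroot() snippet above completed with an irreversible privilege drop and the checks this rule looks for: the setuid() return value is tested rather than discarded, the drop is verified by confirming that setuid(0) now fails, and uid 0 is refused as a target. The uid/gid 65534 and the /var/empty path used in main() are assumed placeholders.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid and verify the drop cannot be undone.
 * Returns 0 on success, -1 on failure (errno describes why). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {              /* "dropping" to root is the setuid_zero case */
        errno = EINVAL;
        return -1;
    }
    /* Groups and gid first: after setuid() to a non-root uid the process
       may no longer change them. setgroups() itself requires root. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)       /* return value checked, not discarded */
        return -1;
    /* Regaining root must fail; if setuid(0) succeeds here the drop was not
       effective (e.g. only the effective uid was changed, saved uid still 0). */
    if (setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The CWE example completed: confine to app_home, then drop privileges
 * before touching any user-controlled path. Must be started as root. */
int confine_and_drop(const char *app_home, uid_t uid, gid_t gid)
{
    if (chroot(app_home) == -1 || chdir("/") == -1)
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    /* Assumed values: 65534 is commonly "nobody"; /var/empty is a placeholder. */
    const char *app_home = argc > 1 ? argv[1] : "/var/empty";
    if (confine_and_drop(app_home, 65534, 65534) == -1) {
        perror("confine_and_drop");
        return 1;
    }
    printf("running as uid %u, gid %u inside %s\n",
           (unsigned)getuid(), (unsigned)getgid(), app_home);
    return 0;
}
```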

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key                          | Text                                                                            | Severity | Disabled
check_privilege_drop         | setuid(getuid()) call must be followed by a setuid(0) != -1 check.             | None     | False
chroot_without_setuid        | The chroot() call should be followed by a setuid() call to drop privileges.    | None     | False
discarded_return_with_entity | Return value of function discarded.                                             | None     | False
setuid_zero                  | Setuid should not be called with 0 as argument, as this grants root privileges. | None     | False
unhandled_return_value       | Return value of function call not properly checked.                             | None     | False

Options

allow_assignment_to_globals

allow_assignment_to_globals : bool = False

Whether assignment to global / static variables should be allowed. If set to false, an error is reported if the returned value is assigned to a global variable and any call is performed before the return value is checked (i.e., some other routine could access the return value before it has been checked).

allow_assignment_to_variables_with_pointers

allow_assignment_to_variables_with_pointers : bool = True

Whether assignment to variables whose address has been taken somewhere should be allowed. If set to false, an error is reported if the return value is assigned to such a variable, to ensure that the return value is checked locally, before any access from outside is possible.

allowed_functions

allowed_functions : set[bauhaus.analysis.config.FunctionName] = {'memcpy', 'memmove', 'memset', 'strcat', 'strcpy', 'strncat', 'strncpy'}

Calls to these functions are ignored.

check_operators

check_operators : bool = False

Also check operator calls. Unused return values of assignment operators are only reported if given in function-style syntax.

functions

functions : dict[bauhaus.analysis.config.QualifiedName, bauhaus.ir.common.algorithms.matchers.Matcher]

Default:

{
   'ImpersonateNamedPipeClient': <bauhaus.rules.axivion.expressions.calls.unhandled_return_value.BinaryRelationAnyMatcher object at 0x7f6f1b83a0b0>
}

Declares function names for which a check of the return value must exist. The check is expressed as an IR pattern.

known_check_functions

known_check_functions : set[bauhaus.analysis.config.FunctionName] = set()

Collection of functions which are known to test the return values of the functions under test.

report_references

report_references : bool = False

Report returned references. For operators, unused returned references are only reported if given in function-style syntax.