Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

This code temporarily raises the program's privileges to allow creation of a new user folder.

def makeNewUserDir(username):

  if invalidUsername(username):


    #avoid CWE-22 and CWE-78
    print('Usernames cannot contain invalid characters')
    return False


  try:
    raisePrivileges()
    os.mkdir('/home/' + username)
    lowerPrivileges()

  except OSError:
    print('Unable to create new user directory for user:' + username)
    return False

  return True

While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.

Example Two

The following example demonstrates the weakness.

seteuid(0);
/* do some stuff */

seteuid(getuid());

Example Three

The following example demonstrates the weakness.

AccessController.doPrivileged(new PrivilegedAction() {

  public Object run() {
    // privileged code goes here, for example:
    System.loadLibrary("awt");
    return null;
    // nothing to return

  }

Example Four

This code intends to allow only Administrators to print debug information about a system.

public enum Roles {
  ADMIN,USER,GUEST
}

public void printDebugInfo(User requestingUser){

  if(isAuthenticated(requestingUser)){

    switch(requestingUser.role){

      case GUEST:
        System.out.println("You are not authorized to perform this command");
        break;

      default:
        System.out.println(currentDebugState());
        break;


    }

  }
  else{
    System.out.println("You must be logged in to perform this command");
  }

}

While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system.

Example Five

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.

public enum Roles {
  ADMIN,OPERATOR,USER,GUEST
}

public void resetPassword(User requestingUser, User user, String password ){

  if(isAuthenticated(requestingUser)){

    switch(requestingUser.role){

      case GUEST:
        System.out.println("You are not authorized to perform this command");
        break;

      case USER:
        System.out.println("You are not authorized to perform this command");
        break;

      default:
        setPassword(user,password);
        break;
      }

    }


  else{
    System.out.println("You must be logged in to perform this command");
  }

}

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

See Also

ICS Engineering (Construction/Deployment): Trust Model Problems

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2...

OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021.

Authorize Actors

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have th...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.