centos 6
access weakness #12

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

mvapich-1.2rc1/non-psm/mpid/nt_server/RemoteShell/RemoteShellServer/RemoteShell.cpp

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 access weakness.

 			MPICHKEY,
			0, KEY_READ, &hKey) != ERROR_SUCCESS)
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"CreateTempFile:RegOpenKeyEx failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"CreateTempFile:RegOpenKeyEx failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}

	// Read the temp directory
	DWORD type, num_bytes = MAX_PATH*sizeof(WCHAR);
	WCHAR wDir[MAX_PATH];
	if (RegQueryValueExW(hKey, L"Temp", 0, &type, (BYTE *)wDir, &num_bytes) != ERROR_SUCCESS)
	{
		RegCloseKey(hKey);
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"CreateTempFile:RegQueryValueExW failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"CreateTempFile:RegQueryValueExW failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}
	RegCloseKey(hKey);

	if (ImpersonateLoggedOnUser(hUser))
	{
		if (GetTempFileNameW(wDir, L"mpi", 0, wTemp) == 0)
		{
			*nError = GetLastError();
			Translate_Error(*nError, wTemp, L"CreateTempFile:GetTempFileName failed ");
			LogWMsg(wTemp);
			SysReAllocString(bErrorMsg, wTemp);
			return S_OK;
		}
		
		WCHAR wFullTemp[MAX_PATH], *namepart;
		GetFullPathNameW(wTemp, MAX_PATH, wFullTemp, &namepart);
	
		RevertToSelf();

		SysReAllocString(bFileName, wFullTemp);

	}
	else
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"CreateTempFile:ImpersonateLoggedOnUser failed ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"CreateTempFile: ImpersonateLoggedOnUser failed: %d, %s\n", *nError, error_msg);
	} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.