centos 6
access weakness #15

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

mvapich-1.2rc1/non-psm/mpid/nt_server/RemoteShell/RemoteShellServer/RemoteShell.cpp

Context:

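The highlighted line of code below is the trigger point of this particular CentOS 6 access weakness. The highlighting is not preserved in this text rendering; the warning presumably refers to one of the impersonation calls in the excerpt (`CoImpersonateClient` or `ImpersonateLoggedOnUser`). Note that in the excerpt a failed `CoImpersonateClient` is only logged and execution continues, so the return value of each impersonation call should be checked and the privileged work skipped on failure.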

 	else
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"CreateTempFile:ImpersonateLoggedOnUser failed ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"CreateTempFile: ImpersonateLoggedOnUser failed: %d, %s\n", *nError, error_msg);
	}
	CloseHandle(hUser);
	return S_OK;
}

// Function name	: CRemoteShell::GetPortFromFile
// Description	    : 
// Return type		: STDMETHODIMP 
// Argument         : BSTR bFileName
// Argument         : long *nPort
// Argument         : long *nError
// Argument         : BSTR *bErrorMsg
STDMETHODIMP CRemoteShell::GetPortFromFile(BSTR bFileName, long *nPort, long *nError, BSTR *bErrorMsg)
{
	WCHAR error_msg[256];
	HRESULT hr;
	HANDLE hImpersonatedToken, hUser;

	hr = CoImpersonateClient();
	if (FAILED(hr))
		LogMsg(TEXT("GetPortFromFile:CoImpersonateClient failed - reading temp file with process token"));
	//if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hImpersonatedToken))
	if (!OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hImpersonatedToken))
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"GetPortFromFile:OpenThreadToken failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"GetPortFromFile:OpenThreadToken failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}
	CoRevertToSelf();
	//if (!DuplicateTokenEx(hImpersonatedToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hUser))
	if (!DuplicateTokenEx(hImpersonatedToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hUser))
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"GetPortFromFile:DuplicateTokenEx failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"GetPortFromFile:DuplicateTokenEx failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}

	if (ImpersonateLoggedOnUser(hUser))
	{
		HANDLE hFile = CreateFileW(bFileName, GENERIC_READ, FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); 
