centos 6
access weakness #20

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but are not changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

mvapich-1.2rc1/psm/mpid/nt_server/RemoteShell/RemoteShellServer/RemoteShell.cpp

Context:

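The highlighted line of code below is the trigger point of this particular CentOS 6 access weakness. (The highlighting is not preserved in this listing; the impersonation calls visible in the excerpt are CoImpersonateClient, whose failure is only logged before execution continues to OpenThreadToken, and ImpersonateLoggedOnUser, whose result is tested before the file is opened. The return value of such a call should be checked, and the operation abandoned when a failure is reported.)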

 
	hr = CoImpersonateClient();
	if (FAILED(hr))
		LogMsg(TEXT("GetPortFromFile:CoImpersonateClient failed - reading temp file with process token"));
	//if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hImpersonatedToken))
	if (!OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hImpersonatedToken))
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"GetPortFromFile:OpenThreadToken failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"GetPortFromFile:OpenThreadToken failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}
	CoRevertToSelf();
	//if (!DuplicateTokenEx(hImpersonatedToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hUser))
	if (!DuplicateTokenEx(hImpersonatedToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hUser))
	{
		*nError = GetLastError();
		Translate_Error(*nError, error_msg, L"GetPortFromFile:DuplicateTokenEx failed: ");
		SysReAllocString(bErrorMsg, error_msg);
		LogWMsg(L"GetPortFromFile:DuplicateTokenEx failed: %d, %s\n", *nError, error_msg);
		return S_OK;
	}

	if (ImpersonateLoggedOnUser(hUser))
	{
		HANDLE hFile = CreateFileW(bFileName, GENERIC_READ, FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
		if (hFile == INVALID_HANDLE_VALUE)
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"GetPortFromFile:CreateFile failed ");
			LogWMsg(error_msg);
			LogWMsg(bFileName);
			SysReAllocString(bErrorMsg, error_msg);
			return S_OK;
		}
		
		DWORD num_read = 0;
		TCHAR pBuffer[100] = _T("");
		LPTSTR pChar = pBuffer;
		clock_t cStart = clock();
		while (true)
		{
			num_read = 0;
			if (!ReadFile(hFile, pChar, 100, &num_read, NULL))
			{
				*nError = GetLastError();
				Translate_Error(*nError, error_msg, L"GetPortFromFile:ReadFile failed ");
				LogWMsg(error_msg);
				SysReAllocString(bErrorMsg, error_msg); 
