centos 6
access weakness #30


Weakness Breakdown


Definition:

An access weakness occurs when software does not correctly implement permissions or privilege handling, so that a malicious actor can obtain access or rights the design never intended. A common example is a default username and password set by the developer that the system administrator never changes.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges. Check the call's return value and stop if it reports failure; code that continues as though the privilege change (or impersonation) succeeded runs with more rights than intended.

File Name:

mvapich-1.2rc1/psm/mpid/nt_server/RemoteShell/RemoteShellServer/RemoteShell.cpp

Context:

The line of code highlighted below (the highlight is not preserved in this text rendering) is the trigger point of this particular CentOS 6 access weakness. In the excerpt, the result of `ImpersonateLoggedOnUser(hUser)` is checked by the enclosing `if`, but the return value of `CoRevertToSelf()` is never examined, and both `OpenThreadToken` and `DuplicateTokenEx` request `MAXIMUM_ALLOWED` access rather than the minimal rights the code needs. `CreateProcessAsUser` is also called with handle inheritance enabled (`bInheritHandles = TRUE`), so every inheritable handle in the server process is passed to the child. The excerpt is cut off before the failure branch of the `ImpersonateLoggedOnUser` check, so it cannot be confirmed from this page that a failed impersonation aborts the launch.

 		//if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hImpersonatedToken))
		if (!OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hImpersonatedToken))
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"LaunchProcess:OpenThreadToken failed: ");
			SysReAllocString(bErrorMsg, error_msg);
			LogWMsg(L"LaunchProcess:OpenThreadToken failed: %d, %s\n", *nError, error_msg);
			goto RESTORE_CLEANUP;
		}
		CoRevertToSelf();
		//if (!DuplicateTokenEx(hImpersonatedToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hUser))
		if (!DuplicateTokenEx(hImpersonatedToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hUser))
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"LaunchProcess:DuplicateTokenEx failed: ");
			SysReAllocString(bErrorMsg, error_msg);
			LogWMsg(L"LaunchProcess:DuplicateTokenEx failed: %d, %s\n", *nError, error_msg);
			goto RESTORE_CLEANUP;
		}
	}

	// Create the process

	//LogMsg(TEXT("impersonating user\n"));
	if (ImpersonateLoggedOnUser(hUser))
	{
		// Attempt to change into the directory passed into the function
		GetCurrentDirectory(MAX_PATH, tSavedPath);
		if (!SetCurrentDirectoryW(bDir))
		{
			int terror = GetLastError();
			char terror_msg[256];
			Translate_Error(terror, terror_msg, "LaunchProcess:SetCurrentDirectory failed ");
			LogMsg(terror_msg);
		}

		//LogMsg(TEXT("LaunchInteractiveProcess: about to launch %s.\n"), tCmdLine);
		if (CreateProcessAsUser(
			hUser,
			NULL,
			tCmdLine,
			NULL, NULL, TRUE,
			//DETACHED_PROCESS | IDLE_PRIORITY_CLASS, 
			//CREATE_NO_WINDOW | IDLE_PRIORITY_CLASS,
			CREATE_NO_WINDOW | IDLE_PRIORITY_CLASS | CREATE_NEW_PROCESS_GROUP,
			//DETACHED_PROCESS | IDLE_PRIORITY_CLASS | CREATE_NEW_PROCESS_GROUP,
			//CREATE_NO_WINDOW | IDLE_PRIORITY_CLASS | CREATE_SUSPENDED, 
			pEnv,
			NULL,
			&saInfo, &psInfo)) 
