centos 6
access weakness #35

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

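If this call fails, the program could fail to drop heightened privileges. The return value should be checked, and the program should not continue with the privileged operation when a failure is reported.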

File Name:

mvapich-1.2rc1/psm/mpid/nt_server/RemoteShell/RemoteShellServer/RemoteShell.cpp

Context:

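The highlighted line of code below is the trigger point of this particular CentOS 6 access weakness. (The highlighting is not preserved in this text. The warning most plausibly refers to the `CoImpersonateClient()` call: when it fails, the code only logs a message and carries on to `OpenThreadToken`.)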

 #ifdef UNICODE
		wcscpy(tPassword, bPassword);
#else
		wcstombs(tPassword, bPassword, wcslen(bPassword)+1);
#endif
		if (!LogonUser(
			tAccount,
			psztDomain, 
			tPassword,
			LOGON32_LOGON_INTERACTIVE, 
			LOGON32_PROVIDER_DEFAULT, 
			&hUser))
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"LaunchProcess:LogonUser failed ");
			SysReAllocString(bErrorMsg, error_msg);
			LogWMsg(L"LaunchProcess: LogonUser failed: %d, %s\n", *nError, error_msg);
			goto RESTORE_CLEANUP;
		}

	}
	else
	{
		// No account was passed in so impersonate the client to get a user token
		hr = CoImpersonateClient();
		if (FAILED(hr))
			LogMsg(TEXT("LaunchProcess:CoImpersonateClient failed - launching process with process token"));
		//if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hImpersonatedToken))
		if (!OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hImpersonatedToken))
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"LaunchProcess:OpenThreadToken failed: ");
			SysReAllocString(bErrorMsg, error_msg);
			LogWMsg(L"LaunchProcess:OpenThreadToken failed: %d, %s\n", *nError, error_msg);
			goto RESTORE_CLEANUP;
		}
		CoRevertToSelf();
		//if (!DuplicateTokenEx(hImpersonatedToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hUser))
		if (!DuplicateTokenEx(hImpersonatedToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hUser))
		{
			*nError = GetLastError();
			Translate_Error(*nError, error_msg, L"LaunchProcess:DuplicateTokenEx failed: ");
			SysReAllocString(bErrorMsg, error_msg);
			LogWMsg(L"LaunchProcess:DuplicateTokenEx failed: %d, %s\n", *nError, error_msg);
			goto RESTORE_CLEANUP;
		}
	}

	// Create the process
 
