centos 6
access weakness #4

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

mpich2-1.2.1/src/pm/smpd/smpd_state_machine.c

Context:

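The highlighted line of code below is the trigger point of this particular CentOS 6 access weakness. The highlighting is not preserved in this text version; the warning most likely refers to the `ImpersonateSecurityContext` call, which switches the thread to the client's security context. In the excerpt its return value is tested only after `smpd_get_user_name` has already run, and the failure branch only logs the error before execution continues, so on failure the account name is presumably looked up without the impersonation in effect.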

     int result;
    char err_msg[256];
    const char *result_str = SMPD_SUCCESS_STR;
    SECURITY_STATUS sec_result;
    HANDLE user_handle;
    BOOL duplicate_result;

    smpd_enter_fn(FCNAME);
    if (event_ptr->error != SMPD_SUCCESS)
    {
	smpd_process.sec_fn->DeleteSecurityContext(&context->sspi_context->context);
	smpd_process.sec_fn->FreeCredentialsHandle(&context->sspi_context->credential);
	smpd_err_printf("unable to read the delegate request result, %s.\n", get_sock_error_string(event_ptr->error));
	context->state = SMPD_CLOSING;
	result = SMPDU_Sock_post_close(context->sock);
	smpd_exit_fn(FCNAME);
	return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
    }
    smpd_dbg_printf("delegate request result: '%s'\n", context->sspi_header);

    if (context->sspi_type == SMPD_SSPI_IDENTIFY || (strcmp(context->sspi_header, "identify") == 0))
    {
	context->sspi_type = SMPD_SSPI_IDENTIFY;
	smpd_dbg_printf("calling ImpersonateSecurityContext\n");
	sec_result = smpd_process.sec_fn->ImpersonateSecurityContext(&context->sspi_context->context);
	/* revert must be called before any smpd_dbg_printfs will work */
	smpd_get_user_name(context->account, context->domain, context->full_domain);
	if (sec_result == SEC_E_OK)
	{
	    smpd_process.sec_fn->RevertSecurityContext(&context->sspi_context->context);
	    smpd_dbg_printf("impersonated user: '%s'\n", context->account);
	}
	else
	{
	    smpd_err_printf("ImpersonateSecurityContext failed: %d\n", sec_result);
	}

	if (strcmp(context->sspi_header, "key") != 0)
	{
	    /* Error: identify must be coupled with an sspi job key */
	    context->read_state = SMPD_IDLE;
	    context->write_state = SMPD_WRITING_IMPERSONATE_RESULT;
	    MPIU_Strncpy(context->sspi_header, SMPD_FAIL_STR, SMPD_SSPI_HEADER_LENGTH);
	    result = SMPDU_Sock_post_write(context->sock, context->sspi_header, SMPD_SSPI_HEADER_LENGTH, SMPD_SSPI_HEADER_LENGTH, NULL);
	    if (result != SMPD_SUCCESS)
	    {
		smpd_err_printf("unable to post a write of the impersonate result,\nsock error: %s\n", get_sock_error_string(result));
		context->state = SMPD_CLOSING;
		result = SMPDU_Sock_post_close(context->sock);
		smpd_exit_fn(FCNAME); 
