centos 6
access weakness #5

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

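If this call fails, the program could fail to drop heightened privileges. The call's return value therefore has to be checked, and the code must not continue as though it were running with reduced privileges when the call reports failure.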

File Name:

mpich2-1.2.1/src/pm/smpd/smpd_state_machine.c

Context:

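The highlighted line of code below is the trigger point of this particular CentOS 6 access weakness. (The highlighting is not preserved in this text. The warning most likely refers to the `ImpersonateSecurityContext` call, whose result is stored in `sec_result`. In the excerpt that result is compared with `SEC_E_OK`, but `smpd_get_user_name` is called before the comparison, so it runs whether or not impersonation succeeded. The return value of `RevertSecurityContext` is not checked in the visible lines.)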

 		smpd_exit_fn(FCNAME);
		return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
	    }

	    smpd_exit_fn(FCNAME);
	    return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
	}
	context->read_state = SMPD_READING_SSPI_JOB_KEY;
	result = SMPDU_Sock_post_read(context->sock, context->sspi_job_key, SMPD_SSPI_JOB_KEY_LENGTH, SMPD_SSPI_JOB_KEY_LENGTH, NULL);
	if (result != SMPD_SUCCESS)
	{
	    smpd_err_printf("unable to post a read of the sspi job key,\nsock error: %s\n", get_sock_error_string(result));
	    context->state = SMPD_CLOSING;
	    result = SMPDU_Sock_post_close(context->sock);
	    smpd_exit_fn(FCNAME);
	    return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
	}
	smpd_exit_fn(FCNAME);
	return SMPD_SUCCESS;
    }

    if (context->target == SMPD_TARGET_SMPD && (strcmp(context->sspi_header, "no") == 0))
    {
	context->sspi_type = SMPD_SSPI_IMPERSONATE;
	sec_result = smpd_process.sec_fn->ImpersonateSecurityContext(&context->sspi_context->context);
	/* revert must be called before any smpd_dbg_printfs will work */
	smpd_get_user_name(context->account, context->domain, context->full_domain);

	if (sec_result == SEC_E_OK)
	{
	    /* verify local admin */
	    BOOL b = FALSE;
	    int error;
	    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
	    PSID AdministratorsGroup;
	    context->access = SMPD_ACCESS_NONE;
	    result_str = SMPD_FAIL_STR;
	    if (AllocateAndInitializeSid(
		&NtAuthority,
		2,
		SECURITY_BUILTIN_DOMAIN_RID,
		DOMAIN_ALIAS_RID_ADMINS,
		0, 0, 0, 0, 0, 0,
		&AdministratorsGroup))
	    {
		if (CheckTokenMembership(NULL, AdministratorsGroup, &b)) 
		{
		    smpd_process.sec_fn->RevertSecurityContext(&context->sspi_context->context);
		    if (b)
		    { 
