centos 6
misc weakness #11

5

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

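Never create NULL ACLs; an attacker can set it to Everyone. (A NULL DACL places no access restrictions on the object: any local account can open it and can also rewrite its permissions. An explicit DACL that names only the intended accounts and rights avoids this.)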

File Name:

ntp-4.2.6p5/ntpd/refclock_shm.c

Context:

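The highlighted line of code below is the trigger point of this particular CentOS 6 misc weakness. The highlighting is not preserved in this listing; the warning matches the `SetSecurityDescriptorDacl(&sd,1,0,0)` call, which marks a DACL as present but passes a null pointer for it. The source comment on the enclosing `if (unit >= 2)` labels this as intentional "world access". The call sits in the `#else` branch, which uses Windows APIs, so whether it is compiled into a given build depends on a preprocessor condition outside this excerpt. The excerpt begins and ends partway through the function.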

 	if (shmid==-1) { /*error */
		msyslog(LOG_ERR,"SHM shmget (unit %d): %s",unit,strerror(errno));
		return 0;
	}
	else { /* no error  */
		struct shmTime *p=(struct shmTime *)shmat (shmid, 0, 0);
		if ((int)(long)p==-1) { /* error */
			msyslog(LOG_ERR,"SHM shmat (unit %d): %s",unit,strerror(errno));
			return 0;
		}
		return p;
	}
#else
	char buf[10];
	LPSECURITY_ATTRIBUTES psec=0;
	HANDLE shmid=0;
	SECURITY_DESCRIPTOR sd;
	SECURITY_ATTRIBUTES sa;
	snprintf(buf, sizeof(buf), "NTP%d", unit);
	if (unit >= 2) { /* world access */
		if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
			msyslog(LOG_ERR,"SHM InitializeSecurityDescriptor (unit %d): %m",unit);
			return 0;
		}
		if (!SetSecurityDescriptorDacl(&sd,1,0,0)) {
			msyslog(LOG_ERR,"SHM SetSecurityDescriptorDacl (unit %d): %m",unit);
			return 0;
		}
		sa.nLength=sizeof (SECURITY_ATTRIBUTES);
		sa.lpSecurityDescriptor=&sd;
		sa.bInheritHandle=0;
		psec=&sa;
	}
	shmid=CreateFileMapping ((HANDLE)0xffffffff, psec, PAGE_READWRITE,
				 0, sizeof (struct shmTime),buf);
	if (!shmid) { /*error*/
		char buf[1000];
		FormatMessage (FORMAT_MESSAGE_FROM_SYSTEM,
			       0, GetLastError (), 0, buf, sizeof (buf), 0);
		msyslog(LOG_ERR,"SHM CreateFileMapping (unit %d): %s",unit,buf);
		return 0;
	}
	else {
		struct shmTime *p=(struct shmTime *) MapViewOfFile (shmid, 
								    FILE_MAP_WRITE, 0, 0, sizeof (struct shmTime));
		if (p==0) { /*error*/
			char buf[1000];
			FormatMessage (FORMAT_MESSAGE_FROM_SYSTEM,
				       0, GetLastError (), 0, buf, sizeof (buf), 0);
			msyslog(LOG_ERR,"SHM MapViewOfFile (unit %d): %s",unit,buf); 
