centos 7
access weakness #1

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that the developer sets and the system administrator never changes.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

apr-1.4.8/threadproc/win32/proc.c

Context:

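The highlighted line of code below is the trigger point of this particular CentOS 7 access weakness. The highlighting does not appear in this listing. Two impersonation-related calls are visible in the excerpt: ImpersonateLoggedOnUser(), whose return value is checked and which returns on failure, and RevertToSelf(), whose return value is not checked. A failed RevertToSelf() would leave the thread running under the impersonated token. The excerpt comes from APR's threadproc/win32 directory and uses Win32 API calls throughout, so confirm whether this code path is actually built into the CentOS 7 package before triaging the finding.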

             }

            si.hStdError = GetStdHandle(STD_ERROR_HANDLE);
            if (attr->child_err && attr->child_err->filehand)
            {
                if (GetHandleInformation(si.hStdError,
                                         &stderr_reset)
                        && (stderr_reset &= HANDLE_FLAG_INHERIT))
                    SetHandleInformation(si.hStdError,
                                         HANDLE_FLAG_INHERIT, 0);

                if ( (si.hStdError = attr->child_err->filehand) 
                                   != INVALID_HANDLE_VALUE )
                    SetHandleInformation(si.hStdError, HANDLE_FLAG_INHERIT,
                                                       HANDLE_FLAG_INHERIT);
            }
        }
        if (attr->user_token) {
            /* XXX: for terminal services, handles can't be cannot be
             * inherited across sessions.  This process must be created 
             * in our existing session.  lpDesktop assignment appears
             * to be wrong according to these rules.
             */
            si.lpDesktop = L"Winsta0\\Default";
            if (!ImpersonateLoggedOnUser(attr->user_token)) {
            /* failed to impersonate the logged user */
                rv = apr_get_os_error();
                CloseHandle(attr->user_token);
                attr->user_token = NULL;
                return rv;
            }
            rv = CreateProcessAsUserW(attr->user_token,
                                      wprg, wcmd,
                                      attr->sa,
                                      NULL,
                                      TRUE,
                                      dwCreationFlags,
                                      pEnvBlock,
                                      wcwd,
                                      &si, &pi);

            RevertToSelf();
        }
        else {
            rv = CreateProcessW(wprg, wcmd,        /* Executable & Command line */
                                NULL, NULL,        /* Proc & thread security attributes */
                                TRUE,              /* Inherit handles */
                                dwCreationFlags,   /* Creation flags */
                                pEnvBlock,         /* Environment block */
                                wcwd,              /* Current directory name */ 
