alpine 3.6
access weakness #17

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

krb5/src/krb5-1.14.3/src/ccapi/common/win/OldCC/secure.cxx

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 * It is OK for OpenThreadToken to return an error -- that just means impersonation
 * is off.
 */
SecureClient::SecureClient():
    m_Error(0),
    m_hToken(0),
    m_NeedRestore(false) {

    HANDLE hThread = GetCurrentThread();
    HANDLE hThDuplicate;
    
    int status  = DuplicateHandle(  GetCurrentProcess(),
                                    hThread,
                                    GetCurrentProcess(),
                                    &hThDuplicate,
                                    TOKEN_ALL_ACCESS,
                                    FALSE,
                                    0);
    if (!status) return;

    if (!OpenThreadToken(hThDuplicate, TOKEN_ALL_ACCESS, FALSE, &m_hToken)) {
        m_Error = GetLastError();
        return;
        }
    if (SetThreadToken(&hThDuplicate, NULL)) {
        m_NeedRestore = true;
    } else {
        m_Error = GetLastError();
        }
    CloseHandle(hThDuplicate);
    }

SecureClient::~SecureClient() {
    if (m_NeedRestore) {
        HANDLE hThread = GetCurrentThread();
        if (!SetThreadToken(&hThread, m_hToken)) {
            m_Error = cci_check_error(GetLastError());
            }
        }
    if (m_hToken) {
        if (!CloseHandle(m_hToken)) {
            m_Error = cci_check_error(GetLastError());
            }
        }
    }

DWORD SecureClient::Error() {
    return m_Error;
    } 
