alpine 3.6
access weakness #37

4

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password set by the developer are never changed by the system administrator.

Warning code(s):

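If this call fails, the program could fail to drop heightened privileges. The return value of the call should be checked, and the program should not continue with the request if a failure is reported.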

File Name:

wine/src/wine-2.0.1/include/rpcdce.h

Context:

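The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlighting is not preserved in this listing; the warning text most likely refers to the RpcImpersonateClient declaration. The file is a header and the excerpt contains only prototypes, so the warning here marks a function name rather than an unchecked call; the check that matters is at each call site of that function.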

                             RPC_CSTR *ServerPrincName, ULONG *AuthnLevel, ULONG *AuthnSvc,
                            ULONG *AuthzSvc );

/* Wide-character (RPC_WSTR) variant of the client-authentication query.
 * Takes the client's binding handle and reports its outcome as an
 * RPC_STATUS; Privs, ServerPrincName, AuthnLevel, AuthnSvc and AuthzSvc
 * are pointers, presumably filled in on success (declaration only, the
 * implementation is not in this header).
 * NOTE(review): callers that base an access decision on these outputs
 * should first confirm that the returned status reports success. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcBindingInqAuthClientW( RPC_BINDING_HANDLE ClientBinding, RPC_AUTHZ_HANDLE *Privs,
                            RPC_WSTR *ServerPrincName, ULONG *AuthnLevel, ULONG *AuthnSvc,
                            ULONG *AuthzSvc );
/* Unsuffixed name, mapped to the A or W variant by WINELIB_NAME_AW
 * (macro defined elsewhere). */
#define RpcBindingInqAuthClient WINELIB_NAME_AW(RpcBindingInqAuthClient)

/* Extended client-authentication query, RPC_CSTR variant: same parameter
 * list as the non-Ex declaration plus a trailing ULONG Flags argument.
 * NOTE(review): as with the non-Ex form, the pointer outputs are only
 * meaningful when the returned RPC_STATUS reports success. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcBindingInqAuthClientExA( RPC_BINDING_HANDLE ClientBinding, RPC_AUTHZ_HANDLE *Privs,
                              RPC_CSTR *ServerPrincName, ULONG *AuthnLevel, ULONG *AuthnSvc,
                              ULONG *AuthzSvc, ULONG Flags );

/* RPC_WSTR variant of the extended query; differs from the A variant
 * only in the type of ServerPrincName. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcBindingInqAuthClientExW( RPC_BINDING_HANDLE ClientBinding, RPC_AUTHZ_HANDLE *Privs,
                              RPC_WSTR *ServerPrincName, ULONG *AuthnLevel, ULONG *AuthnSvc,
                              ULONG *AuthzSvc, ULONG Flags );
/* Unsuffixed name, mapped to the A or W variant by WINELIB_NAME_AW
 * (macro defined elsewhere). */
#define RpcBindingInqAuthClientEx WINELIB_NAME_AW(RpcBindingInqAuthClientEx)

/* Thread-cancellation entry points; both report an RPC_STATUS.
 * Parameter names are omitted in these declarations.
 * NOTE(review): the void* is presumably a thread handle and the LONG a
 * timeout - confirm against the implementation. */
RPCRTAPI RPC_STATUS RPC_ENTRY RpcCancelThread(void*);
RPCRTAPI RPC_STATUS RPC_ENTRY RpcCancelThreadEx(void*,LONG);

/* Asks the RPC runtime to make the calling server thread impersonate the
 * client identified by Binding. The result is an RPC_STATUS.
 *
 * Security note for callers: the return value must be checked. If
 * impersonation fails and the caller carries on, the work that follows
 * runs under the server's own (typically more privileged) security
 * context instead of the client's. On a failing status, stop handling
 * the request rather than continuing. A successful call should be paired
 * with RpcRevertToSelf / RpcRevertToSelfEx once the client-context work
 * is finished. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcImpersonateClient( RPC_BINDING_HANDLE Binding );

/* Protocol-sequence validity check, RPC_CSTR and RPC_WSTR variants.
 * The answer is carried in the returned RPC_STATUS; there is no separate
 * output parameter. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcNetworkIsProtseqValidA( RPC_CSTR protseq );
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcNetworkIsProtseqValidW( RPC_WSTR protseq );
/* Unsuffixed name, mapped to the A or W variant by WINELIB_NAME_AW. */
#define RpcNetworkIsProtseqValid WINELIB_NAME_AW(RpcNetworkIsProtseqValid)

/* Protocol-sequence enumeration: takes a pointer to a vector pointer,
 * presumably set to a newly allocated vector on success (the allocation
 * is not visible in this header). */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcNetworkInqProtseqsA( RPC_PROTSEQ_VECTORA** protseqs );
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcNetworkInqProtseqsW( RPC_PROTSEQ_VECTORW** protseqs );
/* Unsuffixed name, mapped to the A or W variant by WINELIB_NAME_AW. */
#define RpcNetworkInqProtseqs WINELIB_NAME_AW(RpcNetworkInqProtseqs)

/* Releases a protocol-sequence vector. The argument types match
 * RpcNetworkInqProtseqsA/W, so these are presumably the matching free
 * routines for vectors those calls return - confirm ownership rules
 * against the implementation. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcProtseqVectorFreeA( RPC_PROTSEQ_VECTORA** protseqs );
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcProtseqVectorFreeW( RPC_PROTSEQ_VECTORW** protseqs );
/* Unsuffixed name, mapped to the A or W variant by WINELIB_NAME_AW. */
#define RpcProtseqVectorFree WINELIB_NAME_AW(RpcProtseqVectorFree)

/* End impersonation started with RpcImpersonateClient and return the
 * thread to the server's own security context. RpcRevertToSelf takes no
 * argument; RpcRevertToSelfEx names the binding to revert.
 *
 * Security note for callers: both report an RPC_STATUS that should be
 * checked. If the revert fails, the thread may still be running under
 * the client's context, and later work (including the next request
 * served by the same thread) would execute with the wrong identity. */
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcRevertToSelf( void );
RPCRTAPI RPC_STATUS RPC_ENTRY
  RpcRevertToSelfEx( RPC_BINDING_HANDLE Binding );

RPCRTAPI RPC_STATUS RPC_ENTRY 
