Versions Compared


...

An application may spawn another process as part of its normal course of action. On Windows, the newly spawned process automatically receives the same privileges as the parent process [MSDN]. By allowing the child process to run in the same security context as the parent process, the attack surface of the application is extended to the child process. Furthermore, this example allows the child process to inherit handles from the parent process by passing TRUE for the bInheritHandles parameter.

...

It is possible that the act of calling launch_notepad() will give the user an elevated Notepad application (from which the user could execute Explorer.exe), allowing the user access to all users' files, the ability to change system settings, and so on.

Compliant Solution

By using the Windows Integrity Mechanism [MSDN] when creating the process, you can assign an integrity level to the launched child process. Doing so allows you to execute the child process with a specific set of privileges instead of defaulting to the parent process's security level.

#include <Windows.h>
#include <sddl.h>
 
static void launch_notepad_as_user(HANDLE token) {
  PROCESS_INFORMATION pi;
  STARTUPINFO si;
 
  ZeroMemory(&si, sizeof(si));
  si.cb = sizeof(si);
  /* bInheritHandles is FALSE: notepad.exe needs none of this process's handles. */
  if (CreateProcessAsUser(token, TEXT("C:\\Windows\\Notepad.exe"), NULL, NULL,
                          NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
    /* Process has been created; work with the process and wait for it to
       terminate. */
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
  }
}
 
static BOOL adjust_token_integrity_level(HANDLE token, const char *sid) {
  /* Convert the string SID to a SID *, then set the token's integrity
     label. ret must be initialized so that a failed SID conversion
     reports failure rather than returning an indeterminate value. */
  BOOL ret = FALSE;
  PSID psd = NULL;
  if (ConvertStringSidToSidA(sid, &psd)) {
    TOKEN_MANDATORY_LABEL tml;
 
    ZeroMemory(&tml, sizeof(tml));
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = psd;
 
    /* The size passed covers the label structure plus the SID it points to. */
    ret = SetTokenInformation(token, TokenIntegrityLevel, &tml,
                              sizeof(tml) + GetLengthSid(psd));
 
    LocalFree(psd);
  }
  return ret;
}
 
void launch_notepad(void) {
  /* Low level; see table for integrity level string names */
  const char *requested_sid = "S-1-16-4096";
  HANDLE token_cur, token_dup;
  /* Get the current process's security token as a starting point, then modify
     a duplicate so that it runs with a fixed integrity level. */
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE |
                                            TOKEN_ADJUST_DEFAULT |
                                            TOKEN_QUERY |
                                            TOKEN_ASSIGN_PRIMARY,
                                            &token_cur)) {
    if (DuplicateTokenEx(token_cur, 0, NULL, SecurityImpersonation,
                         TokenPrimary, &token_dup)) {
      if (adjust_token_integrity_level(token_dup, requested_sid))
        launch_notepad_as_user(token_dup);
      CloseHandle(token_dup);
    }
    CloseHandle(token_cur);
  }
}

The compliant solution demonstrates how to launch notepad.exe using a low integrity level, regardless of what privilege level the parent process is running at. It also disallows handle inheritance by passing FALSE for the bInheritHandles parameter, because notepad.exe does not require access to any of the parent process's handles.
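As an added check (example code written for this page, not part of the CERT rule or its compliant solution), the following PowerShell script reads the integrity label of a running process through GetTokenInformation with TokenIntegrityLevel, so the effect of launch_notepad() can be confirmed from outside the process. The class TokenNative, the function Get-ProcessIntegrityLevel and the $IntegrityNames map are names chosen for this example. The usage at the end starts an ordinary notepad.exe, which shows the default inheritance described above (the child reports the parent's label); a child created through launch_notepad() is the case that should report S-1-16-4096.

```powershell
# Added example (not from the CERT rule page): read the integrity level a
# process actually runs at. TokenNative and Get-ProcessIntegrityLevel are
# names chosen for this example.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info,
                                                  int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

# Integrity SIDs have the form S-1-16-<RID>; the RID orders the levels, so
# numeric comparison between two labels is meaningful.
$IntegrityNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

function Get-ProcessIntegrityLevel {
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY                       = 0x0008
    $TokenIntegrityLevel               = 25      # TOKEN_INFORMATION_CLASS value
    $marshal = [Runtime.InteropServices.Marshal]

    $hProc = [TokenNative]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, error $($marshal::GetLastWin32Error())"
    }
    $hTok = [IntPtr]::Zero
    $buf  = [IntPtr]::Zero
    try {
        if (-not [TokenNative]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken failed, error $($marshal::GetLastWin32Error())"
        }
        # Two-call pattern: the first call only reports the buffer size needed
        # for the TOKEN_MANDATORY_LABEL (it fails with ERROR_INSUFFICIENT_BUFFER).
        $needed = 0
        [void][TokenNative]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
        if ($needed -le 0) {
            throw "GetTokenInformation sizing call failed, error $($marshal::GetLastWin32Error())"
        }
        $buf = $marshal::AllocHGlobal($needed)
        if (-not [TokenNative]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) {
            throw "GetTokenInformation failed, error $($marshal::GetLastWin32Error())"
        }
        # TOKEN_MANDATORY_LABEL.Label is a SID_AND_ATTRIBUTES whose first member is the PSID.
        $pSid = $marshal::ReadIntPtr($buf)
        $sid  = New-Object Security.Principal.SecurityIdentifier($pSid)
    } finally {
        if ($buf  -ne [IntPtr]::Zero) { $marshal::FreeHGlobal($buf) }
        if ($hTok -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($hTok) }
        [void][TokenNative]::CloseHandle($hProc)
    }
    $rid  = [int]($sid.Value.Split('-')[-1])
    $name = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { 'Other' }
    [pscustomobject]@{ ProcessId = $ProcessId; Sid = $sid.Value; Rid = $rid; Name = $name }
}

# Usage: a child started the default way inherits the parent's label; a child
# created through launch_notepad() should report S-1-16-4096 (Low) instead.
$self  = Get-ProcessIntegrityLevel -ProcessId $PID
$child = Start-Process notepad.exe -PassThru
try {
    $level = Get-ProcessIntegrityLevel -ProcessId $child.Id
    "parent {0}: {1} ({2})   child {3}: {4} ({5})" -f $PID, $self.Sid, $self.Name, $child.Id, $level.Sid, $level.Name
    if ($level.Rid -ge $self.Rid) {
        Write-Warning "child runs at the parent's integrity level or above; a least-privilege child should report Low (S-1-16-4096)"
    }
} finally {
    Stop-Process -Id $child.Id -ErrorAction SilentlyContinue
}
```

Run it from the shell that will later call the compliant launch_notepad(): the first run shows the inherited label, and querying the PID of a child created by launch_notepad() should show S-1-16-4096. PROCESS_QUERY_LIMITED_INFORMATION and TOKEN_QUERY are the minimum rights needed to read the label, so the checker itself follows the least-privilege principle the rule describes.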

Possible values for the integrity level SID strings are listed in the following table:

Integrity level SID   Name
S-1-16-4096           Mandatory Label\Low Mandatory Level
S-1-16-8192           Mandatory Label\Medium Mandatory Level
S-1-16-12288          Mandatory Label\High Mandatory Level
S-1-16-16384          Mandatory Label\System Mandatory Level

Risk Assessment

Failure to follow the principle of least privilege may allow exploits to execute with elevated privileges.

Recommendation   Severity   Likelihood   Detectable   Repairable   Priority   Level
WIN02-C          High       Likely       Yes          No           P18        L1

Previous version of this assessment (replaced by the row above):

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
WIN02-C          high       likely       high               P9         L2

Automated Detection

Tool                                  Checker                 Description
CodeSonar                             BADFUNC.CREATEPROCESS   Use of CreateProcess
PC-lint Plus                          586                     Fully supported
Security Reviewer - Static Reviewer   UNSAFE_05               Fully implemented

Related Guidelines

ISO/IEC TR 24772   Adherence to Least Privilege [XYN]
MITRE CWE          CWE-250, Execution with unnecessary privileges
                   CWE-272, Least privilege violation

Bibliography

...