Base · Medium

CWE-250: Execution with Unnecessary Privileges

CWE-250 · Base Level · 9 CVEs · 7 Mitigations

Description

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Potential Impact

Confidentiality, Integrity, Availability, Access Control

Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Read Application Data, DoS: Crash, Exit, or Restart

Demonstrative Examples

This code temporarily raises the program's privileges to allow creation of a new user folder.
Bad
    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers assumed by the example.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False

        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()  # never reached if os.mkdir() raises
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False

        return True
While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
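A hardened form of the makeNewUserDir() example, added here and not part of the CWE entry: a context manager lowers privileges in a finally clause, so the elevated window is exactly the mkdir() call whatever happens inside it, and it refuses to carry on if the drop did not take (the CWE-273 point made under Mitigations). The PosixPrivileges wrapper, the FakePrivileges test double, the username pattern and the injectable mkdir argument are assumptions made so the code runs without root; the page's raisePrivileges()/lowerPrivileges() helpers are assumed to map onto seteuid().

```python
import os
import re
from contextlib import contextmanager

# Constructed username policy: no path separators or shell metacharacters (CWE-22 / CWE-78).
USERNAME_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')


class PrivilegeDropFailed(RuntimeError):
    """Still elevated after lowering privileges; never continue silently (CWE-273)."""


class PosixPrivileges:
    """Assumed real backend for a setuid-root binary: toggle the effective UID with seteuid().
    The real UID stays the unprivileged invoking user, so seteuid() back to it is always allowed."""

    def __init__(self, privileged_uid=0):
        self.privileged_uid = privileged_uid
        self.unprivileged_uid = os.getuid()

    def raise_privileges(self):
        os.seteuid(self.privileged_uid)

    def lower_privileges(self):
        os.seteuid(self.unprivileged_uid)

    def is_privileged(self):
        return os.geteuid() == self.privileged_uid


class FakePrivileges:
    """Constructed test double: records calls; drop_fails=True simulates a refused seteuid()."""

    def __init__(self, drop_fails=False):
        self.elevated = False
        self.drop_fails = drop_fails
        self.calls = []

    def raise_privileges(self):
        self.calls.append('raise')
        self.elevated = True

    def lower_privileges(self):
        self.calls.append('lower')
        if self.drop_fails:
            raise PermissionError('seteuid refused')
        self.elevated = False

    def is_privileged(self):
        return self.elevated


@contextmanager
def elevated(privs):
    """Hold privileges only inside the with-block; finally lowers them on every exit path."""
    privs.raise_privileges()
    try:
        yield
    finally:
        try:
            privs.lower_privileges()
        except OSError as exc:
            # Not an OSError any more: callers that swallow OSError must not swallow this.
            raise PrivilegeDropFailed('lowering privileges failed') from exc
        if privs.is_privileged():
            raise PrivilegeDropFailed('still elevated after lowering privileges')


def make_new_user_dir_unsafe(username, privs, mkdir=os.mkdir, home='/home'):
    """The page's original pattern: if mkdir() raises, lower_privileges() is skipped."""
    if not USERNAME_RE.match(username):
        return False
    try:
        privs.raise_privileges()
        mkdir(f'{home}/{username}')
        privs.lower_privileges()
    except OSError:
        return False
    return True


def make_new_user_dir(username, privs, mkdir=os.mkdir, home='/home'):
    """Hardened form: the privileged window is exactly the mkdir() call."""
    if not USERNAME_RE.match(username):
        print('Usernames cannot contain invalid characters')
        return False
    try:
        with elevated(privs):
            mkdir(f'{home}/{username}')
    except OSError:
        print('Unable to create new user directory for user: ' + username)
        return False
    return True
```

Running both variants against a FakePrivileges whose mkdir fails shows the difference: the unsafe version returns False with the fake still elevated, the hardened version returns False with privileges lowered and the raise/lower calls paired.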
The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.
Bad
    chroot(APP_HOME);
    chdir("/");
    FILE* data = fopen(argv[1], "r+");
    ...
Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.
This application intends to use a user's location to determine the timezone the user is in:
Bad
    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    Location userCurrLocation;
    userCurrLocation = locationClient.getLastLocation();
    setTimeZone(userCurrLocation);
This is unnecessary use of the location API, as this information is already available using the Android Time API. Always be sure there is not another way to obtain needed information before resorting to using the location API.
This code uses location to determine the user's current US State location.
First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml:
Bad
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible:
Bad
    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    Location userCurrLocation;
    userCurrLocation = locationClient.getLastLocation();
    deriveStateFromCoords(userCurrLocation);
While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in.

Mitigations & Prevention

Architecture and Design, Operation

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Architecture and Design

Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondar

Implementation

Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.

Implementation

When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
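The chroot() fragment in the Demonstrative Examples and this mitigation point the same way: drop to an unprivileged account in the right order, then check that the drop actually held. The Python below is an added example, not CWE or project code. drop_privileges() runs chroot()/chdir() while still root, clears supplementary groups and sets the GID before the UID (those calls are refused once the UID is non-zero), compares the resulting IDs with the target, and finally confirms that setuid(0) is refused, which catches a drop that left the saved UID at 0. FakeOS, LeakySavedUidOS and the www-data entry are constructed stand-ins so the sequence can be exercised without root; the sys and getpw parameters exist only for that injection and default to the real os and pwd modules.

```python
import os
import pwd
from collections import namedtuple


class PrivilegeDropFailed(RuntimeError):
    """The process is not in the requested unprivileged state (CWE-273)."""


def drop_privileges(user, chroot_dir=None, sys=os, getpw=pwd.getpwnam):
    """Optionally confine the process, drop from root to `user`, then prove the drop held."""
    pw = getpw(user)
    if pw.pw_uid == 0:
        raise ValueError('target account is uid 0; nothing would be dropped')
    if chroot_dir is not None:
        sys.chroot(chroot_dir)   # needs root, so it comes first
        sys.chdir('/')           # working directory must be inside the jail
    sys.setgroups([])            # no inherited supplementary groups
    sys.setgid(pw.pw_gid)        # GID before UID: refused once the UID is non-zero
    sys.setuid(pw.pw_uid)        # as root, sets real, effective and saved UID
    # Verify rather than assume: IDs must match the target ...
    if (sys.getuid(), sys.geteuid(), sys.getgid()) != (pw.pw_uid, pw.pw_uid, pw.pw_gid):
        raise PrivilegeDropFailed('uid/gid are not the requested values')
    # ... and root must be unrecoverable (a saved UID of 0 would let setuid(0) succeed).
    try:
        sys.setuid(0)
    except PermissionError:
        return True
    raise PrivilegeDropFailed('process was able to regain uid 0')


def still_root(sys=os):
    """What the page's chroot()-only fragment leaves behind: a jailed but still-root process."""
    return sys.geteuid() == 0


# Constructed fakes so the sequence can be exercised without being root.
FakePw = namedtuple('FakePw', 'pw_uid pw_gid')
FAKE_PASSWD = {'www-data': FakePw(33, 33)}


class FakeOS:
    """Minimal stand-in for the os module: starts as root and records every call."""

    def __init__(self):
        self.uid = self.euid = self.suid = self.gid = 0
        self.calls = []

    def _need_root(self):
        if self.euid != 0:
            raise PermissionError('EPERM')

    def chroot(self, path):
        self._need_root()
        self.calls.append(('chroot', path))

    def chdir(self, path):
        self.calls.append(('chdir', path))

    def setgroups(self, groups):
        self._need_root()
        self.calls.append(('setgroups', tuple(groups)))

    def setgid(self, gid):
        self._need_root()
        self.calls.append(('setgid', gid))
        self.gid = gid

    def setuid(self, uid):
        self.calls.append(('setuid', uid))
        if self.euid == 0:
            self.uid = self.euid = self.suid = uid   # root: all three IDs change
        elif uid in (self.uid, self.suid):
            self.euid = uid                           # unprivileged: may only swap to real/saved
        else:
            raise PermissionError('EPERM')

    def getuid(self):
        return self.uid

    def geteuid(self):
        return self.euid

    def getgid(self):
        return self.gid


class LeakySavedUidOS(FakeOS):
    """Constructed faulty drop: real and effective UID change but the saved UID stays 0."""

    def setuid(self, uid):
        self.calls.append(('setuid', uid))
        if self.euid == 0:
            self.uid = self.euid = uid                # saved UID untouched: root is recoverable
        elif uid in (self.uid, self.suid):
            self.euid = uid
        else:
            raise PermissionError('EPERM')
```

Against FakeOS the call order comes out as chroot, chdir, setgroups, setgid, setuid(33) and the probing setuid(0) that must fail; against LeakySavedUidOS the first check passes but the probe succeeds, so drop_privileges() raises PrivilegeDropFailed instead of returning normally.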

Implementation

If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitig

Operation, System Configuration

Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.

Detection Methods

  • Manual Analysis — This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
  • Black Box — Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new wea
  • Automated Static Analysis - Binary or Bytecode (Effectiveness: High) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Binary or Bytecode (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Automated Results Interpretation (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Manual Results Interpretation (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:

Real-World CVE Examples

CVE ID          Description
CVE-2007-4217   FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.
CVE-2008-1877   Program runs with privileges and calls another program with the same privileges, which allows read of arbitrary files.
CVE-2007-5159   OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
CVE-2008-4638   Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
CVE-2008-0162   Program does not drop privileges before calling another program, allowing code execution.
CVE-2008-0368   setuid root program allows creation of arbitrary files through command line argument.
CVE-2007-3931   Installation script installs some programs as setuid when they shouldn't be.
CVE-2020-3812   mail program runs as root but does not drop its privileges before attempting to access a file. Attacker can use a symlink from their home directory to a directory only readable by root, then determine
CVE-2003-0908   Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Often Misused: Privilege Management
  • The CERT Oracle Secure Coding Standard for Java (2011): SER09-J — Minimize privileges before deserializing from a privilege context
  • ISA/IEC 62443: Part 2-4 — Req SP.03.05 BR
  • ISA/IEC 62443: Part 2-4 — Req SP.03.08 BR
  • ISA/IEC 62443: Part 2-4 — Req SP.03.08 RE(1)
  • ISA/IEC 62443: Part 2-4 — Req SP.05.07 BR
  • ISA/IEC 62443: Part 2-4 — Req SP.09.02 RE(4)
  • ISA/IEC 62443: Part 2-4 — Req SP.09.03 BR
  • ISA/IEC 62443: Part 2-4 — Req SP.09.04 BR
  • ISA/IEC 62443: Part 3-3 — Req SR 1.1
  • ISA/IEC 62443: Part 3-3 — Req SR 1.2
  • ISA/IEC 62443: Part 3-3 — Req SR 2.1
  • ISA/IEC 62443: Part 3-3 — Req SR 2.1 RE 1
  • ISA/IEC 62443: Part 4-1 — Req SD-4
  • ISA/IEC 62443: Part 4-2 — Req CCSC 3
  • ISA/IEC 62443: Part 4-2 — Req CR 1.1

Frequently Asked Questions

What is CWE-250?

CWE-250 (Execution with Unnecessary Privileges) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

How can CWE-250 be exploited?

Attackers can exploit CWE-250 (Execution with Unnecessary Privileges) to gain privileges or assume identity, execute unauthorized code or commands, read application data, or cause a DoS (crash, exit, or restart). This weakness is typically introduced during the Implementation, Installation, Architecture and Design, or Operation phases of software development.

How do I prevent CWE-250?

Key mitigations include: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single ta

What is the severity of CWE-250?

CWE-250 is classified as a Base-level weakness (Medium abstraction). It has been observed in 9 real-world CVEs.