1. Home
  2. CWE Database
  3. CWE-272
Base · Medium

CWE-272: Least Privilege Violation

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

CWE-272 · Base Level ·3 Mitigations

Description

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

Potential Impact

Access Control, Confidentiality

Gain Privileges or Assume Identity, Read Application Data, Read Files or Directories

Demonstrative Examples

The following example demonstrates the weakness.
Bad
setuid(0);
                     // Do some important stuff
                     setuid(old_uid);
                     // Do some non privileged stuff.
The following example demonstrates the weakness.
Bad
AccessController.doPrivileged(new PrivilegedAction() {
                        public Object run() {
                                 // privileged code goes here, for example:
                                 System.loadLibrary("awt");return null;
                                 // nothing to return
                                 
                           }
The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.
Bad
chroot(APP_HOME);chdir("/");FILE* data = fopen(argv[1], "r+");...
Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.

Mitigations & Prevention

Architecture and DesignOperation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system.

Architecture and Design

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least

Detection Methods

  • Automated Static Analysis - Binary or Bytecode SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Automated Results Interpretation SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Source Code High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Source Code SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Architecture or Design Review High — According to SOAR [REF-1479], the following detection techniques may be useful:

CWE-271: Privilege Dropping / Lowering Errors

The product does not drop privileges before passing control of a resource to an actor that does not have those privilege...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Least Privilege Violation
  • CLASP: — Failure to drop privileges when reasonable
  • CERT C Secure Coding: POS02-C — Follow the principle of least privilege
  • The CERT Oracle Secure Coding Standard for Java (2011): SEC00-J — Do not allow privileged blocks to leak sensitive information across a trust boundary
  • The CERT Oracle Secure Coding Standard for Java (2011): SEC01-J — Do not allow tainted variables in privileged blocks
  • Software Fault Patterns: SFP36 — Privilege

Frequently Asked Questions

What is CWE-272?

CWE-272 (Least Privilege Violation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

How can CWE-272 be exploited?

Attackers can exploit CWE-272 (Least Privilege Violation) to gain privileges or assume identity, read application data, read files or directories. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-272?

Key mitigations include: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

What is the severity of CWE-272?

CWE-272 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.