Presentation is loading. Please wait.

Presentation is loading. Please wait.

CWE-732 Incorrect Permission Assignment for Critical Resource

Published byTucker Lather Modified over 9 years ago

Similar presentations

Presentation on theme: "CWE-732 Incorrect Permission Assignment for Critical Resource"— Presentation transcript:

1 CWE-732 Incorrect Permission Assignment for Critical Resource
Denisa Ivan MSI2

2 CWE-732 was included in the SANS institute Top 25 security bugs list.
CWE-732 is the Common Weakness Enumeration identifier for the class of security bugs a program does not check if a critical file MIGHT have been written to by an untrusted actor.

3 Description The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

4 Consequences Scope Effect Confidentiality
Read application data; Read files or directories (credentials, configuration info) Access Control Gain privileges / assume identity (replacing a world-writable executable with a Trojan horse) Integrity Other Modify application data (destroy or corrupt critical data in the associated resource, such as deletion of records from a database.)

5 Relationships with other vulnerabilities

6 Detection Methods

7 Automated Static Analysis
(Configuration Checker) Source Code/Bytecode Manual(human) Analysis Static/Dynamic

8 Black Box Monitoring tools examine the software's process as it interacts with the OS and the network. Useful when source code is unavailable, if the software was developed by someone else, or to verify that the build phase did not introduce any new weaknesses. Analyses permissions issues related to system resources, not application-level business rules that are related to permissions

9 Black Box Examples: debuggers attached to the running process;
system-call tracing utilities: truss (Solaris) and strace (Linux); system activity monitors: FileMon, RegMon, Process Monitor, other Sysinternals utilities (Windows); sniffers and protocol analyzers that monitor network traffic.

10 Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.

11 Example //Language PHP function createUserDir($username){ $path = '/home/'.$username; if(!mkdir($path)){ // forgot optional ‘mode’ argument -> the directory is created with the default permissions 0777 return false; } return true;

12 Observed Examples

13 CVE Anti-virus product sets insecure "Everyone: Full Control" permissions for files under the "Program Files" folder, allowing attackers to replace executables with Trojan horses. CVE Driver installs a file with world-writable permissions. CVE Security product uses "Everyone: Full Control" permissions for its configuration files. CVE LDAP server stores a cleartext password in a world-readable file. CVE Product uses "Everyone: Full Control" permissions for memory-mapped files (shared memory) in inter-process communication, allowing attackers to tamper with a session. The complete list is available at

14 CVE TrustPort Antivirus before and PC Security before use weak permissions (Everyone: Full Control) for files under %PROGRAMFILES% This allows  local attackers (unprivileged users) to gain privileges by replacing files (including executable files of Trustport services) by malicious files and execute arbitrary code with SYSTEM privileges.

15 Potential Mitigations
Phase: Implementation: check to see if the resource has insecure permissions and report them Phase: Architecture and Design: Divide the software into several administrative areas(like a Security Lattice) and set the permissions accordingly

16 Potential Mitigations(II)
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. Utils: OS: Unix chroot jail, AppArmor, SELinux java.io.FilePermission (Java SecurityManager)

17 Potential Mitigations(III)
Phase: Operation; System Configuration Ensure that the software runs properly under the Federal Desktop Core Configuration (FDCC) [R.732.4] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.

18 Case study Bell–LaPadula model
The Simple Security Property (no read-up). The ★-property (read "star"-property) (no write-down). The Discretionary Security Property - use of an access matrix to specify the discretionary access control.

19 BLP - lattice

20 The End

Download ppt "CWE-732 Incorrect Permission Assignment for Critical Resource"

Similar presentations

The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.

The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Static code check – Klocwork

Static code check – Klocwork
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.

1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Performing Software Installation with Group Policy

Performing Software Installation with Group Policy
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007.

Cracking Windows Access Control Andrey Kolishchak Hack.lu 2007.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Similar presentations

Ads by Google