The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.
Threat Mapped score: 3.25
Industry: Finiancial
Threat priority: P2 - Serious (High)
CVE: CVE-2022-29527
Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition.
CVE: CVE-2009-3482
Anti-virus product sets insecure "Everyone: Full Control" permissions for files under the "Program Files" folder, allowing attackers to replace executables with Trojan horses.
CVE: CVE-2009-3897
Product creates directories with 0777 permissions at installation, allowing users to gain privileges and access a socket used for authentication.
CVE: CVE-2009-3489
Photo editor installs a service with an insecure security descriptor, allowing users to stop or start the service, or execute commands as SYSTEM.
CVE: CVE-2020-15708
socket created with insecure permissions
CVE: CVE-2009-3289
Library function copies a file to a new target and uses the source file's permissions for the target, which is incorrect when the source file is a symbolic link, which typically has 0777 permissions.
CVE: CVE-2009-0115
Device driver uses world-writable permissions for a socket file, allowing attackers to inject arbitrary commands.
CVE: CVE-2009-1073
LDAP server stores a cleartext password in a world-readable file.
CVE: CVE-2009-0141
Terminal emulator creates TTY devices with world-writable permissions, allowing an attacker to write to the terminals of other users.
CVE: CVE-2008-0662
VPN product stores user credentials in a registry key with "Everyone: Full Control" permissions, allowing attackers to steal the credentials.
CVE: CVE-2008-0322
Driver installs its device interface with "Everyone: Write" permissions.
CVE: CVE-2009-3939
Driver installs a file with world-writable permissions.
CVE: CVE-2009-3611
Product changes permissions to 0777 before deleting a backup; the permissions stay insecure for subsequent backups.
CVE: CVE-2007-6033
Product creates a share with "Everyone: Full Control" permissions, allowing arbitrary program execution.
CVE: CVE-2007-5544
Product uses "Everyone: Full Control" permissions for memory-mapped files (shared memory) in inter-process communication, allowing attackers to tamper with a session.
CVE: CVE-2005-4868
Database product uses read/write permissions for everyone for its shared memory, allowing theft of credentials.
CVE: CVE-2004-1714
Security product uses "Everyone: Full Control" permissions for its configuration files.
CVE: CVE-2001-0006
"Everyone: Full Control" permissions assigned to a mutex allows users to disable network connectivity.
CVE: CVE-2002-0969
Chain: database product contains buffer overflow that is only reachable through a .ini configuration file - which has "Everyone: Full Control" permissions.
| Phase | Note |
|---|---|
| Architecture and Design | N/A |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. The developer might make certain assumptions about the environment in which the product operates - e.g., that the software is running on a single-user system, or the software is only accessible to trusted administrators. When the software is running in a different environment, the permissions become a problem. |
| Installation | The developer may set loose permissions in order to minimize problems when the user first runs the program, then create documentation stating that permissions should be tightened. Since system administrators and users do not always read the documentation, this can result in insecure permissions being left unchanged. |
| Operation | N/A |
Intro: The following code sets the umask of the process to 0 before creating a file and writing "Hello world" into the file.
Body: After running this program on a UNIX system, running the "ls -l" command might return the following output:
#define OUTFILE "hello.out" umask(0); FILE *out; /* Ignore link following (CWE-59) for brevity */ out = fopen(OUTFILE, "w"); if (out) { fprintf(out, "hello world!\n"); fclose(out); }Intro: This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted.
Body: Because the optional "mode" argument is omitted from the call to mkdir(), the directory is created with the default permissions 0777. Simply setting the new user as the owner of the directory does not explicitly change the permissions of the directory, leaving it with the default. This default allows any user to read and write to the directory, allowing an attack on the user's files. The code also fails to change the owner group of the directory, which may result in access by unexpected groups.
function createUserDir($username){ $path = '/home/'.$username; if(!mkdir($path)){ return false; } if(!chown($path,$username)){ rmdir($path); return false; } return true; }Intro: The following code snippet might be used as a monitor to periodically record whether a web site is alive. To ensure that the file can always be modified, the code uses chmod() to make the file world-writable.
Body: The first time the program runs, it might create a new file that inherits the permissions from its environment. A file listing might look like:
$fileName = "secretFile.out"; if (-e $fileName) { chmod 0777, $fileName; } my $outFH; if (! open($outFH, ">>$fileName")) { ExitError("Couldn't append to $fileName: $!"); } my $dateString = FormatCurrentTime(); my $status = IsHostAlive("cwe.mitre.org"); print $outFH "$dateString cwe status: $status!\n"; close($outFH);Intro: This program creates and reads from an admin file to determine privilege information.
Body: If the admin file doesn't exist, the program will create one. In order to create the file, the program must have write privileges to write to the file. After the file is created, the permissions need to be changed to read only.
const adminFile = "/etc/admin-users" func createAdminFileIfNotExists() error { file, err := os.Create(adminFile) if err != nil { return err } return nil } func changeModeOfAdminFile() error { fileMode := os.FileMode(0440) if err := os.Chmod(adminFile, fileMode); err != nil { return err } return nil }Intro: The following command recursively sets world-readable permissions for a directory and all of its children:
Body: If this command is run from a program, the person calling the program might not expect that all the files under the directory will be world-readable. If the directory is expected to contain private data, this could become a security problem.
chmod -R ugo+r DIRNAMEIntro: The following Azure command updates the settings for a storage account:
Body: However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs.
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access trueIntro: The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':
Body: Suppose the command returns the following result:
gsutil iam get gs://BUCKET_NAME