Privilege Chaining| ID: 268 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
Two distinct privileges, roles, capabilities, or rights can be
combined in a way that allows an entity to perform unsafe actions that would not
be allowed without that combination.
Likelihood of Exploit: High
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | A user can be given or gain access rights of another user. This can
give the user unauthorized access to sensitive information including the
access information of another user. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | Separation of Privilege | Consider following the principle of separation of privilege. Require
multiple conditions to be met before permitting access to a system
resource. | | |
| Architecture and DesignOperation | | Very carefully manage the setting, management, and handling of
privileges. Explicitly manage trust zones in the software. | | |
| Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.268.1]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | |
RelationshipsThere is some conceptual overlap with Unsafe Privilege.
| Related CWE | Type | View | Chain |
|---|
| CWE-268 ChildOf CWE-901 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This code allows someone with the role of "ADMIN" or "OPERATOR" to
reset a user's password. The role of "OPERATOR" is intended to have less
privileges than an "ADMIN", but still be able to help users with small
issues such as forgotten passwords.
Observed Examples
- CVE-2005-1736 : Chaining of user rights.
- CVE-2002-1772 : Gain certain rights via privilege chaining in alternate channel.
- CVE-2005-1973 : Application is allowed to assign extra permissions to itself.
- CVE-2003-0640 : "operator" user can overwrite usernames and passwords to gain admin privileges.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Privilege Chaining | |
References:
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
