Unverified Ownership
Draft Base
Structure: Simple
Description
The product does not properly verify that a critical resource is owned by the proper entity.
Common Consequences 1
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could gain unauthorized access to system resources.
Potential Mitigations 2
Phase: Architecture and DesignOperation
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Demonstrative Examples 1
This function is part of a privileged program that takes input from users with potentially lower privileges.
Code Example:
Bad
Python
pythonThis code does not confirm that the process to be killed is owned by the requesting user, thus allowing an attacker to kill arbitrary processes.
This function remedies the problem by checking the owner of the process before killing it:
Code Example:
Good
Python
python#Check process owner against requesting user* if getProcessOwner(processID) == user: ``` os.kill(processID, signal.SIGKILL) return else: print("You cannot kill a process you don't own") return
Observed Examples 2
CVE-2001-0178Program does not verify the owner of a UNIX socket that is used for sending a password.
CVE-2004-2012Owner of special device not checked, allowing root.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Weaknesses
Taxonomy Mapping
- PLOVER
Notes
RelationshipThis overlaps insufficient comparison, verification errors, permissions, and privileges.