Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Status: Draft
Abstraction: Base
Structure: Simple
Description

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

Extended Description

When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.
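The inheritance described above, as an added example that is not part of the CWE entry: a parent opens a file, then forks and execs a lower-trust child (here /bin/sh) that is asked only to read from the inherited descriptor number. A plain open() leaks the data to the child; opening with O_CLOEXEC (or setting FD_CLOEXEC with fcntl on an already-open descriptor) closes it at execve(). The temp file path and its content are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC (closed at execve), 0 if a child would inherit it, -1 on error. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fills a caller-supplied mkstemp template with constructed sample data. 0 on success. */
int make_secret_file(char *path_template) {
    int fd = mkstemp(path_template);            /* constructed demo file, not from the CWE entry */
    if (fd < 0) return -1;
    int ok = write(fd, "constructed-secret-token\n", 25) == 25;
    close(fd);
    return ok ? 0 : -1;
}

/* Weak: a plain open() leaves the descriptor inheritable across fork+exec.
   Hardened: O_CLOEXEC makes the kernel close it in the child at execve(). */
int open_secret(const char *path, int hardened) {
    return open(path, O_RDONLY | (hardened ? O_CLOEXEC : 0));
}

/* Fork+exec /bin/sh as the lower-trust child and ask it only to read inherited descriptor fd.
   Returns 1 if it read the data (the leak), 0 if the fd was unavailable, -1 if the probe could not run. */
int child_can_read_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "cat <&%d >/dev/null 2>&1", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    char path[] = "/tmp/cwe403_demo_XXXXXX";   /* constructed temp path */
    if (make_secret_file(path) < 0) return 1;
    int weak = open_secret(path, 0), hard = open_secret(path, 1);
    printf("plain open leaked? %d  O_CLOEXEC leaked? %d\n", child_can_read_fd(weak), child_can_read_fd(hard));
    close(weak); close(hard); unlink(path);
    return 0;
}
```

For descriptors that were already opened without the flag (or inherited from your own parent), the same protection is applied after the fact with `fcntl(fd, F_SETFD, FD_CLOEXEC)` before the fork.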

Common Consequences

Scope: Confidentiality, Integrity

Impact: Read Application Data, Modify Application Data

Observed Examples

CVE-2003-0740: Server leaks a privileged file descriptor, allowing the server to be hijacked.
CVE-2004-1033: File descriptor leak allows read of restricted files.
CVE-2000-0094: Access to restricted resource using modified file descriptor for stderr.
CVE-2002-0638: Open file descriptor used as alternate channel in complex race condition.
CVE-2003-0489: Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.
CVE-2003-0937: User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor.
CVE-2004-2215: Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users.
CVE-2006-5397: Module opens a file for reading twice, allowing attackers to read files.
References

REF-392: Paul Roberts. "File descriptors and setuid applications". 05-02-2007.
Applicable Platforms
Languages:
  1. C (Undetermined)
  2. Not Language-Specific (Undetermined)
Modes of Introduction
Implementation
Alternate Terms

File descriptor leak

While this issue is frequently called a file descriptor leak, the term "leak" is used in two different ways: exposure of a resource, or consumption of a resource. Use of this term could cause confusion.
Functional Areas
  1. Program Invocation
Affected Resources
  1. System Process
  2. File or Directory
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • Software Fault Patterns