SV.SIP.VAR
Use of insecure macro for dangerous function
Several Microsoft Windows functions accept macros as parameters that grant more access than the component needs, allowing a malicious user to access the registry or run arbitrary commands. CreateService may be called with SERVICE_INTERACTIVE_PROCESS in its service type, which lets the service interact with the desktop; a malicious user who can reach that desktop can interact with the service's windows and run arbitrary commands with the privileges of the service account, which is frequently LocalSystem.
The SV.SIP.VAR checker finds instances in which the CreateService function receives the SERVICE_INTERACTIVE_PROCESS flag in its dwServiceType argument through a variable.
Vulnerability and risk
Use of the SERVICE_INTERACTIVE_PROCESS flag results in inappropriately loose permissions for access to resources: a privileged process is exposed to the interactive desktop. This practice can compromise the security of the software by allowing attackers to gain privileges, access sensitive information, and possibly execute commands. Resource access should always use the lowest level of privilege required to get the job done.
Mitigation and prevention
These flagged defects should be reviewed, and the identified parameters replaced with safer macros (normally SERVICE_WIN32_OWN_PROCESS without the interactive bit) or code that ensures lower privileges are enforced. If the service must present a user interface, run that interface as a separate process in the user's session and have it communicate with the service over IPC rather than making the service itself interactive.
Vulnerable code example
#include <windows.h>

SC_HANDLE foo(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPCTSTR lpDisplayName,
              DWORD dwDesiredAccess, DWORD dwStartType, DWORD dwErrorControl,
              LPCTSTR lpBinaryPathName, LPCTSTR lpLoadOrderGroup, LPDWORD lpdwTagId,
              LPCTSTR lpDependencies, LPCTSTR lpServiceStartName, LPCTSTR lpPassword)
{
    /* The interactive flag is stored in a variable before it reaches CreateService. */
    DWORD dwServiceType = SERVICE_INTERACTIVE_PROCESS;
    return CreateService(hSCManager, lpServiceName, lpDisplayName,
                         dwDesiredAccess, dwServiceType,
                         dwStartType, dwErrorControl,
                         lpBinaryPathName, lpLoadOrderGroup, lpdwTagId,
                         lpDependencies, lpServiceStartName, lpPassword);
}
The defect is reported at line 7, the CreateService call, indicating that CreateService is using the macro SERVICE_INTERACTIVE_PROCESS for its dwServiceType parameter through the variable dwServiceType. Using this loose access permission macro causes a vulnerability in the code that could result in attackers compromising the security of the software. The issue should be reviewed and SERVICE_INTERACTIVE_PROCESS replaced with a safer macro or code that ensures lower privilege use.
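The following is an added example, not code from the Klocwork documentation or from Microsoft: a fixed version of the wrapper above that refuses a service type carrying SERVICE_INTERACTIVE_PROCESS instead of passing it through, plus a helper that strips the bit from a service type value read from elsewhere (for example the Type DWORD stored under HKLM\SYSTEM\CurrentControlSet\Services). The function name CreateNonInteractiveService and the decision to substitute NT AUTHORITY\LocalService when the caller passes a NULL account (which CreateService otherwise treats as LocalSystem) are this example's own choices. The constants under the non-Windows branch are copied from the Windows SDK headers so that the portable helpers build on any host; only the CreateService call itself requires windows.h.

```c
#ifdef _WIN32
#include <windows.h>
#else
/* Values from the Windows SDK (winnt.h / winsvc.h), reproduced here so the
 * portable helpers compile on non-Windows hosts as well. */
typedef unsigned long DWORD;
#define SERVICE_WIN32_OWN_PROCESS   0x00000010
#define SERVICE_WIN32_SHARE_PROCESS 0x00000020
#define SERVICE_INTERACTIVE_PROCESS 0x00000100
#endif

/* Nonzero if this service type would let the service interact with the desktop. */
int service_type_is_interactive(DWORD dwServiceType)
{
    return (dwServiceType & SERVICE_INTERACTIVE_PROCESS) != 0;
}

/* Removes SERVICE_INTERACTIVE_PROCESS from a service type. A value that
 * consisted of nothing but the interactive bit (as in the flagged example)
 * becomes SERVICE_WIN32_OWN_PROCESS, the usual type for a standalone service. */
DWORD harden_service_type(DWORD dwServiceType)
{
    DWORD hardened = dwServiceType & ~(DWORD)SERVICE_INTERACTIVE_PROCESS;
    if (hardened == 0)
        hardened = SERVICE_WIN32_OWN_PROCESS;
    return hardened;
}

#ifdef _WIN32
/* Hypothetical replacement for the page's wrapper. It fails closed when the
 * caller asks for an interactive service, and it registers the service under
 * the low-privilege LocalService account unless the caller names an account. */
SC_HANDLE CreateNonInteractiveService(SC_HANDLE hSCManager, LPCTSTR lpServiceName,
    LPCTSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType,
    DWORD dwStartType, DWORD dwErrorControl, LPCTSTR lpBinaryPathName,
    LPCTSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCTSTR lpDependencies,
    LPCTSTR lpServiceStartName, LPCTSTR lpPassword)
{
    if (service_type_is_interactive(dwServiceType)) {
        /* Refuse rather than silently strip: the caller's intent is wrong. */
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    if (lpServiceStartName == NULL) {
        /* NULL means LocalSystem; prefer the least-privileged built-in account.
         * Built-in accounts take no password. */
        lpServiceStartName = TEXT("NT AUTHORITY\\LocalService");
        lpPassword = NULL;
    }
    return CreateService(hSCManager, lpServiceName, lpDisplayName, dwDesiredAccess,
                         dwServiceType, dwStartType, dwErrorControl,
                         lpBinaryPathName, lpLoadOrderGroup, lpdwTagId,
                         lpDependencies, lpServiceStartName, lpPassword);
}
#endif
```

To check an installed service for the same flag without reading code, `sc qc <ServiceName>` prints the configured TYPE; a value such as 110 (WIN32_OWN_PROCESS with the 0x100 interactive bit set) is the condition this checker flags at the source level, and harden_service_type shows which value the Type should be changed to.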
Related checkers
External guidance
- CWE-284: Access Control (Authorization) Issues
- STIG-ID:APP3450.1 Access Control
- STIG-ID:APP3480.1 Role-Based Access
- STIG-ID:APP3480.2 Role-Based Access
- STIG-ID:APP3500 Excessive Privileges
- STIG-ID:APP3630.4 Application vulnerable to race conditions
- Microsoft library: Registry security and access rights
Security training
Application security training materials provided by Secure Code Warrior.