SV.LPP.VAR

Use of insecure parameter in variable for dangerous function

There are several Microsoft Windows functions that can use dangerous macros as parameters, allowing a malicious user to access the registry or run arbitrary commands. RegCreateKeyEx, SHRegCreateUSKey, or RegOpenKeyEx may have their desired-access parameter set to KEY_ALL_ACCESS, which can allow a malicious user to modify attributes in the registry. If the key contains a reference to a DLL, modifying such a reference can permit the running of arbitrary commands.

The SV.LPP.VAR checker finds instances in which the RegCreateKeyEx, SHRegCreateUSKey, or RegOpenKeyEx access parameter is a variable that could be set to KEY_ALL_ACCESS.

Vulnerability and risk

Use of all-access macros results in inappropriately loose permissions for the access of resources. This practice can compromise the security of the software by allowing attackers to gain privileges, access sensitive information, and possibly execute commands. Resource access should always use the lowest level of privilege required to get the job done.

Mitigation and prevention

These flagged defects should be reviewed, and the identified parameters replaced with safer macros or code that ensures lower privileges are enforced.

Vulnerable code example 1

Copy
    LONG foo(LPCTSTR lpSubKey, DWORD ulOptions, PHKEY phkResult) {
        REGSAM samDesired = KEY_ALL_ACCESS;
        return RegOpenKeyEx(HKEY_USERS, lpSubKey, ulOptions, samDesired, phkResult);
    }

Klocwork produces an issue report at line 3, indicating that function RegOpenKeyEx is using macro KEY_ALL_ACCESS as its desired access parameter. Using this loose access permission macro causes a vulnerability in the code that could result in attackers compromising the security of the software. The issue should be reviewed and any variable that could be set to KEY_ALL_ACCESS replaced with a safer macro or code that ensures lower privilege use.

Security training

Application security training materials provided by Secure Code Warrior.