SV.SIP.CONST

Use of insecure macro for dangerous function

There are several Microsoft Windows functions that can use dangerous macros as parameters, allowing a malicious user to access the registry or run arbitrary command. CreateService may have the parameter set to SERVICE_INTERACTIVE_PROCESS, which can allow a malicious user to interact with the service and run arbitrary commands in a high privilege mode.

The SV.SIP.CONST checker finds instances in which the CreateService function specifies the SERVICE_INTERACTIVE_PROCESS parameter.

Vulnerability and risk

Use of the SERVICE_INTERACTIVE_PROCESS parameter results in inappropriately loose permissions for the access of resources. This practice can compromise the security of the software by allowing attackers to gain privileges, access sensitive information, and possibly execute commands. Resource access should always use the lowest level of privilege required to get the job done.

Mitigation and prevention

These flagged defects should be reviewed, and the identified parameters replaced with safer macros or code that ensures lower privileges are enforced.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
 SC_HANDLE foo(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPCTSTR lpDisplayName,
               DWORD dwDesiredAccess, DWORD dwStartType, DWORD dwErrorControl, 
               LPCTSTR lpBinaryPathName, LPCTSTR lpLoadOrderGroup, LPDWORD lpdwTagId, 
               LPCTSTR lpDependencies, LPCTSTR lpServiceStartName, LPCTSTR lpPassword)
 {
     return CreateService(hSCManager, lpServiceName, lpDisplayName,
                          dwDesiredAccess, SERVICE_INTERACTIVE_PROCESS,
                          dwStartType, dwErrorControl, 
                          lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, 
                          lpDependencies, lpServiceStartName, lpPassword);
 }

The defect is reported at line 6, indicating that function CreateService is using macro SERVICE_INTERACTIVE_PROCESS as its desired access parameter. Using this loose access permission macro causes a vulnerability in the code that could result in attackers compromising the security of the software. The issue should be reviewed and SERVICE_INTERACTIVE_PROCESS replaced with a safer macro or code that ensures lower privilege use.

Related checkers

• SV.BRM.HKEY_LOCAL_MACHINE
• SV.LPP.CONST
• SV.LPP.VAR
• SV.SIP.CONST
• SV.SIP.VAR
• SV.PIPE.CONST
• SV.PIPE.VAR

External guidance

• CWE-284: Access Control (Authorization) Issues
• STIG-ID:APP3450.1 Access Control
• STIG-ID:APP3480.1 Role-Based Access
• STIG-ID:APP3480.2 Role-Based Access
• STIG-ID:APP3500 Excessive Privileges
• STIG-ID:APP3630.4 Application vulnerable to race conditions

Security training

Application security training materials provided by Secure Code Warrior.

• Missing Functional Level Access Control Training Video - Test your skills with a training example