CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in touch

Get our research, blog and event invitations before everybody else!

Your data will stay confidential Private and Confidential

Incorrect Default Permissions [CWE-276]

This weakness describes a case where software sets insecure permissions to objects on a system.

Created: October 31, 2012
Latest Update: August 6, 2015

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Exploitation Examples
  6. Severity and CVSS Scoring
  7. Mitigations
  8. References
  9. Latest Related Security Advisories

1. Description

This weakness describes a case where software sets unintended permissions to directories, files or other objects during installation process. As a result, a malicious user might be able to bypass intended security restrictions.

Most modern operating systems support access control lists (ACL) that are used to distinguish access rights for different users and groups. In modern operating systems a principal (e.g. process or threat acting on behalf of a user) acts upon objects. Access to these objects (e.g. files, directories, registry keys, etc.) is crucial for security mechanisms implemented in different operating systems and can influence system behavior depending on permissions imposed upon key components of the operating system.

1.1 Linux- / UNIX-based systems

General permissions
Access permissions in Linux and UNIX-like systems are based on three user classes (user, group, and others) and three access modes (read, write, and execute).

Ownership rights for each directory and file are set by the chown(1) and chgrp(1) commands and are based on user and group identifiers.

The following table demonstrates differences between access modes for directories and files:

DirectoryAllows to view directory contents (e.g. with "ls" command)Allows to delete and add new filesAllows to access files in the directory
FileAllows to view the fileAllows to write to the fileAllow to execute the file

Setuid/setgid bit
Setuid and setgid bits are access flags used to run applications with permissions of the executable's owner or group respectively. Setuid/setgid bits are usually set for applications that need elevated privileges on the system, e.g. the ping command must send and listen for control packets on a network interface and thus needs elevated privileges, since regular user is not allowed to do so.

In our case the /bin/ping executable is owned by root. This means that having write-access to this executable might allow execution of arbitrary code on the system with root privileges. That's why it is very important to keep track of these files.

1.2 Windows-based systems

Support of access control lists starts with the NT family of Microsoft products and its NTFS file system. Before that only file attributes were used to distinguish access rights. All modern versions of Windows implement access control lists for directories, files, and registry keys. Proper system security depends on correct access rights.

Windows-based operating systems are equipped with graphical user interface (GUI) and command line utility to manage access rights. The GUI is accessible via Windows Explorer:

GUI to manage access rights is accessible via Windows Explorer

The "icacls" command line utility and its previous versions, such as "cacls" or "xcacls", can also be used to view and modify access rights for users and groups. The following command displays permissions for the "C:\" drive:
C:\Users\Administrator>icacls C:
C: PC01\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

Access rights to registry keys are managed by the regedit.exe utility. Since Windows-based operating systems depend on system registry, having insecure permissions on keys and hives might weaken system security and allow an attacker to gain unauthorized control over the system.

2. Potential impact

Usually this weakness is locally exploitable. A malicious user might be able to gain access to sensitive information, tamper with sensitive data or compromise the vulnerable system entirely. If a setuid/setgid executable has world writable permissions any local user can inject malicious content into it and execute arbitrary code with privileges of the file's owner.

Basically, any application writable by an unintended actor poses a threat to system security and might be used to elevate privileges on the system, e.g. if such application was modified by a malicious and unprivileged user before being executed by a privileged one.

3. Attack patterns

The following CAPEC patterns correspond to this weakness:

Incorrect permissions vulnerability is described in WASC Threat Classification as a weakness under WASC-17 (Improper Filesystem Permissions).

4. Affected software

Software that changes access rights to objects during installation is potentially vulnerable to this weakness.

5. Exploitation Examples

We will use the HTB23123 security advisory (CVE-2012-5697) as an example of this weakness. The vulnerability is introduced by the "btinstall" installation script that sets world-writable permissions for all files within the "/frameworkgui/" directory.

Let's login into the system under unprivileged guest account. To view files permissions we will execute the "ls –la" command, as demonstrated on the image below:

HTB23123 advisory (CVE-2012-5697) CWE-276 PoC exploitation example

Now we will try to read the "config" file and then modify the script:

HTB23123 advisory (CVE-2012-5697) CWE-276 PoC exploitation example

As a result of this vulnerability any local user has full access to files within the "/frameworkgui/" directory.

6. Severity and CVSS Scoring

Insecure default permissions are usually applied to locally installed applications, that's why the primary access vector is local system.

Information disclosure

In case of potential information disclosure (e.g. software configuration, credentials, etc.) this weakness should be scored as:
2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N) - Low severity.

Data tampering

This weakness could be used to tamper with potentially sensitive information such as log files. If data can be modified or deleted, it should be scored as:
3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P) - Low severity.

System access

If an attacker can modify a setuid binary or any other file that can be executed by another user or service on the system, privilege escalation is possible. In this case this weakness should be scored as:
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) - High severity.

We use CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance to FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, sometimes they may differ from those ones that are recommended by FIRST.

7. Mitigations

Handling access rights is tricky, especially when software vendors are not doing it properly.

Linux- / UNIX-based systems
  • Manage carefully user and group ownership for files and folders. Never let unintended groups access restricted information. Use /bin/ls command to view effective permissions for directories and files. Use chown and chgrp commands to set appropriate ownership rights.

  • Avoid 777 permissions on files and folders, unless absolutely necessary, that all local users have read, write, and execute permissions to these files. Use chmod command to set appropriate permissions.

  • Keep track of setuid / setgit executables.
    The following command lists all setuid and setgid files on the system:
    # find / -type f -perm /6000
    To list all setuid and setgid files that are world writable execute the following command:
    # find . -type f -perm /6000 -a -perm -0002
    If the above command lists files, this means a great threat for system security. It is recommended to change permissions for the listed files and perform full system audit. The system might be already compromised.

Windows-based systems
  • Keep track of permissions installed by software for directories, files, and registry keys during installation.

  • Never let applications set world writable permissions to executable files, especially within the system PATH environment variable or any other default search path, e.g. Windows, Windows/system32 directories, etc.

  • Keep track of permissions for registry keys that are used to automatically launch applications during system startup, e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, etc.

8. References

  1. CWE-276: Incorrect Default Permissions []
  2. Understanding Windows File And Registry Permissions []
  3. File Access Permissions []
  4. Configuring Unix / Linux File and Directory Access Rights []
  5. Filesystem permissions []
  6. Linux Files and File Permission []

9. Latest HTB Security Advisories with CWE-276

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.

↑ Back to Top
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email