logo

Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Draft Base
Structure: Simple
Description

This vulnerability occurs when a parent process launches a child process without first closing sensitive file descriptors. The child process inherits these open handles, potentially gaining unauthorized access to files, sockets, or other resources it shouldn't be able to interact with.

Extended Description

When a system creates a child process through forking or execution, that new process automatically receives copies of all file descriptors currently open in its parent. This inherited access persists even if the child process runs with lower system privileges than its parent. The core risk emerges because the child can perform read or write operations through these inherited descriptors, bypassing normal permission checks that would block direct access to the underlying files or network connections. To prevent this, developers must proactively close sensitive file descriptors before spawning child processes, especially when dropping privileges or executing less-trusted code. This is a common oversight in privilege-separation architectures and can lead to information leaks, data corruption, or escalation of privilege, as the child process operates with unintended access rights handed down from its parent.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Application DataModify Application Data
Observed Examples 8
CVE-2003-0740Server leaks a privileged file descriptor, allowing the server to be hijacked.
CVE-2004-1033File descriptor leak allows read of restricted files.
CVE-2000-0094Access to restricted resource using modified file descriptor for stderr.
CVE-2002-0638Open file descriptor used as alternate channel in complex race condition.
CVE-2003-0489Program does not fully drop privileges after creating a file descriptor, which allows access to the descriptor via a separate vulnerability.
CVE-2003-0937User bypasses restrictions by obtaining a file descriptor then calling setuid program, which does not close the descriptor.
CVE-2004-2215Terminal manager does not properly close file descriptors, allowing attackers to access terminals of other users.
CVE-2006-5397Module opens a file for reading twice, allowing attackers to read files.
References 2
File descriptors and setuid applications
Paul Roberts
05-02-2007
https://blogs.oracle.com/paulr/entry/file_descriptors_and_setuid_applications
ID: REF-392
Introduction to Secure Coding Guide
Apple
https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html(2023-04-07)
ID: REF-393
Applicable Platforms
Languages:
C : UndeterminedNot Language-Specific : Undetermined
Modes of Introduction
Implementation
Alternate Terms

File descriptor leak

While this issue is frequently called a file descriptor leak, the "leak" term is often used in two different ways - exposure of a resource, or consumption of a resource. Use of this term could cause confusion.
Functional Areas
  1. Program Invocation
Affected Resources
  1. System Process
  2. File or Directory
Related Weaknesses
ChildOf: Transmission of Private Resources into a New Sphere ('Resource Leak') (CWE-402)
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • Software Fault Patterns