logo

Incorrect Use of Privileged APIs

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes to gain unauthorized access, elevate their privileges, or steal sensitive data.

Extended Description

Functions that require elevated privileges (privileged APIs) demand careful handling. As a developer, you must validate all arguments, understand the API's internal security assumptions, and only call it from a secure, controlled context. Failing to meet the API's specific requirements creates an opening for attackers to hijack the process or its permissions. Privileged functions often maintain their high-level access after execution or make critical assumptions about the data you provide. You must thoroughly review the API's behavior—knowing when and how to call it—to ensure its power cannot be misdirected. Always account for known weaknesses in the API's own design to prevent your correct usage from being bypassed.
Common Consequences 3
Scope: Access Control

Impact: Gain Privileges or Assume Identity

An attacker may be able to elevate privileges.

Scope: Confidentiality

Impact: Read Application Data

An attacker may be able to obtain sensitive information.

Scope: IntegrityConfidentialityAvailability

Impact: Execute Unauthorized Code or Commands

An attacker may be able to execute code.
Potential Mitigations 6
Phase: Implementation
Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.
Phase: Architecture and Design
Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.
Phase: Implementation
If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call.
Phase: Implementation
If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes.
Phase: Implementation
Only call privileged APIs from safe, consistent and expected state.
Phase: Implementation
Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges).
Observed Examples 1
CVE-2003-0645A Unix utility that displays online help files, if installed setuid, could allow a local attacker to gain privileges when a particular file-opening function is called.
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Privilege Management (CWE-269)