Null ACL in SetSecurityDescriptorDacl may allow all access

ID

c.access_control.incorrect_use_of_setsecuritydescriptordacl

Severity

high

Resource

Access Control

Language

C / C++

Description

When SetSecurityDescriptorDacl is called with a NULL pDacl parameter while the bDaclPresent flag is TRUE, the security descriptor is given a NULL DACL, which allows everyone all access to the object. An attacker who can reach the object can then rewrite its DACL, for example to deny all access, including to Administrators. Either set bDaclPresent to FALSE, or supply a valid, non-NULL pDacl parameter.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

#include <windows.h>

// Compiled as C++ (the true/nullptr variants below need it). Every call
// passes bDaclPresent as TRUE and pDacl as NULL, so each leaves the
// descriptor with a NULL DACL that grants everyone full access.
void test_vulnerable() {
  SECURITY_DESCRIPTOR sd;
  InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);

  // VULNERABLE: Null ACL in SetSecurityDescriptorDacl may allow all access
  SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

  // VULNERABLE: Null ACL in SetSecurityDescriptorDacl may allow all access
  SetSecurityDescriptorDacl(&sd, 1, NULL, FALSE);

  // VULNERABLE: Null ACL in SetSecurityDescriptorDacl may allow all access
  SetSecurityDescriptorDacl(&sd, true, nullptr, FALSE);

  // VULNERABLE: Null ACL in SetSecurityDescriptorDacl may allow all access
  SetSecurityDescriptorDacl(&sd, TRUE, 0, FALSE);

  // VULNERABLE: Null ACL in SetSecurityDescriptorDacl may allow all access
  SetSecurityDescriptorDacl(&sd, 1, 0, FALSE);
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.