Merge pull request github#3002 from theopolis/cpp-linux-drop-privileges-outoforder

CPP: Add query for CWE-273 that detects out-of-order setuid

Author: rdmarsh2

cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.c

@@ -0,0 +1,138 @@
+#include <stdlib.h>
+#include <sys/param.h>
+#include <unistd.h>
+#include <pwd.h>
+
+void callSetuidAndCheck(int uid) {
+    if (setuid(uid) != 0) {
+        exit(1);
+    }
+}
+
+void callSetgidAndCheck(int gid) {
+    if (setgid(gid) != 0) {
+        exit(1);
+    }
+}
+
+/// Correct ways to drop priv.
+
+void correctDropPrivInline() {
+    if (setgroups(0, NULL)) {
+        exit(1);
+    }
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+
+    if (setuid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void correctDropPrivInScope() {
+    {
+        if (setgroups(0, NULL)) {
+            exit(1);
+        }
+    }
+
+    {
+        if (setgid(-2) != 0) {
+            exit(1);
+        }
+    }
+
+    {
+        if (setuid(-2) != 0) {
+            exit(1);
+        }
+    }
+}
+
+void correctOrderForInitgroups() {
+    struct passwd *pw = getpwuid(0);
+    if (pw) {
+        if (initgroups(pw->pw_name, -2)) {
+            exit(1);
+        }
+    } else {
+        // Unhandled.
+    }
+    int rc = setuid(-2);
+    if (rc) {
+        exit(1);
+    }
+}
+
+void correctDropPrivInScopeParent() {
+    {
+        callSetgidAndCheck(-2);
+    }
+    correctOrderForInitgroups();
+}
+
+void incorrectNoReturnCodeCheck() {
+    int user = -2;
+    if (user) {
+        if (user) {
+            int rc = setgid(user);
+            (void)rc;
+            initgroups("nobody", user);
+        }
+        if (user) {
+            setuid(user);
+        }
+    }
+}
+
+void correctDropPrivInFunctionCall() {
+    if (setgroups(0, NULL)) {
+        exit(1);
+    }
+
+    callSetgidAndCheck(-2);
+    callSetuidAndCheck(-2);
+}
+
+/// Incorrect, out of order gid and uid.
+/// Calling uid before gid will fail.
+
+void incorrectDropPrivOutOfOrderInline() {
+    if (setuid(-2) != 0) {
+        exit(1);
+    }
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void incorrectDropPrivOutOfOrderInScope() {
+    {
+        if (setuid(-2) != 0) {
+            exit(1);
+        }
+    }
+
+    setgid(-2);
+}
+
+void incorrectDropPrivOutOfOrderWithFunction() {
+    callSetuidAndCheck(-2);
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void incorrectDropPrivOutOfOrderWithFunction2() {
+    callSetuidAndCheck(-2);
+    callSetgidAndCheck(-2);
+}
+
+void incorrectDropPrivNoCheck() {
+    setgid(-2);
+    setuid(-2);
+}

cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code attempts to drop privilege in an incorrect order by
+erroneous dropping user privilege before groups. This has security
+impact if the return codes are not checked.</p>
+
+<p>False positives include code performing negative checks, making
+sure that setgid or setgroups does not work, meaning permissions are
+dropped. Additionally, other forms of sandboxing may be present removing
+any residual risk, for example a dedicated user namespace.</p>
+
+</overview>
+<recommendation>
+
+<p>Set the new group ID, then set the target user's intended groups by
+dropping previous supplemental source groups and initializing target
+groups, and finally set the target user.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates out of order calls.</p>
+<sample src="PrivilegeDroppingOutoforder.c" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful">POS37-C. Ensure that privilege relinquishment is successful</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql

@@ -0,0 +1,101 @@
+/**
+ * @name LinuxPrivilegeDroppingOutoforder
+ * @description A syscall commonly associated with privilege dropping is being called out of order.
+ *                Normally a process drops group ID and sets supplimental groups for the target user
+ *                before setting the target user ID. This can have security impact if the return code
+ *                from these methods is not checked.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id cpp/drop-linux-privileges-outoforder
+ * @tags security
+ *       external/cwe/cwe-273
+ * @precision medium
+ */
+
+import cpp
+
+predicate argumentMayBeRoot(Expr e) {
+  e.getValue() = "0" or
+  e.(VariableAccess).getTarget().getName().toLowerCase().matches("%root%")
+}
+
+class SetuidLikeFunctionCall extends FunctionCall {
+  SetuidLikeFunctionCall() {
+    (getTarget().hasGlobalName("setuid") or getTarget().hasGlobalName("setresuid")) and
+    // setuid/setresuid with the root user are false positives.
+    not argumentMayBeRoot(getArgument(0))
+  }
+}
+
+class SetuidLikeWrapperCall extends FunctionCall {
+  SetuidLikeFunctionCall baseCall;
+
+  SetuidLikeWrapperCall() {
+    this = baseCall
+    or
+    exists(SetuidLikeWrapperCall fc |
+      this.getTarget() = fc.getEnclosingFunction() and
+      baseCall = fc.getBaseCall()
+    )
+  }
+
+  SetuidLikeFunctionCall getBaseCall() { result = baseCall }
+}
+
+class CallBeforeSetuidFunctionCall extends FunctionCall {
+  CallBeforeSetuidFunctionCall() {
+    (
+      getTarget().hasGlobalName("setgid") or
+      getTarget().hasGlobalName("setresgid") or
+      // Compatibility may require skipping initgroups and setgroups return checks.
+      // A stricter best practice is to check the result and errnor for EPERM.
+      getTarget().hasGlobalName("initgroups") or
+      getTarget().hasGlobalName("setgroups")
+    ) and
+    // setgid/setresgid/etc with the root group are false positives.
+    not argumentMayBeRoot(getArgument(0))
+  }
+}
+
+class CallBeforeSetuidWrapperCall extends FunctionCall {
+  CallBeforeSetuidFunctionCall baseCall;
+
+  CallBeforeSetuidWrapperCall() {
+    this = baseCall
+    or
+    exists(CallBeforeSetuidWrapperCall fc |
+      this.getTarget() = fc.getEnclosingFunction() and
+      baseCall = fc.getBaseCall()
+    )
+  }
+
+  CallBeforeSetuidFunctionCall getBaseCall() { result = baseCall }
+}
+
+predicate setuidBeforeSetgid(
+  SetuidLikeWrapperCall setuidWrapper, CallBeforeSetuidWrapperCall setgidWrapper
+) {
+  setgidWrapper.getAPredecessor+() = setuidWrapper
+}
+
+predicate isAccessed(FunctionCall fc) {
+  exists(Variable v | v.getAnAssignedValue() = fc)
+  or
+  exists(Operation c | fc = c.getAChild() | c.isCondition())
+  or
+  // ignore pattern where result is intentionally ignored by a cast to void.
+  fc.hasExplicitConversion()
+}
+
+from Function func, CallBeforeSetuidFunctionCall fc, SetuidLikeFunctionCall setuid
+where
+  setuidBeforeSetgid(setuid, fc) and
+  // Require the call return code to be used in a condition or assigned.
+  // This introduces false negatives where the return is checked but then
+  // errno == EPERM allows execution to continue.
+  not isAccessed(fc) and
+  func = fc.getEnclosingFunction()
+select fc,
+  "This function is called within " + func + ", and potentially after " +
+    "$@, and may not succeed. Be sure to check the return code and errno, otherwise permissions " +
+    "may not be dropped.", setuid, setuid.getTarget().getName()