CPP: Add query for CWE-273 that detects out-of-order setuid

Ted Reed · Ted Reed · commit 8e1a7fef3078 · 2020-03-05T14:21:32.000-05:00
diff --git a/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.c b/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.c
@@ -0,0 +1,138 @@
+#include <stdlib.h>
+#include <sys/param.h>
+#include <unistd.h>
+#include <pwd.h>
+
+void callSetuidAndCheck(int uid) {
+    if (setuid(uid) != 0) {
+        exit(1);
+    }
+}
+
+void callSetgidAndCheck(int gid) {
+    if (setgid(gid) != 0) {
+        exit(1);
+    }
+}
+
+/// Correct ways to drop priv.
+
+void correctDropPrivInline() {
+    if (setgroups(0, NULL)) {
+        exit(1);
+    }
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+
+    if (setuid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void correctDropPrivInScope() {
+    {
+        if (setgroups(0, NULL)) {
+            exit(1);
+        }
+    }
+
+    {
+        if (setgid(-2) != 0) {
+            exit(1);
+        }
+    }
+
+    {
+        if (setuid(-2) != 0) {
+            exit(1);
+        }
+    }
+}
+
+void correctOrderForInitgroups() {
+    struct passwd *pw = getpwuid(0);
+    if (pw) {
+        if (initgroups(pw->pw_name, -2)) {
+            exit(1);
+        }
+    } else {
+        // Unhandled.
+    }
+    int rc = setuid(-2);
+    if (rc) {
+        exit(1);
+    }
+}
+
+void correctDropPrivInScopeParent() {
+    {
+        callSetgidAndCheck(-2);
+    }
+    correctOrderForInitgroups();
+}
+
+void incorrectNoReturnCodeCheck() {
+    int user = -2;
+    if (user) {
+        if (user) {
+            int rc = setgid(user);
+            (void)rc;
+            initgroups("nobody", user);
+        }
+        if (user) {
+            setuid(user);
+        }
+    }
+}
+
+void correctDropPrivInFunctionCall() {
+    if (setgroups(0, NULL)) {
+        exit(1);
+    }
+
+    callSetgidAndCheck(-2);
+    callSetuidAndCheck(-2);
+}
+
+/// Incorrect, out of order gid and uid.
+/// Calling uid before gid will fail.
+
+void incorrectDropPrivOutOfOrderInline() {
+    if (setuid(-2) != 0) {
+        exit(1);
+    }
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void incorrectDropPrivOutOfOrderInScope() {
+    {
+        if (setuid(-2) != 0) {
+            exit(1);
+        }
+    }
+
+    setgid(-2);
+}
+
+void incorrectDropPrivOutOfOrderWithFunction() {
+    callSetuidAndCheck(-2);
+
+    if (setgid(-2) != 0) {
+        exit(1);
+    }
+}
+
+void incorrectDropPrivOutOfOrderWithFunction2() {
+    callSetuidAndCheck(-2);
+    callSetgidAndCheck(-2);
+}
+
+void incorrectDropPrivNoCheck() {
+    setgid(-2);
+    setuid(-2);
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp b/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code attempts to drop privilege in an incorrect order by
+erroneous dropping user privilege before groups. This has security
+impact if the return codes are not checked.</p>
+
+<p>False positives include code performing negative checks, making
+sure that setgid or setgroups does not work, meaning permissions are
+dropped. Additionally, other forms of sandboxing may be present removing
+any residual risk, for example a dedicated user namespace.</p>
+
+</overview>
+<recommendation>
+
+<p>Set the new group ID, then set the target user's intended groups by
+dropping previous supplemental source groups and initializing target
+groups, and finally set the target user.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates out of order calls.</p>
+<sample src="PrivilegeDroppingOutoforder.c" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful">POS37-C. Ensure that privilege relinquishment is successful</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql b/cpp/ql/src/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
@@ -0,0 +1,97 @@
+/**
+ * @name LinuxPrivilegeDroppingOutoforder
+ * @description A syscall commonly associated with privilege dropping is being called out of order.
+                Normally a process drops group ID and sets supplimental groups for the target user
+                before setting the target user ID. This can have security impact if the return code
+                from these methods is not checked.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id cpp/drop-linux-privileges-outoforder
+ * @tags security
+ *       external/cwe/cwe-273
+ * @precision medium
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class SetuidLikeFunctionCall extends FunctionCall {
+  SetuidLikeFunctionCall() {
+    // setuid/setresuid with the root user are false positives.
+    getTarget().hasGlobalName("setuid") or
+    getTarget().hasGlobalName("setresuid")
+  }
+}
+
+class SetuidLikeWrapperCall extends FunctionCall {
+  SetuidLikeFunctionCall baseCall;
+
+  SetuidLikeWrapperCall() {
+    this = baseCall or
+    exists(SetuidLikeWrapperCall fc |
+      this.getTarget() = fc.getEnclosingFunction() and
+      baseCall = fc.getBaseCall()
+    )
+  }
+
+  SetuidLikeFunctionCall getBaseCall() {
+    result = baseCall
+  }
+}
+
+class CallBeforeSetuidFunctionCall extends FunctionCall {
+  CallBeforeSetuidFunctionCall() {
+    // setgid/setresgid with the root group are false positives.
+    getTarget().hasGlobalName("setgid") or
+    getTarget().hasGlobalName("setresgid") or
+    // Compatibility may require skipping initgroups and setgroups return checks.
+    // A stricter best practice is to check the result and errnor for EPERM.
+    getTarget().hasGlobalName("initgroups") or
+    getTarget().hasGlobalName("setgroups")
+  }
+}
+
+class CallBeforeSetuidWrapperCall extends FunctionCall {
+  CallBeforeSetuidFunctionCall baseCall;
+
+  CallBeforeSetuidWrapperCall() {
+    this = baseCall or
+    exists(CallBeforeSetuidWrapperCall fc |
+      this.getTarget() = fc.getEnclosingFunction() and
+      baseCall = fc.getBaseCall()
+    )
+  }
+
+  CallBeforeSetuidFunctionCall getBaseCall() {
+    result = baseCall
+  }
+}
+
+predicate setuidBeforeSetgid(
+    SetuidLikeWrapperCall setuidWrapper,
+    CallBeforeSetuidWrapperCall setgidWrapper) {
+  setgidWrapper.getAPredecessor+() = setuidWrapper
+}
+
+predicate flowsToCondition(Expr fc) {
+  exists(DataFlow::Node source, DataFlow::Node sink |
+    TaintTracking::localTaint(source, sink) and
+    fc = source.asExpr() and
+    (sink.asExpr().getParent*().(ControlFlowNode).isCondition() or sink.asExpr().isCondition())
+  )
+}
+
+from
+  Function func,
+  CallBeforeSetuidFunctionCall fc,
+  SetuidLikeFunctionCall setuid
+where
+  setuidBeforeSetgid(setuid, fc) and
+  // Require the call return code to be used in a condition.
+  // This introduces false negatives where the return is checked but then
+  // errno == EPERM allows execution to continue.
+  (not flowsToCondition(fc) or not flowsToCondition(setuid)) and
+  func = fc.getEnclosingFunction()
+select fc, "This function is called within " + func + ", and potentially after " +
+  "$@, and may not succeed. Be sure to check the return code and errno.",
+  setuid, setuid.getTarget().getName()
