Setting a DACL to NULL in a SECURITY_DESCRIPTOR¶

ID: cpp/unsafe-dacl-security-descriptor Kind: problem Security severity: 7.8 Severity: error Precision: high Tags: - security - external/cwe/cwe-732 Query suites: - cpp-code-scanning.qls - cpp-security-extended.qls - cpp-security-and-quality.qls 

Click to see the query in the CodeQL repository

This query indicates that a call is setting the DACL field in a SECURITY_DESCRIPTOR to null.

When using SetSecurityDescriptorDacl to set a discretionary access control (DACL), setting the bDaclPresent argument to TRUE indicates the presence of a DACL in the security description in the argument pDacl.

When the pDacl parameter does not point to a DACL (i.e. it is NULL) and the bDaclPresent flag is TRUE, a NULLDACL is specified.

A NULLDACL grants full access to any user who requests it; normal security checking is not performed with respect to the object.

Recommendation¶

You should not use a NULLDACL with an object because any user can change the DACL and owner of the security descriptor.

Example¶

In the following example, the call to SetSecurityDescriptorDacl is setting an unsafe DACL (NULLDACL) to the security descriptor.

SECURITY_DESCRIPTORpSD;SECURITY_ATTRIBUTESSA;if(!InitializeSecurityDescriptor(&pSD,SECURITY_DESCRIPTOR_REVISION)){// error handling}if(!SetSecurityDescriptorDacl(&pSD,TRUE,// bDaclPresent - this value indicates the presence of a DACL in the security descriptorNULL,// pDacl - the pDacl parameter does not point to a DACL. All access will be allowedFALSE)){// error handling}

To fix this issue, pDacl argument should be a pointer to an ACL structure that specifies the DACL for the security descriptor.

References¶

SetSecurityDescriptorDacl function (Microsoft documentation).
Common Weakness Enumeration: CWE-732.

© GitHub, Inc.
Terms
Privacy