Setting a DACL to NULL in a SECURITY_DESCRIPTOR¶
ID: cpp/unsafe-dacl-security-descriptor
Kind: problem
Security severity: 7.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-732
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
This query indicates that a call is setting the DACL field in a SECURITY_DESCRIPTOR to null.
When using SetSecurityDescriptorDacl to set a discretionary access control (DACL), setting the bDaclPresent argument to TRUE indicates the presence of a DACL in the security description in the argument pDacl.
When the pDacl parameter does not point to a DACL (i.e. it is NULL) and the bDaclPresent flag is TRUE, a NULL DACL is specified.
A NULL DACL grants full access to any user who requests it; normal security checking is not performed with respect to the object.
Recommendation¶
You should not use a NULL DACL with an object because any user can change the DACL and owner of the security descriptor.
Example¶
In the following example, the call to SetSecurityDescriptorDacl is setting an unsafe DACL (NULL DACL) to the security descriptor.
SECURITY_DESCRIPTOR pSD;
SECURITY_ATTRIBUTES SA;
if (!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
{
// error handling
}
if (!SetSecurityDescriptorDacl(&pSD,
TRUE, // bDaclPresent - this value indicates the presence of a DACL in the security descriptor
NULL, // pDacl - the pDacl parameter does not point to a DACL. All access will be allowed
FALSE))
{
// error handling
}
To fix this issue, pDacl argument should be a pointer to an ACL structure that specifies the DACL for the security descriptor.
References¶
SetSecurityDescriptorDacl function (Microsoft documentation).
Common Weakness Enumeration: CWE-732.