Setting a SECURITY_DESCRIPTOR’s DACL to NULL

Closing the gap between Semmle & PreFAST This rule is equivalent to C6248
2026-05-05 05:35:13 +02:00 · 2018-09-20 16:28:37 -07:00
parent 6266d8bf01
commit 48c99fb1d1
7 changed files with 202 additions and 0 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp
@@ -0,0 +1,91 @@
+typedef unsigned long       DWORD;
+typedef unsigned long		ULONG;
+typedef unsigned char       BYTE;
+typedef unsigned short      WORD;
+typedef int                 BOOL;
+typedef void				*PVOID;
+#define TRUE                1
+#define FALSE				0
+#define ERROR_SUCCESS       0L
+#define NULL 				0
+
+typedef PVOID PSECURITY_DESCRIPTOR;
+
+typedef struct _ACL {
+	BYTE  AclRevision;
+	BYTE  Sbz1;
+	WORD   AclSize;
+	WORD   AceCount;
+	WORD   Sbz2;
+} ACL;
+typedef ACL *PACL;
+
+typedef enum _ACCESS_MODE
+{
+	NOT_USED_ACCESS = 0,
+	GRANT_ACCESS,
+	SET_ACCESS,
+	DENY_ACCESS,
+	REVOKE_ACCESS,
+	SET_AUDIT_SUCCESS,
+	SET_AUDIT_FAILURE
+} ACCESS_MODE;
+
+typedef int TRUSTEE_W;
+
+typedef struct _EXPLICIT_ACCESS_W
+{
+	DWORD        grfAccessPermissions;
+	ACCESS_MODE  grfAccessMode;
+	DWORD        grfInheritance;
+	TRUSTEE_W    Trustee;
+} EXPLICIT_ACCESS_W, *PEXPLICIT_ACCESS_W, EXPLICIT_ACCESSW, *PEXPLICIT_ACCESSW;
+
+BOOL
+SetSecurityDescriptorDacl(
+	PSECURITY_DESCRIPTOR pSecurityDescriptor,
+	BOOL bDaclPresent,
+	PACL pDacl,
+	BOOL bDaclDefaulted
+) {
+	return TRUE;
+}
+
+DWORD SetEntriesInAcl(
+	ULONG              cCountOfExplicitEntries,
+	PEXPLICIT_ACCESS_W pListOfExplicitEntries,
+	PACL               OldAcl,
+	PACL               *NewAcl
+)
+{
+	*NewAcl = (PACL)0xFFFFFF;
+	return ERROR_SUCCESS;
+}
+
+void Test()
+{
+	PSECURITY_DESCRIPTOR pSecurityDescriptor;
+	BOOL b;
+	b = SetSecurityDescriptorDacl(pSecurityDescriptor,
+		TRUE,		// Dacl Present
+		NULL,		// NULL pointer to DACL  == BUG
+		FALSE);
+
+	PACL pDacl = NULL;
+	b = SetSecurityDescriptorDacl(pSecurityDescriptor,
+		TRUE,		// Dacl Present
+		pDacl,		// NULL pointer to DACL  == BUG
+		FALSE);
+
+	SetEntriesInAcl(0, NULL, NULL, &pDacl);
+	b = SetSecurityDescriptorDacl(pSecurityDescriptor,
+		TRUE,		// Dacl Present
+		pDacl,		// Should have been set by SetEntriesInAcl ==> should not be flagged
+		FALSE);
+
+	b = SetSecurityDescriptorDacl(pSecurityDescriptor,
+		FALSE,		// Dacl is not Present
+		NULL,		// DACL is going to be removed from security descriptor. Default/inherited access ==> should not be flagged
+		FALSE);
+
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.expected
@@ -0,0 +1,2 @@
+| UnsafeDaclSecurityDescriptor.cpp:69:6:69:30 | call to SetSecurityDescriptorDacl | Setting a SECURITY_DESCRIPTOR\u2019s DACL to NULL will result in an unprotected object. |
+| UnsafeDaclSecurityDescriptor.cpp:75:6:75:30 | call to SetSecurityDescriptorDacl | Setting a SECURITY_DESCRIPTOR\u2019s DACL using variable pDacl that is set to NULL will result in an unprotected object. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql`