CWE-520 .NET误配置:使用伪装

.NET Misconfiguration: Use of Impersonation

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.

扩展描述

.NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 266 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
Access Control Gain Privileges or Assume Identity

可能的缓解方案

Operation

策略:

Run the application with limited privilege to the underlying operating and file system.