Null ACL when calling SetSecurityDescriptorDacl may allow all access to objects
Description
When `SetSecurityDescriptorDacl` is called with a null `pDacl` parameter while the `bDaclPresent` flag is `TRUE`, the security descriptor carries a null DACL, which grants all access to the object to every caller. An attacker could then rewrite the object's DACL to Deny all, locking out even the Administrator user(s). Either call `SetSecurityDescriptorDacl` with `bDaclPresent` as `FALSE`, or supply a valid non-null `pDacl` parameter value.
Examples
Insecure Code
```c
/* sd is a SECURITY_DESCRIPTOR already set up with InitializeSecurityDescriptor.
 * bDaclPresent is TRUE but pDacl is NULL: the descriptor gets a null DACL,
 * so every caller receives full access to the object. */
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
```
Secure Code
```c
/* Option 1: attach a DACL the caller has built (for example with
 * InitializeAcl and AddAccessAllowedAce) and mark it as present. */
SetSecurityDescriptorDacl(&sd, TRUE, validDacl, FALSE);

/* Option 2: mark no DACL as present; pDacl is ignored in this case. */
SetSecurityDescriptorDacl(&sd, FALSE, NULL, FALSE);
```
Remediation
Call `SetSecurityDescriptorDacl` with `bDaclPresent` as `FALSE` or supply a valid non-null `pDacl` parameter value.
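The misuse above is visible in the security descriptor it produces: the `SE_DACL_PRESENT` control bit is set while the DACL offset is zero. The following portable C example, added here and not part of the rule page, parses a self-relative security descriptor (the layout documented in MS-DTYP section 2.4.6, the same form returned by `MakeSelfRelativeSD` or read back from storage) and classifies its DACL as absent, null, empty, or populated. It distinguishes the null DACL that this rule flags (everyone gets full access) from the opposite failure, an empty DACL (nobody gets access), which the rule's two remediation options respectively map to absent and populated. The sample descriptor blobs are constructed by hand for the example; the function names `classify_dacl` and `dacl_state_name` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Control flags from the SECURITY_DESCRIPTOR header (MS-DTYP 2.4.6). */
#define SE_DACL_PRESENT   0x0004u
#define SE_SELF_RELATIVE  0x8000u

/* Fixed header sizes: Revision, Sbz1, Control, OffsetOwner, OffsetGroup,
 * OffsetSacl, OffsetDacl for the descriptor; AclRevision, Sbz1, AclSize,
 * AceCount, Sbz2 for the ACL (MS-DTYP 2.4.5). */
#define SD_HEADER_LEN   20u
#define ACL_HEADER_LEN   8u

enum dacl_state {
    DACL_MALFORMED = -1, /* blob too short or offsets out of bounds */
    DACL_ABSENT    = 0,  /* SE_DACL_PRESENT clear: bDaclPresent was FALSE */
    DACL_NULL      = 1,  /* SE_DACL_PRESENT set, offset 0: everyone gets full access (this rule) */
    DACL_EMPTY     = 2,  /* DACL present with zero ACEs: nobody gets access */
    DACL_POPULATED = 3   /* DACL present with one or more ACEs */
};

/* Little-endian field readers; the descriptor is always stored little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the DACL of a self-relative security descriptor of len bytes.
 * ace_count_out, if non-NULL, receives the AceCount when a DACL is present. */
enum dacl_state classify_dacl(const uint8_t *sd, size_t len, uint16_t *ace_count_out)
{
    if (sd == NULL || len < SD_HEADER_LEN || sd[0] != 1)   /* Revision must be 1 */
        return DACL_MALFORMED;
    uint16_t control = rd16(sd + 2);
    if (!(control & SE_SELF_RELATIVE))
        return DACL_MALFORMED;  /* absolute descriptors hold pointers, not offsets */
    if (!(control & SE_DACL_PRESENT))
        return DACL_ABSENT;
    uint32_t dacl_off = rd32(sd + 16);
    if (dacl_off == 0)
        return DACL_NULL;       /* the state SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE) produces */
    if (dacl_off > len || len - dacl_off < ACL_HEADER_LEN)
        return DACL_MALFORMED;
    uint16_t acl_size  = rd16(sd + dacl_off + 2);
    uint16_t ace_count = rd16(sd + dacl_off + 4);
    if (acl_size < ACL_HEADER_LEN || acl_size > len - dacl_off)
        return DACL_MALFORMED;
    if (ace_count_out)
        *ace_count_out = ace_count;
    return ace_count == 0 ? DACL_EMPTY : DACL_POPULATED;
}

const char *dacl_state_name(enum dacl_state s)
{
    switch (s) {
    case DACL_ABSENT:    return "absent (default DACL will apply)";
    case DACL_NULL:      return "NULL DACL: all access to everyone";
    case DACL_EMPTY:     return "empty DACL: no access to anyone";
    case DACL_POPULATED: return "populated DACL";
    default:             return "malformed descriptor";
    }
}

/* Constructed sample descriptors (Revision 1, Control little-endian, no owner/group/SACL). */
static const uint8_t SD_NULL_DACL[20] = { 0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
static const uint8_t SD_NO_DACL[20]   = { 0x01,0x00, 0x00,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
/* DACL at offset 20 holding an ACL header with AclSize 8 and AceCount 0. */
static const uint8_t SD_EMPTY_DACL[28] = { 0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,
                                           0x02,0x00, 0x08,0x00, 0x00,0x00, 0x00,0x00 };
/* DACL at offset 20 with one ACCESS_ALLOWED_ACE granting GENERIC_READ to Everyone (S-1-1-0). */
static const uint8_t SD_ONE_ACE[48] = { 0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,
                                        0x02,0x00, 0x1C,0x00, 0x01,0x00, 0x00,0x00,       /* ACL header */
                                        0x00,0x00, 0x14,0x00, 0x00,0x00,0x00,0x80,        /* ACE header + mask */
                                        0x01,0x01, 0,0,0,0,0,0x01, 0,0,0,0 };             /* SID S-1-1-0 */

int main(void)
{
    uint16_t n = 0;
    printf("null  : %s\n", dacl_state_name(classify_dacl(SD_NULL_DACL, sizeof SD_NULL_DACL, NULL)));
    printf("none  : %s\n", dacl_state_name(classify_dacl(SD_NO_DACL, sizeof SD_NO_DACL, NULL)));
    printf("empty : %s\n", dacl_state_name(classify_dacl(SD_EMPTY_DACL, sizeof SD_EMPTY_DACL, NULL)));
    printf("one   : %s (%u ACE)\n", dacl_state_name(classify_dacl(SD_ONE_ACE, sizeof SD_ONE_ACE, &n)), n);
    return 0;
}
```

Feeding the check a descriptor obtained with `GetSecurityInfo` or `GetFileSecurity` before an object is exposed to other principals turns this rule's static finding into a runtime guard; a `DACL_NULL` result means the call site set `bDaclPresent` to `TRUE` without a DACL.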
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0598 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-732 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | Access Control, Windows API |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |