CWE-276: Incorrect Default Permissions
Learn about CWE-276 (Incorrect Default Permissions), its security impact, exploitation methods, and prevention guidelines.
What is Incorrect Default Permissions?
• Overview: Incorrect Default Permissions (CWE-276) refers to a security vulnerability where files or directories are installed with permissions that allow unauthorized users to modify them. This typically happens when software is installed with overly permissive settings, allowing more access than necessary.
• Exploitation Methods:
- Attackers can exploit this vulnerability by modifying files or directories to inject malicious code or overwrite existing data.
- Common attack patterns include privilege escalation, data tampering, and introducing backdoors into the software.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized code execution, data corruption, and system compromise.
- Potential cascading effects include spreading malware, disrupting services, and unauthorized access to sensitive information.
- Business impact can involve financial loss, reputational damage, regulatory penalties, and loss of customer trust.
• Prevention Guidelines:
- Specific code-level fixes involve setting file and directory permissions to the least privilege necessary during installation.
- Security best practices include performing regular permission audits and applying the principle of least privilege.
- Recommended tools and frameworks include security configuration management tools, automated deployment scripts that enforce secure permissions, and continuous integration/continuous deployment (CI/CD) pipelines with security checks.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not Technology-Specific, ICS/OT
Vulnerable Code Example
const fs = require('fs');
// Vulnerable code: creating a file with overly permissive permissions
fs.writeFileSync('important.txt', 'important data', { mode: 0o777 });
Explanation: In this example, the file important.txt is created with permissions 0o777. This setting allows any user on the system to read, write, and execute the file (unless the process umask clears some of those bits). Such permissive permissions can result in unauthorized access or modifications, as any user can alter the file content or execute it if it is a script, potentially leading to security breaches.
How to fix Incorrect Default Permissions?
To address this issue in JavaScript, files should be created with more restrictive permissions. The principle of least privilege dictates that only necessary permissions should be granted. Typically, only the file owner should have read and write permissions, which can be achieved using 0o600. This ensures that only the process owner can modify or read the file, reducing the risk of unauthorized access.
Fixed Code Example
const fs = require('fs');
// Fixed code: creating a file with restrictive permissions
fs.writeFileSync('important.txt', 'important data', { mode: 0o600 });
Explanation: In the corrected code, fs.writeFileSync('important.txt', 'important data', { mode: 0o600 }) sets the file permissions so that only the owner can read and write to the file. This change prevents unauthorized users from accessing or modifying the file, thereby enhancing its security. By adhering to the principle of least privilege, the file is protected from potential misuse. Note that Node.js applies the mode option only when the file is newly created; if important.txt already exists, it keeps whatever permissions it had.
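The fixed code above relies on the file not existing yet. The following added example (not code from the original page) enforces the mode on a pre-existing file as well and audits a directory for group- or world-writable entries. The names writePrivateFile, findLoosePermissions and demo are hypothetical, and a POSIX file system is assumed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Write `data` so the file ends up with exactly `mode`, new or pre-existing.
function writePrivateFile(file, data, mode = 0o600) {
  const fd = fs.openSync(file, 'w', mode); // mode honoured only on creation, minus umask
  try {
    fs.fchmodSync(fd, mode);               // tighten an existing file before any data lands
    fs.writeFileSync(fd, data);
  } finally {
    fs.closeSync(fd);
  }
}

// Permission audit: list entries under `dir` that group or others can write to.
function findLoosePermissions(dir) {
  const loose = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, entry.name);
    const st = fs.lstatSync(p);
    if (st.isSymbolicLink()) continue;     // link mode bits are not meaningful
    if (st.mode & 0o022) loose.push({ path: p, mode: (st.mode & 0o777).toString(8) });
    if (st.isDirectory()) loose.push(...findLoosePermissions(p));
  }
  return loose;
}

// Constructed scenario: important.txt was left behind with mode 0o666.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'cwe276-'));
  const file = path.join(dir, 'important.txt');
  fs.writeFileSync(file, 'old data');
  fs.chmodSync(file, 0o666);               // simulate an earlier loose install
  fs.writeFileSync(file, 'important data', { mode: 0o600 }); // the page's fix
  const afterModeOption = fs.statSync(file).mode & 0o777;    // unchanged: still 0o666
  const flagged = findLoosePermissions(dir).map((e) => e.mode);
  writePrivateFile(file, 'important data');
  const afterHardened = fs.statSync(file).mode & 0o777;
  const clean = findLoosePermissions(dir).length === 0;
  fs.rmSync(dir, { recursive: true, force: true });
  return { afterModeOption, flagged, afterHardened, clean };
}

console.log(demo());
```

Running findLoosePermissions over an install directory as a post-deployment or CI step gives the regular permission audit that the prevention guidelines call for.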