*** Welcome to piglix ***

Confused deputy problem


A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important, as capability systems protect against this, whereas access control list-based systems do not.

In the original example of a confused deputy, there is a program that provides compilation services to other programs. Normally, the client program specifies the name of the input and output files, and the server is given the same access to those files that the client has.

The compiler service is pay-per-use, and the compiler service stores its billing information in a file (dubbed BILL) that only it has access to.

Now suppose a client calls the service and names its output file BILL. The service opens the output file. Even though the client did not have access to that file, the service does, so the open succeeds, and the server writes the compilation output to the file, overwriting it, and thus destroying the billing information.

In this example, the compilation service is the deputy because it is acting at the request of the client. It is confused because it was tricked into overwriting its billing file.

Whenever a program tries to access a file, the operating system needs to know two things: which file the program is asking for, and whether the program has permission to access the file. In the example, the file is designated by its name, “BILL”. The server receives the file name from the client, but does not know whether the client had permission to write the file. When the server opens the file, the system uses the server’s permission, not the client’s. When the file name was passed from the client to the server, the permission did not go along with it; the permission was increased by the system silently and automatically.

It is not essential to the attack that the billing file is designated by a name represented as a string. The essential points are that:

Confidence trick based scams are based on gaining the trust of a victim in order for an attacker to use them as a confused deputy. For example, in Salting, an attacker presents a victim with what appears to be a mineral-rich mine. In this case an attacker is using a victim's greed to persuade them to perform an action that the victim would not normally do.


...
Wikipedia

...