Difference between revisions of "Relative path library search"

From OWASP

Revision as of 08:55, 30 September 2008


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 09/30/2008



Description

Certain functions perform automatic path searching, and the method and results of that search may not be what the caller expects. For example, WinExec uses the space character as a delimiter, so a search for "C:\Program Files\Foo\Bar.exe" accepts "C:\Program.exe" as a result.

Consequences

  • Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program.

Exposure period

  • Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

  • Languages: Any
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

If a malicious individual has access to the file system, it is possible to elevate privileges by inserting a file such as "C:\Program.exe", which is then run by a privileged program making use of WinExec.


Risk Factors

TBD

Examples

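In C/C++:

/* Vulnerable: the path contains a space and is not quoted, so WinExec
   may run "C:\Program.exe" instead of the intended program. */
UINT errCode = WinExec(
  "C:\\Program Files\\Foo\\Bar",
  SW_SHOW
);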
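
An added example, not part of the original page: a small portable C model of the search described above, listing in order every file an unquoted command line can resolve to so that each unintended location can be audited. It assumes the rule Windows documents for `CreateProcess` with an unquoted command line (each space-delimited prefix is tried, with `.exe` appended when no extension is present), which goes beyond the single `WinExec` case on this page; `launch_candidates`, `CAND_MAX` and `CAND_LEN` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define CAND_MAX 8
#define CAND_LEN 260   /* MAX_PATH on Windows */

/* Simplified model (assumption: the documented rule for an unquoted
 * command line): every space-delimited prefix is tried in order as the
 * executable name, with ".exe" appended when the last path component
 * has no extension. Returns the number of candidates written to out;
 * 0 means the executable name is quoted and therefore unambiguous. */
int launch_candidates(const char *cmd, char out[][CAND_LEN], int max)
{
    int n = 0;
    size_t len = strlen(cmd);

    if (len == 0 || cmd[0] == '"')
        return 0;
    for (size_t i = 1; i <= len && n < max; i++) {
        if (i < len && cmd[i] != ' ')
            continue;   /* a prefix ends at a space or at the end */
        if (cmd[i - 1] == ' ' || i + 5 > CAND_LEN)
            continue;   /* skip repeated spaces and over-long prefixes */
        memcpy(out[n], cmd, i);
        out[n][i] = '\0';
        const char *slash = strrchr(out[n], '\\');
        if (strchr(slash ? slash + 1 : out[n], '.') == NULL)
            strcat(out[n], ".exe");
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the path from the example above. */
    char c[CAND_MAX][CAND_LEN];
    int n = launch_candidates("C:\\Program Files\\Foo\\Bar", c, CAND_MAX);

    for (int i = 0; i < n; i++)
        printf("%s%s\n", c[i], i < n - 1 ? "   <- unintended, audit this location" : "");
    return 0;
}
```

A result greater than 1 means the call depends on files outside the intended directory not existing; a quoted or space-free path yields 0 or 1.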

Related Attacks


Related Vulnerabilities

Related Controls

  • Implementation: Use other functions which require explicit paths. Making use of any of the other readily available functions which require explicit paths is a safe way to avoid this problem.


Related Technical Impacts


References

TBD