Relative path library search

From OWASP
Revision as of 08:56, 30 September 2008 by KirstenS


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 09/30/2008


Description

Certain functions perform automatic path searching, and the method and results of that search may not be what the programmer expects. For example, WinExec uses the space character as a delimiter, so a search for "C:\Program Files\Foo\Bar.exe" will accept "C:\Program.exe" as a result.

Consequences

  • Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program.

Exposure period

  • Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

  • Languages: Any
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

If a malicious individual has access to the file system, it is possible to elevate privileges by inserting a file such as "C:\Program.exe", which will then be run by a privileged program making use of WinExec.


Risk Factors

TBD

Examples

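In C/C++:

/* Vulnerable: the path contains a space and is not quoted, so the
   search may resolve to "C:\Program.exe" instead of the intended file. */
UINT errCode = WinExec(
  "C:\\Program Files\\Foo\\Bar",
  SW_SHOW
);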
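
The following is an added example, not part of the original OWASP page: a portable C model of the space-delimited search described above, which lists every file name such a search could accept for a given command line. The helper names are hypothetical, and appending ".exe" to each candidate is an assumption taken from the page's own "C:\Program.exe" example; it is a model for auditing, not Windows' implementation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CAND_LEN 260  /* MAX_PATH on Windows */
/* Does s[0..n) already end in ".exe" (case-insensitive)? */
static int has_exe_suffix(const char *s, size_t n) {
    static const char ext[] = ".exe";
    if (n < 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)s[n - 4 + i]) != ext[i]) return 0;
    return 1;
}

/* Copy s[0..n) into dst, appending ".exe" if absent (assumption modelled on
   the page's example). Returns 0 when the name is empty or too long. */
static int emit(char *dst, const char *s, size_t n) {
    const char *ext = has_exe_suffix(s, n) ? "" : ".exe";
    if (n == 0 || n + strlen(ext) >= CAND_LEN) return 0;
    memcpy(dst, s, n);
    strcpy(dst + n, ext);
    return 1;
}

/* Hypothetical helper: list, in order, the names a space-delimited search
   could try for cmdline. Returns the number of candidates written. */
int search_candidates(const char *cmdline, char out[][CAND_LEN], int max) {
    int count = 0;
    if (cmdline[0] == '"') {  /* quoted name: exactly one candidate */
        const char *end = strchr(cmdline + 1, '"');
        size_t n = end ? (size_t)(end - cmdline - 1) : strlen(cmdline + 1);
        return (max > 0 && emit(out[0], cmdline + 1, n)) ? 1 : 0;
    }
    size_t len = strlen(cmdline);
    for (size_t i = 1; i <= len && count < max; i++)
        /* each run of spaces, and the end of the string, closes a candidate */
        if ((cmdline[i] == ' ' || cmdline[i] == '\0') && cmdline[i - 1] != ' ')
            if (emit(out[count], cmdline, i)) count++;
    return count;
}

int main(void) {
    char c[8][CAND_LEN];
    /* Constructed input: the unquoted path from the page's example. */
    int n = search_candidates("C:\\Program Files\\Foo\\Bar", c, 8);
    for (int i = 0; i < n; i++)
        printf("%d: %s%s\n", i + 1, c[i], i + 1 < n ? "  <- unintended" : "");
    return 0;
}
```

Every candidate before the last one is a location that must not be creatable by a less privileged user; a quoted command line reduces the list to the single intended file.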

Related Attacks


Related Vulnerabilities

Related Controls

  • Implementation: Use other functions which require explicit paths. Any of the other readily available functions that require an explicit path is a safe way to avoid this problem.


Related Technical Impacts


References

TBD