CWE-427 对搜索路径元素未加控制

Uncontrolled Search Path Element

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

扩展描述

Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory.

In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:

In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used.

In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 668 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 668 cwe_View_ID: 1003 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Operating_System: {'cwe_Class': 'OS-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Availability'] Execute Unauthorized Code or Commands

可能的缓解方案

['Architecture and Design', 'Implementation']

策略: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Implementation

策略: Attack Surface Reduction

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Implementation

策略: Attack Surface Reduction

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Implementation

策略:

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a blacklist approach, it might not be a complete solution.

Implementation

策略:

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

示例代码

The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges.

bad Java

...
System.Runtime.getRuntime().exec("make");
...

The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system.

分析过的案例

标识 说明 链接
CVE-2010-3402 "DLL hijacking" issue in document editor. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3402
CVE-2010-3397 "DLL hijacking" issue in encryption software. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3397
CVE-2010-3138 "DLL hijacking" issue in library used by multiple media players. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3138
CVE-2010-3152 "DLL hijacking" issue in illustration program. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3152
CVE-2010-3147 "DLL hijacking" issue in address book. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3147
CVE-2010-3135 "DLL hijacking" issue in network monitoring software. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3135
CVE-2010-3131 "DLL hijacking" issue in web browser. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3131
CVE-2010-1795 "DLL hijacking" issue in music player/organizer. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1795
CVE-2002-1576 Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1576
CVE-1999-1461 Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1461
CVE-1999-1318 Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1318
CVE-2003-0579 Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0579
CVE-2000-0854 When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0854
CVE-2001-0943 Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0943
CVE-2001-0942 Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0942
CVE-2001-0507 Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0507
CVE-2002-2017 Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2017
CVE-1999-0690 Product includes the current directory in root's PATH variable. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0690
CVE-2001-0912 Error during packaging causes product to include a hard-coded, non-standard directory in search path. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0912
CVE-2001-0289 Product searches current working directory for configuration file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0289
CVE-2005-1705 Product searches current working directory for configuration file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1705
CVE-2005-1307 Product executable other program from current working directory. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1307
CVE-2002-2040 Untrusted path. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2040
CVE-2005-2072 Modification of trusted environment variable leads to untrusted path vulnerability. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2072
CVE-2005-1632 Product searches /tmp for modules before other paths. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1632

Notes

Relationship Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control). Maintenance This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Uncontrolled Search Path Element

相关攻击模式

  • CAPEC-38
  • CAPEC-471

引用