CWE-427 对搜索路径元素未加控制

Uncontrolled Search Path Element

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

扩展描述

Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory.

In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:

In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used.

In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Operating_System: {'cwe_Class': 'OS-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity', 'Availability']	Execute Unauthorized Code or Commands

可能的缓解方案

['Architecture and Design', 'Implementation']

策略: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Implementation

策略: Attack Surface Reduction

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Implementation

策略: Attack Surface Reduction

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Implementation

策略:

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a blacklist approach, it might not be a complete solution.

Implementation

策略:

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

示例代码

例

The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directory. Performing NIS updates requires extra privileges.

bad Java

...
System.Runtime.getRuntime().exec("make");
...

The problem here is that the program does not specify an absolute path for make and does not clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system.

分析过的案例

标识	说明	链接
CVE-2010-3402	"DLL hijacking" issue in document editor.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3402
CVE-2010-3397	"DLL hijacking" issue in encryption software.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3397
CVE-2010-3138	"DLL hijacking" issue in library used by multiple media players.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3138
CVE-2010-3152	"DLL hijacking" issue in illustration program.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3152
CVE-2010-3147	"DLL hijacking" issue in address book.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3147
CVE-2010-3135	"DLL hijacking" issue in network monitoring software.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3135
CVE-2010-3131	"DLL hijacking" issue in web browser.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3131
CVE-2010-1795	"DLL hijacking" issue in music player/organizer.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1795
CVE-2002-1576	Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1576
CVE-1999-1461	Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1461
CVE-1999-1318	Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1318
CVE-2003-0579	Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0579
CVE-2000-0854	When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0854
CVE-2001-0943	Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0943
CVE-2001-0942	Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0942
CVE-2001-0507	Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0507
CVE-2002-2017	Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2017
CVE-1999-0690	Product includes the current directory in root's PATH variable.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0690
CVE-2001-0912	Error during packaging causes product to include a hard-coded, non-standard directory in search path.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0912
CVE-2001-0289	Product searches current working directory for configuration file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0289
CVE-2005-1705	Product searches current working directory for configuration file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1705
CVE-2005-1307	Product executable other program from current working directory.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1307
CVE-2002-2040	Untrusted path.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2040
CVE-2005-2072	Modification of trusted environment variable leads to untrusted path vulnerability.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2072
CVE-2005-1632	Product searches /tmp for modules before other paths.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1632

Notes

Relationship Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control). Maintenance This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Uncontrolled Search Path Element

VULHUB ™

CWE-427 对搜索路径元素未加控制

Uncontrolled Search Path Element

基本描述

扩展描述

相关缺陷

适用平台

常见的影响

可能的缓解方案

['Architecture and Design', 'Implementation']

Implementation

Implementation

Implementation

Implementation

示例代码

例

分析过的案例

Notes

分类映射

相关攻击模式

引用