Unquoted Search Path or Element
Draft Base
Structure: Simple
Description
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailability
Impact: Execute Unauthorized Code or Commands
Potential Mitigations 3
Phase: Implementation
Properly quote the full search path before executing a program on the system.
Phase: Implementation
Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Phase: Implementation
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Demonstrative Examples 1
The following example demonstrates the weakness.
Code Example:
Bad
C
cObserved Examples 3
CVE-2005-1185Small handful of others. Program doesn't quote the "C:\Program Files\" path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:.
CVE-2005-2938CreateProcess() and CreateProcessAsUser() can be misused by applications to allow "program.exe" style attacks in C:
CVE-2000-1128Applies to "Common Files" folder, with a malicious common.exe, instead of "Program Files"/program.exe.
References 1
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
- Program Invocation
Related Weaknesses
Taxonomy Mapping
- PLOVER
Notes
Applicable Platform
This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. While spaces are technically supported in Unix, the practice is generally avoided. .
Maintenance
This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of Improper Encoding or Escaping of Output. Improper Encoding or Escaping of Output also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message.
An additional complication is the relationship to control spheres. Unlike untrusted search path (Untrusted Search Path), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under Exposure of Resource to Wrong Sphere or Externally Controlled Reference to a Resource in Another Sphere, which suggests that the control sphere model needs enhancement or clarification.