Relative path library search
Last revision (mm/dd/yy): 02/28/2009
Description
Certain functions perform automatic path searching, and both the way they search and the file they end up selecting may not be what the caller expects. Example: WinExec uses the space character as a delimiter, so a search for "C:\Program Files\Foo\Bar.exe" accepts "C:\Program.exe" as a valid result.
Consequences
- Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program.
Exposure period
- Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.
Platform
- Languages: Any
- Operating platforms: Any
Required resources
Any
Severity
High
Likelihood of exploit
High
If a malicious individual has access to the file system, they can elevate privileges by inserting a file such as "C:\Program.exe", which a privileged program that makes use of WinExec will then run.
Risk Factors
TBD
Examples
In C/C++:
UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW );
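The following is an added example, not part of the original page: a portable C model of the space-delimited search described above, which an auditor can use to list the paths that would be tried before the intended program when a path is passed unquoted. The function names are hypothetical, the ".exe" suffix follows the page's "C:\Program.exe" example, and the code only models the search; it does not call WinExec.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260

/* Return the n-th (0-based) path that space-delimited searching would try
 * before the intended program, or NULL when there is none. Assumes cmd is a
 * program path without arguments, as in the WinExec call above. */
const char *nth_candidate(const char *cmd, int n)
{
    static char buf[PATH_BUF];

    if (cmd[0] == '\0' || cmd[0] == '"')
        return NULL;                   /* empty, or quoted: nothing to guess */
    for (size_t i = 1; cmd[i] != '\0'; i++) {
        if (cmd[i] != ' ' || cmd[i - 1] == ' ')
            continue;                  /* only the first space of a run */
        if (n-- > 0)
            continue;                  /* not yet the requested candidate */
        if (i + sizeof ".exe" > sizeof buf)
            return NULL;               /* would not fit in the buffer */
        memcpy(buf, cmd, i);
        buf[i] = '\0';
        /* A truncated name with no extension is tried with ".exe" added. */
        const char *base = strrchr(buf, '\\');
        if (strchr(base ? base + 1 : buf, '.') == NULL)
            strcat(buf, ".exe");
        return buf;
    }
    return NULL;
}

/* Number of paths tried before the intended one; 0 means no ambiguity. */
int count_candidates(const char *cmd)
{
    int n = 0;
    while (nth_candidate(cmd, n) != NULL)
        n++;
    return n;
}

int main(void)
{
    const char *cmd = "C:\\Program Files\\Foo\\Bar";   /* the page's example */
    int n = count_candidates(cmd);
    printf("%s: %d path(s) tried before the intended program\n", cmd, n);
    for (int k = 0; k < n; k++)
        printf("  %s\n", nth_candidate(cmd, k));
    return 0;
}
```

Any path for which `count_candidates` returns a non-zero value names locations that must not be writable by less-privileged users if the call cannot be changed.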
Related Attacks
Related Vulnerabilities
Related Controls
- Implementation: Use other functions which require explicit paths. Any of the other readily available functions that require an explicit path is a safe way to avoid this problem.
Related Technical Impacts
References
TBD