CWE-43 – Path Equivalence: ‘filename....’ (Multiple Trailing Dot)

Description

A software system that accepts path input with multiple trailing dots (‘filedir....’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
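
The ambiguity described above, as an added example that is not part of the CWE entry: a raw string comparison treats `web.config.` and `web.config` as different names, while the Win32 path layer trims trailing dots and spaces and opens the same file. The restricted-name set and the sample inputs are constructed.

```python
"""Added example for CWE-43 (not CWE's own code). The Win32 path layer trims
trailing dots and spaces from a name, so 'web.config.' and 'web.config' open
the same file while a plain string comparison treats them as different.
Per CWE-180, canonicalize first and validate the canonical form. The
restricted-name set and the sample inputs are constructed."""
import re

RESTRICTED = {"web.config", "secret.txt"}  # constructed denylist of names

def win32_canonical_component(component: str) -> str:
    """Approximate Win32 handling of one path component: trailing dots and
    spaces are dropped and names compare case-insensitively."""
    return component.rstrip(". ").lower()

def canonical_path(path: str) -> str:
    """Canonicalize every component; Windows accepts both separators."""
    return "/".join(win32_canonical_component(p) for p in re.split(r"[\\/]", path))

def naive_is_allowed(name: str) -> bool:
    """Vulnerable check: compares the raw string, so 'web.config.' passes
    and then resolves to web.config on disk."""
    return name.lower() not in RESTRICTED

def safe_is_allowed(path: str) -> bool:
    """Hardened check: refuse any spelling that canonicalization changes,
    refuse empty components, then validate the canonical final component."""
    canon = canonical_path(path)
    if canon != path.lower().replace("\\", "/"):
        return False  # trailing-dot/space variant: ambiguous, do not guess
    if "" in canon.split("/"):
        return False  # '.', '..', '//' and a leading separator give an empty component
    return canon.rsplit("/", 1)[-1] not in RESTRICTED
```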

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-42
CWE-163

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

CVE References

CWE-428 – Unquoted Search Path or Element

Description

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as “C:\Program.exe” to be run by a privileged program making use of WinExec.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Description: 

Properly quote the full search path before executing a program on the system.
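
As an added illustration (example code, not part of the CWE entry), the helper below reads a command line the way a CreateProcess-style loader reads an unquoted executable path containing spaces, lists the paths that would be resolved before the intended file, and applies the quoting mitigation. The service names and ImagePath values are constructed.

```python
"""Added example for CWE-428 (not CWE's own code): audit command lines the
way a CreateProcess-style loader reads an unquoted executable path with
spaces. Each space-delimited prefix is tried as "<prefix>.exe" before the
intended file, so a file planted at one of those prefixes is what runs.
Service names and ImagePath values below are constructed."""
import re

# Executable portion of a command line: up to and including the first ".exe" token.
_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def executable_part(command_line: str) -> str:
    cl = command_line.strip()
    m = _EXE_RE.match(cl)
    return m.group(1) if m else cl.split(" ", 1)[0]

def loader_candidates(command_line: str) -> list[str]:
    """Paths tried, in order, to locate the executable. A quoted path yields
    exactly one candidate; an unquoted path with spaces yields several."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return [cl[1:end] if end != -1 else cl[1:]]
    exe = executable_part(cl)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]

def is_unquoted_with_spaces(command_line: str) -> bool:
    return len(loader_candidates(command_line)) > 1

def quote_executable(command_line: str) -> str:
    """The mitigation from the text: quote the full executable path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl
    exe = executable_part(cl)
    return f'"{exe}"{cl[len(exe):]}'

SAMPLE_SERVICES = {  # constructed ImagePath values, not real services
    "GoodSvc": r'"C:\Program Files\Vendor Name\app.exe" -svc',
    "BadSvc": r"C:\Program Files\Vendor Name\app.exe -svc",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def audit_services(services: dict) -> dict:
    """For each unquoted service, the paths resolved before the intended file;
    these are the locations a defender must keep non-writable."""
    return {name: loader_candidates(p)[:-1]
            for name, p in services.items() if is_unquoted_with_spaces(p)}
```

`audit_services(SAMPLE_SERVICES)` flags only `BadSvc`, reporting `C:\Program.exe` and `C:\Program Files\Vendor.exe` as the paths tried first; `quote_executable()` returns the quoted form the mitigation asks for.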

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2005-1185
    • Small handful of others. Program doesn’t quote the “C:\Program Files” path when calling a program to be executed – or any other path with a directory or file whose name contains a space – so attacker can put a malicious program.exe into C:.
  • CVE-2005-2938
    • CreateProcess() and CreateProcessAsUser() can be misused by applications to allow “program.exe” style attacks in C:
  • CVE-2000-1128
    • Applies to “Common Files” folder, with a malicious common.exe, instead of “Program Files”/program.exe.

CWE-427 – Uncontrolled Search Path Element

Description

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Phase: Implementation

Description: 

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Phase: Implementation

Description: 

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Phase: Implementation

Description: 

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

Phase: Implementation

Description: 

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

CVE References

  • CVE-2010-3397
    • “DLL hijacking” issue in encryption software.
  • CVE-2010-3138
    • “DLL hijacking” issue in library used by multiple media players.
  • CVE-2010-3152
    • “DLL hijacking” issue in illustration program.
  • CVE-2010-3135
    • “DLL hijacking” issue in network monitoring software.
  • CVE-2010-1795
    • “DLL hijacking” issue in music player/organizer.
  • CVE-2002-1576
    • Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.
  • CVE-1999-1461
    • Product trusts the PATH environment variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicious version of that program.
  • CVE-1999-1318
    • Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.
  • CVE-2003-0579
    • Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.
  • CVE-2000-0854
    • When a document is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.
  • CVE-2001-0943
    • Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.
  • CVE-2001-0942
    • Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.
  • CVE-2001-0507
    • Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.
  • CVE-2002-2017
    • Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.
  • CVE-1999-0690
    • Product includes the current directory in root’s PATH variable.
  • CVE-2001-0912
    • Error during packaging causes product to include a hard-coded, non-standard directory in search path.
  • CVE-2001-0289
    • Product searches current working directory for configuration file.
  • CVE-2005-1705
    • Product searches current working directory for configuration file.
  • CVE-2005-1307
    • Product executes another program from the current working directory.
  • CVE-2005-2072
    • Modification of trusted environment variable leads to untrusted path vulnerability.
  • CVE-2005-1632
    • Product searches /tmp for modules before other paths.

CWE-426 – Untrusted Search Path

Description

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application’s direct control.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-642
CWE-668
CWE-673
CWE-427
CWE-428

Consequences

Integrity, Confidentiality, Availability, Access Control: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

There is the potential for arbitrary code execution with privileges of the vulnerable program.

Availability: DoS: Crash, Exit, or Restart

The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.

Confidentiality: Read Files or Directories

The program could send the output of unauthorized files to the attacker.

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Phase: Implementation

Description: 

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Phase: Implementation

Description: 

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Phase: Implementation

Description: 

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Phase: Implementation

Description: 

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
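
The mitigations listed for CWE-427 and CWE-426 (hard-coded search path, stripped environment, fully-qualified program path, no shell lookup) combined in one added Python example; this is not CWE's own code, and SAFE_PATH_DIRS, UNSAFE_ROOTS, DROP_PREFIXES and the sample PATH value are constructed choices for a POSIX host.

```python
"""Added example for the CWE-427/CWE-426 mitigations above (not CWE's own
code): sanitise the search path, strip loader/search settings from the
environment, and resolve the program to a fully-qualified path before
spawning it. SAFE_PATH_DIRS, UNSAFE_ROOTS and DROP_PREFIXES are constructed."""
import os
import subprocess

# Hard-coded known-safe directories (administrator policy, never user input).
SAFE_PATH_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")
# Denylist of elements the text calls likely unsafe; incomplete by nature.
UNSAFE_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")
# Variables that steer code loading or lookup; the text names PATH and LD_LIBRARY_PATH.
DROP_PREFIXES = ("LD_", "DYLD_", "PATH", "PYTHONPATH", "PERL5LIB", "RUBYLIB")

def sanitize_search_path(path_value: str) -> list[str]:
    """Keep absolute, normalised, de-duplicated elements; drop '', '.', relative
    entries (they resolve against the CWD) and temp directories."""
    kept = []
    for elem in path_value.split(os.pathsep):
        norm = os.path.normpath(elem) if elem else ""
        if not norm.startswith("/"):
            continue
        if any(norm == r or norm.startswith(r + "/") for r in UNSAFE_ROOTS):
            continue
        if norm not in kept:
            kept.append(norm)
    return kept

def hardened_env(inherit: dict) -> dict:
    """Parent environment minus loader/search settings; PATH is replaced."""
    env = {k: v for k, v in inherit.items() if not k.startswith(DROP_PREFIXES)}
    env["PATH"] = os.pathsep.join(SAFE_PATH_DIRS)
    return env

def resolve_program(name: str, search_dirs=SAFE_PATH_DIRS):
    """Fully qualify `name` from trusted directories only; refuse embedded dirs."""
    if "/" in name or os.sep in name:
        return None
    for d in search_dirs:
        cand = os.path.join(d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None

def run_trusted(name: str, *args: str) -> subprocess.CompletedProcess:
    """Spawn by explicit path (no shell, no PATH lookup) with a clean env."""
    prog = resolve_program(name)
    if prog is None:
        raise FileNotFoundError(f"{name!r} not found in trusted search path")
    return subprocess.run([prog, *args], env=hardened_env(os.environ),
                          check=True, capture_output=True, text=True)
```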

CVE References

  • CVE-1999-1120
    • Application relies on its PATH environment variable to find and execute program.
  • CVE-2008-1810
    • Database application relies on its PATH environment variable to find and execute program.
  • CVE-2007-2027
    • Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages.
  • CVE-2008-3485
    • Untrusted search path using malicious .EXE in Windows environment.
  • CVE-2008-2613
    • setuid program allows compromise using path that finds and loads a malicious library.
  • CVE-2008-1319
    • Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded.

CWE-425 – Direct Request (‘Forced Browsing’)

Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-862
CWE-288
CWE-424
CWE-471
CWE-98

Consequences

Confidentiality, Integrity, Availability, Access Control: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Phase: Architecture and Design

Description: 

Consider using MVC based frameworks such as Struts.

CVE References

  • CVE-2005-1892
    • Infinite loop or infoleak triggered by direct requests.
  • CVE-2005-1668
    • Access privileged functionality using direct request.

CWE-424 – Improper Protection of Alternate Path

Description

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-693
CWE-638

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design

Description: 

Deploy different layers of protection to implement security in depth.

CVE References

CWE-422 – Unprotected Windows Messaging Channel (‘Shatter’)

Description

The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-420
CWE-360

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Always verify and authenticate the source of the message.

CVE References

  • CVE-2003-0350
    • A control allows a change to a pointer for a callback function using Windows message.
  • CVE-2003-0908
    • Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access “open file” dialog.
  • CVE-2004-0213
    • Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
  • CVE-2004-0207
    • User can call certain API functions to modify certain properties of privileged programs.

CWE-421 – Race Condition During Access to Alternate Channel

Description

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

This creates a race condition that allows an attacker to access the channel before the authorized user does.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-420
CWE-362

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

CVE References

  • CVE-1999-0351
    • FTP “Pizza Thief” vulnerability. Attacker can connect to a port that was intended for use by another client.
  • CVE-2003-0230
    • Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it.

CWE-420 – Unprotected Alternate Channel

Description

The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-923

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

CVE References

  • CVE-2002-0567
    • DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
  • CVE-2002-1578
    • Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
  • CVE-2003-1035
    • User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
  • CVE-2002-1863
    • FTP service cannot be disabled even when other access controls would require it.
  • CVE-2002-0066
    • Windows named pipe created without authentication/access control, allowing configuration modification.
  • CVE-2004-1461
    • Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.