Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Potential Mitigations
Phase: Architecture and Design, Implementation
Description:
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Phase: Implementation
Description:
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Phase: Implementation
Description:
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Phase: Implementation
Description:
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Phase: Implementation
Description:
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
CVE References
- CVE-2010-3402
- “DLL hijacking” issue in document editor.
- CVE-2010-3397
- “DLL hijacking” issue in encryption software.
- CVE-2010-3138
- “DLL hijacking” issue in library used by multiple media players.
- CVE-2010-3152
- “DLL hijacking” issue in illustration program.
- CVE-2010-3147
- “DLL hijacking” issue in address book.
- CVE-2010-3135
- “DLL hijacking” issue in network monitoring software.
- CVE-2010-3131
- “DLL hijacking” issue in web browser.
- CVE-2010-1795
- “DLL hijacking” issue in music player/organizer.
- CVE-2002-1576
- Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.
- CVE-1999-1461
- Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program.
- CVE-1999-1318
- Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.
- CVE-2003-0579
- Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.
- CVE-2000-0854
- When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.
- CVE-2001-0943
- Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.
- CVE-2001-0942
- Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.
- CVE-2001-0507
- Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.
- CVE-2002-2017
- Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.
- CVE-1999-0690
- Product includes the current directory in root’s PATH variable.
- CVE-2001-0912
- Error during packaging causes product to include a hard-coded, non-standard directory in search path.
- CVE-2001-0289
- Product searches current working directory for configuration file.
- CVE-2005-1705
- Product searches current working directory for configuration file.
- CVE-2005-1307
- Product executable other program from current working directory.
- CVE-2002-2040
- Untrusted path.
- CVE-2005-2072
- Modification of trusted environment variable leads to untrusted path vulnerability.
- CVE-2005-1632
- Product searches /tmp for modules before other paths.
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...