CWE-427 – Uncontrolled Search Path Element

Read Time:3 Minute, 54 Second

Description

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-668
CWE-668

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Phase: Implementation

Description: 

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Phase: Implementation

Description: 

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Phase: Implementation

Description: 

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

Phase: Implementation

Description: 

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

CVE References

  • CVE-2010-3397
    • “DLL hijacking” issue in encryption software.
  • CVE-2010-3138
    • “DLL hijacking” issue in library used by multiple media players.
  • CVE-2010-3152
    • “DLL hijacking” issue in illustration program.
  • CVE-2010-3135
    • “DLL hijacking” issue in network monitoring software.
  • CVE-2010-1795
    • “DLL hijacking” issue in music player/organizer.
  • CVE-2002-1576
    • Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.
  • CVE-1999-1461
    • Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program.
  • CVE-1999-1318
    • Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.
  • CVE-2003-0579
    • Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.
  • CVE-2000-0854
    • When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.
  • CVE-2001-0943
    • Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.
  • CVE-2001-0942
    • Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.
  • CVE-2001-0507
    • Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.
  • CVE-2002-2017
    • Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.
  • CVE-1999-0690
    • Product includes the current directory in root’s PATH variable.
  • CVE-2001-0912
    • Error during packaging causes product to include a hard-coded, non-standard directory in search path.
  • CVE-2001-0289
    • Product searches current working directory for configuration file.
  • CVE-2005-1705
    • Product searches current working directory for configuration file.
  • CVE-2005-1307
    • Product executable other program from current working directory.
  • CVE-2005-2072
    • Modification of trusted environment variable leads to untrusted path vulnerability.
  • CVE-2005-1632
    • Product searches /tmp for modules before other paths.