Possible executable path hijacking

ID

c.command_injection.insecure_api_createprocess

Severity

low

Resource

Command Injection

Language

C / C++

Description

Improper neutralization of special elements used in a command ('Command Injection').

Command injection vulnerabilities occur when an application passes untrusted input to a system shell command without proper validation or sanitization.

Such vulnerabilities allow attackers to execute arbitrary shell commands with the privileges of the user running the application, which may result in complete system compromise.

Attackers exploiting the vulnerability can then install a reverse shell, download and install malware or ransomware, cryptocurrency miners, run database clients for data exfiltration, etc.

Understanding and mitigating this risk is crucial, as it can facilitate data breaches, unauthorized data manipulation, or any type of attack that could be crafted via system commands.

Rationale

Due to how CreateProcess parses spaces, an attacker may exploit this by creating a binary with the same name that is loaded first based on search path order. Ensure quotation marks around the executable path are used.

The following code illustrates a vulnerable pattern detected by this rule:

void bad() {
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  HANDLE hToken;

  // CreateProcess - relative path in lpApplicationName
  // VULNERABLE: Possible executable path hijacking
  CreateProcess("Evil.exe", "-x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcess - NULL lpApplicationName, relative path in lpCommandLine
  // VULNERABLE: Possible executable path hijacking
  CreateProcess(NULL, "Evil.exe -x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcessA - relative path in lpApplicationName
  // VULNERABLE: Possible executable path hijacking
  CreateProcessA("Evil.exe", "-x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcessA - NULL lpApplicationName, relative path in lpCommandLine
  // VULNERABLE: Possible executable path hijacking
  CreateProcessA(NULL, "Evil.exe -x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcessW - relative path in lpApplicationName
  // VULNERABLE: Possible executable path hijacking
  CreateProcessW(L"Evil.exe", L"-x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcessW - NULL lpApplicationName, relative path in lpCommandLine
  // VULNERABLE: Possible executable path hijacking
  CreateProcessW(NULL, L"Evil.exe -x", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

  // CreateProcessAsUserA - relative path in lpApplicationName
  // VULNERABLE: Possible executable path hijacking

Remediation

To safeguard against command injection, it is essential to adopt a series of preventive measures:

  1. Avoid Direct Command Execution with Untrusted Input: Avoid using functions for executing shell commands with untrusted inputs. Where command execution is necessary, parameterize inputs as separate command-line arguments, and do not concatenate untrusted inputs into shell commands.

  2. Input Validation and Whitelisting: Perform rigorous input validation to ensure that the input conforms to expected and safe formats. Whitelisting valid input patterns is preferable over blacklisting potentially harmful inputs.

  3. Escape Shell Metacharacters: If the input must be included in a command, ensure any shell metacharacters are properly blacklisted, escaped or sanitized using a dedicated library.

    Characters in { } ( ) < > & * ‘ | = ? ; [ ] ^ $ – # ~ ! . ” % / \ : + , \` are shell metacharacters for most OSes and shells.

    This is difficult to do well, and attackers have many ways of bypassing them so it is not recommended. You have been warned !

By implementing these practices, you can significantly minimize the potential for command injection vulnerabilities, enhancing the application’s resistance to this type of attack.

Configuration

This detector does not need any configuration.

References