Execution of a binary from a relative path can be controlled by an external actor

Command with relative path is vulnerable to malicious attack

expand all in page

Description

This defect occurs when you call an external command with a relative path or without a path.

This defect also finds results that the Execution of externally controlled command defect checker finds.

Risk

By using a relative path or no path to call an external command, your program uses an unsafe search process to find the command. An attacker can control the search process and replace the intended command with a command of their own.

Fix

When you call an external command, specify the full path.

Examples

expand all

# define _GNU_SOURCE
# include <sys/types.h>
# include <sys/socket.h>
# include <unistd.h>
# include <stdio.h>
# include <stdlib.h>
# include <wchar.h>
# include <string.h>
# define MAX_BUFFER 100

void rel_path()
{
    char * data;
    char data_buf[MAX_BUFFER] = "";
    data = data_buf;

    strcpy(data, "ls -la");
    FILE *pipe;
    pipe = popen(data, "wb"); 
    if (pipe != NULL) pclose(pipe);
}

In this example, Bug Finder flags popen because it tries to call ls -la using a relative path to the ls command. An attacker can manipulate the command to use a malicious version.

Correction — Use Full Path

One possible correction is to use the full path when calling the command.

# define _GNU_SOURCE
# include <sys/types.h>
# include <sys/socket.h>
# include <unistd.h>
# include <stdio.h>
# include <stdlib.h>
# include <wchar.h>
# include <string.h>
# define MAX_BUFFER 100

void rel_path()
{
    char * data;
    char data_buf[MAX_BUFFER] = "";
    data = data_buf;

    strcpy(data, "/usr/bin/ls -la");
    FILE *pipe;
    pipe = popen(data, "wb");  
    if (pipe != NULL) pclose(pipe);
}

Result Information

Group: Security
Language: C | C++
Default: Off
Command-Line Syntax: RELATIVE_PATH_CMD
Impact: Medium
PQL Name: std.defects.RELATIVE_PATH_CMD

Version History

Introduced in R2015b

See Also

| | | |

Topics