SV.PCC.MODIFIED_BEFORE_CREATE

Insecure modification of temporary filename

If temporary files are created or used insecurely, application and system data can be left open to attack. Dangerous data can be injected into the application, or data stored in the temporary file can be accessed, modified, or corrupted. The SV.PCC.MODIFIED_BEFORE_CREATE checker flags situations in which the temporary filename buffer is changed before the call to CreateFile.

Vulnerability and risk

Temporary file vulnerability is a very common security issue. The Mitre Corp. security alert database lists over 200 reports of this type. The temporary file vulnerability can be exploited to escalate privilege or manipulate critical information.

Mitigation and prevention

To avoid this vulnerability:

  • Use GetTempPath and GetTempFileName to ensure random name creation
  • Review the least privilege settings for temporary files

Fixed code example

Copy
     //  Gets the temp path env string (no guarantee it's a valid path).
    dwRetVal = GetTempPath(MAX_PATH,          // length of the buffer
                           lpTempPathBuffer); // buffer for path 
    if (dwRetVal > MAX_PATH || (dwRetVal == 0))
    {
        PrintError(TEXT("GetTempPath failed"));
        if (!CloseHandle(hFile))
        {
            PrintError(TEXT("CloseHandle(hFile) failed"));
           return (7);
       }
       return (2);
   }
   //  Generates a temporary file name. 
   uRetVal = GetTempFileName(lpTempPathBuffer, // directory for tmp files
                             TEXT("DEMO"),     // temp file name prefix 
                             0,                // create unique name 
                             szTempFileName);  // buffer for name 
   if (uRetVal == 0)
   {
       PrintError(TEXT("GetTempFileName failed"));
       if (!CloseHandle(hFile))
       {
           PrintError(TEXT("CloseHandle(hFile) failed"));
           return (7);
       }
       return (3);
   }
   //  Creates the new file to write to for the upper-case version.
   hTempFile = CreateFile((LPTSTR) szTempFileName, // file name 
                          GENERIC_WRITE,        // open for write 
                          0,                    // do not share 
                          NULL,                 // default security 
                          CREATE_ALWAYS,        // overwrite existing
                          FILE_ATTRIBUTE_TEMPORARY, // temporary storage 
                          NULL);                // no template 
   if (hTempFile == INVALID_HANDLE_VALUE) 
   { 
       PrintError(TEXT("Second CreateFile failed"));
       if (!CloseHandle(hFile))
       {
           PrintError(TEXT("CloseHandle(hFile) failed"));
           return (7);
       }
       return (4);
   } 

This is an example of code that follows good practices in creating temporary files. With secure temporary filenames, you don't run the risk of leaving the application or system data open to attack.

Security training

Application security training materials provided by Secure Code Warrior.