String parameter in file path

The use of string parameters in a file path is potentially dangerous, since it can expose critical data to malicious attack. The SV.STR_PAR.UNDESIRED_STRING_PARAMETER checker finds instances of file manipulation functions that use absolute paths with string parameters.

Vulnerability and risk

An information exposure can occur when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. The vulnerability can be caused by an input validation error. In this case, an attacker can escape the root and retrieve or place arbitrary files on the system through directory traversal attacks using the "\.." character sequence. An attacker can also disclose the absolute path of the root by attempting to retrieve a nonexistent file.

The response to this type of error can reveal detailed system information, and may cause security mechanisms to fail or lead to denial-of-service (DoS) attacks.

Mitigation and prevention

To avoid this vulnerability:

  • review filename manipulation for the use of string parameters
  • make sure that stack traces and error messages are directly committed to a log that is not viewable by the user
  • ensure that error messages don't expose path information that can be used in malicious attacks
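
The mitigation points above, as an added example that is not part of the original page or Klocwork's own code: a user-supplied file name is accepted only as a single path component under a base directory, and on failure the full path and error text go to a log stream while the caller receives a generic message. The names `is_plain_name` and `open_under_base`, the base directory `/srv/app/data`, and the use of `stderr` as the private log are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if name is one path component: no separators, not "." or "..". */
static int is_plain_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255 ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strpbrk(name, "/\\") == NULL;   /* rejects "/" and "\" styles */
}

/* Opens base_dir/name read-only. On failure returns -1, puts a generic text
 * in user_msg, and writes the detail (full path, errno text) only to log. */
int open_under_base(const char *base_dir, const char *name, FILE *log,
                    char *user_msg, size_t msg_len)
{
    char path[4096];
    int fd;

    if (!is_plain_name(name) ||
        (size_t)snprintf(path, sizeof path, "%s/%s", base_dir, name) >= sizeof path) {
        fprintf(log, "rejected file name (not a plain component or too long)\n");
        snprintf(user_msg, msg_len, "invalid file name");
        return -1;
    }
    fd = open(path, O_RDONLY);
    if (fd == -1) {
        fprintf(log, "open(%s) failed: %s\n", path, strerror(errno));
        snprintf(user_msg, msg_len, "file not available");  /* no path, no errno */
        return -1;
    }
    user_msg[0] = '\0';
    return fd;
}

int main(int argc, char *argv[])
{
    char msg[64];
    /* Constructed base directory; stderr stands in for the private log. */
    int fd = open_under_base("/srv/app/data", argc > 1 ? argv[1] : "",
                             stderr, msg, sizeof msg);
    if (fd == -1) { printf("error: %s\n", msg); return 1; }
    close(fd);
    return 0;
}
```

The rejection branch deliberately does not echo the submitted name into the log, so a name containing newlines cannot forge log entries.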

Vulnerable code example

1  int main(int argc, char *argv[])
2  {
3      int fh;
4      fh = creat( "/usr/bin/ls", _S_IREAD | _S_IWRITE );
5      if ( fh == -1 )
6          return -1;
7      else
8      {
9          if ( argc > 1 ) write(fh, argv[1], strlen(argv[1]));
10         close( fh );
11         return 0;
12     }
13 }

Klocwork produces an issue report at line 4, indicating that the call to 'creat' uses a potentially dangerous string parameter in the file path.

Security training

Application security training materials provided by Secure Code Warrior.