SV.USAGERULES.PROCESS_VARIANTS

Exposure to privilege escalation in process

This checker only reports issues on Windows platforms.

Some process-creation system calls provide exposure to local privilege escalation. These calls are prone to attacks that allow execution of malicious code with the privileges of the host process. The SV.USAGERULES.PROCESS_VARIANTS checker flags the following system calls:

  • CreateProcess
  • CreateProcessAsUser
  • CreateProcessWithLogon
  • ShellExecute
  • ShellExecuteEx
  • WinExec
  • system
  • _wsystem
  • _*exec*
  • _*spawn*

Vulnerability and risk

If a process-creation system call doesn't contain the full path of the .exe executable properly before calling the process-creation API, it creates an opportunity for attack. A search path vulnerability can allow local users to gain privileges using a malicious .exe file.

Mitigation and prevention

To prevent exposure, use fork (not vfork), execve, and pipes to control process execution completely.

Vulnerable code example 1

In this example, Klocwork flags the use of the function execlp in line 4. This system call provides possible exposure to local privilege escalation through a malicious .exe file.

1   #include <process.h>
2    
3   void foo() {
4       _execlp("li", "li", "-al", 0);
5       _wexeclp((wchar_t *)"li", (wchar_t *)"li", (wchar_t *)"-al", 0);
6   }

Fixed code example 1

In the fixed code, the function execlp has been replaced by execve, which controls process execution, eliminating the possibility of privilege escalation.

1  #include <process.h>
2  void foo() {
3     execve("li", "li", "-al", 0);  
4  }

Vulnerable code example 2

In this example, Klocwork reports the SV.USAGERULES.PROCESS_VARIANTS error on line 13. System function call commands are executed by the host environment shell without any checks, providing exposure to local privilege escalation.

1   #include <stdio.h>
2   #include <sys/types.h>
3   #include <sys/stat.h>
4     
5   int main(int argc, char *argv[]) {
6     int fd;
7    
8     if ((fd = open(argv[1], 0)) == -1) {
9       error("can't open %s", argv[1]);
10      return -1;
11    }
12    if (argc == 2) {/* execute command */
13      if (system("/bin/sh/", "sh", "-c", argv[1], (char*) 0)) { /* SV.USAGERULES.PROCESS_VARIANTS reported here */
14   
15          /* some code */
16        } else {
17          error("can't execute %s", argv[1]);
18        }
19    }
20  }

Fixed code example 2

In the fixed example, the system function has once again been replaced by execve, which controls process execution and eliminates the possibility of privilege escalation.

1   #include <stdio.h>
2   #include <sys/types.h>
3   #include <sys/stat.h>
4    
5   int main(int argc, char *argv[]) {
6     int fd;
7     
8     if ((fd = open(argv[1], 0)) == -1) {
9       error("can't open %s", argv[1]);
10      return -1;
11    }
12    if (argc == 2) {/* execute command */
13      if (execve ("/bin/sh/", "sh", "-c", argv[1], (char*) 0)) { * / SV.USAGERULES.PROCESS_VARIANTS not reported */
14   
15          /* some code */
16        } else {
17          error("can't execute %s", argv[1]);
18        }
19    }
20  }

Security training

Application security training materials provided by Secure Code Warrior.