Unquoted Path Vulnerability Rule

Description :
Privilege escalation is an issue that should be addressed. The unquoted path vulnerability (CWE-428) does not seem to be covered by any existing SonarQube rule, and it is still a relevant problem on Windows 10 machines.

This vulnerability can come up when a subprocess is started from a path that contains spaces and is not quoted. An attacker who can write to a directory earlier in that path can place a malicious executable there, and it will run instead of the intended program, with the same privileges as the calling process.

For example:
A program needs to start the executable C:\Program Files\Foo\Bar.exe. If the path is passed unquoted, Windows cannot tell where the program name ends and the arguments begin, so it tries the possibilities in order: first C:\Program.exe (with "Files\Foo\Bar.exe" as its argument), then C:\Program Files\Foo\Bar.exe. An attacker who can write to C:\ therefore only needs to place an executable called Program.exe there, and it will run instead of Bar.exe. The attacker then gains whatever privileges the main process has. To prevent C:\Program.exe from running, the whole path should be quoted: "C:\Program Files\Foo\Bar.exe". At a command prompt, quoting only the folders containing spaces (C:\"Program Files"\Foo\Bar.exe) also works, but quoting the whole path is the simplest form and the one the CreateProcess documentation describes.

The rule would be useful because the fix is simple and the problem is serious. Adding quotes to a path is almost no effort, yet it could save millions of dollars in the event of a security breach.

Snippet of Non-Compliant code:
In C (adapted from CWE-428; backslashes are escaped so that it is a valid C string literal):

/* Noncompliant: the path contains spaces and is not quoted, so C:\Program.exe is tried first */
UINT errCode = WinExec("C:\\Program Files\\Foo\\Bar", SW_SHOW);

In Python:

import os
# Noncompliant: the path is unquoted, so C:\Program.exe would be tried before Bar.exe
os.system(r"C:\Program Files\Foo\Bar.exe")

Snippet of Compliant code:
In Python:

import os
# Compliant: the whole path is quoted, so it is parsed as a single program name
os.system(r'"C:\Program Files\Foo\Bar.exe"')
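To make the parsing behaviour described in the example above concrete, and to show what the proposed rule would actually check, here is an added Python example. It is not part of the original proposal, of CWE-428 or of SonarQube. It models the candidate paths CreateProcess tries for an unquoted command line (the probing order is the one Microsoft documents for CreateProcess), flags the kind of string literal the rule would report using a simple heuristic of my own, and builds a correctly quoted command line with subprocess.list2cmdline, which is the helper CPython itself uses on Windows when it is given an argument list. The function names and the heuristic are assumptions made for this example; the paths are the ones used on this page.

```python
import ntpath
import re
import subprocess


def split_command(cmdline: str):
    """Return (program, arguments) the way CreateProcess reads a command line.

    If the command line starts with a double quote, the program name runs to the
    closing quote; otherwise it is the first whitespace-delimited token.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def probe_order(cmdline: str):
    """Candidate executables Windows tries, in order, for a command line.

    Model of the documented CreateProcess behaviour: an unquoted line is cut at
    each whitespace in turn, and ".exe" is appended when the candidate has no
    extension. The first candidate that exists on disk is what actually runs,
    which is why an attacker-controlled C:\\Program.exe wins. A quoted line
    yields a single candidate.
    """
    stripped = cmdline.strip()
    if stripped.startswith('"'):
        return [split_command(stripped)[0]]
    tokens = stripped.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        candidates.append(candidate)
    return candidates


# Drive-letter ("C:\") or UNC ("\\server") absolute Windows path prefix
_ABS_WINDOWS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


def looks_like_unquoted_space_path(cmdline: str) -> bool:
    """Heuristic the proposed rule could apply to a command-line string literal
    (an assumption of this example, not a SonarQube rule).

    Flags a literal that is not quoted, whose first token is an absolute Windows
    path without an extension, and where a later token continues that path with
    a backslash (so a space fell inside a directory or file name). Not flagged:
    quoted literals, and lines whose first token already names a complete
    executable such as C:\\tools\\run.exe followed by path arguments.
    """
    stripped = cmdline.strip()
    if stripped.startswith('"'):
        return False
    tokens = stripped.split()
    if len(tokens) < 2 or not _ABS_WINDOWS_PATH.match(tokens[0]):
        return False
    if ntpath.splitext(tokens[0])[1]:
        return False
    return any("\\" in token for token in tokens[1:])


def safe_command_line(program: str, *args: str) -> str:
    """Build a command line whose program path is quoted when it needs to be.

    subprocess.list2cmdline is the helper CPython uses on Windows to turn an
    argument list into a command line; it wraps any argument containing
    whitespace in double quotes and escapes embedded quotes.
    """
    return subprocess.list2cmdline([program, *args])


if __name__ == "__main__":
    unsafe = r"C:\Program Files\Foo\Bar.exe"  # constructed sample from this page
    print("tried in order:", probe_order(unsafe))
    print("rule would flag:", looks_like_unquoted_space_path(unsafe))
    fixed = safe_command_line(unsafe, "--flag")
    print("fixed command line:", fixed)
    print("tried in order:", probe_order(fixed))
```

In application code the simplest way to get the quoting right is to avoid building the command line by hand at all: pass an argument list to subprocess.run (for example subprocess.run([r"C:\Program Files\Foo\Bar.exe", "--flag"])), which calls list2cmdline internally. The probe model also shows why the CWE-428 C example, which has no extension, is tried as C:\Program.exe first.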

The rule does not apply to paths that are not used to start an executable, for example the path of an image being loaded. It also does not apply when none of the folders in the path contain spaces, since CWE-428 only concerns spaces in the path of an executable.

Examples of real open source projects that have been impacted by this issue and fixed it (e.g. link to the commit fix / CVEs for security rules / etc.):
As noted above, CWE-428 has a full write-up of this weakness, and it also lists example CVEs and references.

Documentation/Blog post explaining the issue and what should be done instead
As the name of the vulnerability says, paths to executables should be quoted. Quote the whole path ("C:\Program Files\Foo\Bar.exe"); at a command prompt you can also quote just the folders containing spaces, but quoting the whole path is the simplest form and the one the CreateProcess documentation describes.

Blog post on how to find and fix this issue: https://isc.sans.edu/forums/diary/Help+eliminate+unquoted+path+vulnerabilities/14464/

