Unquoted Path Vulnerability Rule

leandre · June 4, 2021, 2:24pm

Description :
Privilege escalation is an issue that should be accessed. The unquoted path vulnerability (CWE-428) doesn’t seem to be a rule implemented into SonarQube and it is still a relevant problem on Windows 10 machines.

This vulnerability can come up when a subprocess is started. The attacker can place a malicious executable in the path to the subprocess and will run with the same privileges as the calling process.

For example:
A program needs to start the executable C:\Program Files\Foo\Bar.exe. An attacker could place an executable called Program.exe at the C:\Program.exe location. Program.exe will run instead of Bar.exe because of how Windows filesystem works with path spaces. The attacker will then gain privilege escalation depending on the privileges of the main process. In order to prevent C:\Program.exe from running, quotes should be added to the path, “C:\Program Files\Foo\Bar.exe” or C:"Program Files"\Foo\Bar.exe.

The rule could be useful because it is only a simple fix for a big problem. Adding quotes to path does not seem like a huge amount of effort, but could save millions of dollars in case of a security breach.

Snipped of Non Compliant code:
In C (taken directly from CWE-428):

UINT errCode = WinExec( “C:\Program Files\Foo\Bar”, SW_SHOW );

In Python:

import os
os.system(“C:\Program Files\Foo\Bar.exe”)

Snipped of Compliant code:
In Python:

import os
os.system(“"C:\Program Files\Foo\Bar.exe"”)

Exceptions
Every other path that doesn’t start an executable. For example, loading an image. If the folders in the path does not contain spaces, CWE-428 doesn’t apply.

Examples of real open source projects that have been impacted by this issue and fixed it (eg: link to the commit fix / CVEs for security rules / etc)
As stated before, there is a whole post on this CWE (CWE-428).
Examples and references of CVEs are also stated in CWE-428.

Documentation/Blog post explaining the issue and what should be done instead
As stated in the name of the vulnerability, path to executables should be quoted. For example, you can quote the whole path or quote each individual folders containing spaces.

Blog post of how to use and fix this exploitation : Help eliminate unquoted path vulnerabilities - SANS Internet Storm Center

Type
Vulnerability

Tags
SonarQube, Rules

Topic		Replies	Views
SonarQube Community Edition( 10.4.1.88267) is not able to detect privilege escalation rule Report False-positive / False-negative...	1	270	March 27, 2024
Code seems to be wrong in compliant solution SonarQube Cloud csharp , security , sonarqube-cloud	8	1498	January 28, 2022
5 Python security rules added on top of new analyzer foundations Sonar Updates python	0	848	September 18, 2019
Post Upgrade to LTS, there is a spike in Vulnerabilities Reported SonarQube Server / Community Build upgrade , dotnet , issues	7	776	April 24, 2023
Sonar rule for CWE-114: Process Control New rules / language support	2	917	July 26, 2022

Unquoted Path Vulnerability Rule

Related topics