Potential DLL-preload SearchPath vector
When an application loads an external library, it's important for the code to use a fully qualified path. If an insufficiently qualified path is specified, a malicious attacker can gain control of the search path and use it as a vector for remotely executing arbitrary code. Some APIs, such as SearchPath, also provide a vector for malicious attack because they try to load libraries from unexpected source directories. These types of threats are known as binary planting or DLL-preloading attacks.
The DLLPRELOAD.SEARCHPATH checker flags code instances in which the SearchPath API is used in system file-manipulation function calls to .dll files.
Fore more information on DLL-preloading attacks, see Microsoft's Security Advisory 2269637.
Vulnerability and risk
An attacker can use relative pathnames to read, modify, or overwrite critical files, bypassing security mechanisms. For example, a malicious user can add a new account at the end of a password file to avoid authentication, or read the password file to break into an account on the system. In a worst-case scenario, users can be locked out of the system, software can be prevented from operating, or unauthorized commands or code can be executed.
The search order used by SearchPath (and other similar APIs) is intended for documents rather than application libraries, so applications that use this API may end up inadvertently loading libraries from directories that are controlled by an attacker. Typically, applications using SearchPath try to load libraries first from the current working directory, which can contain specially crafted libraries of arbitrary code.
Mitigation and prevention
To avoid relative path problems:
- Don't use SearchPath unless safe process search mode is enabled
- Make sure that external libraries are loaded securely, using fully qualified pathnames whenever possible
- Include built-in path canonicalization functions such as realpath() or canonicalize_file_name() in the code
- Store library, include, and utility files in separate directories where they can't be easily accessed
- Make sure error messages don't disclose path information
For more suggestions for mitigation and prevention of DLL-preloading attacks, see Microsoft's Dynamic-Link Library Security article.
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal]
- CWE-73: External Control of File Name or Path
- CWE-114: Process Control
- FIO02-C:Canonicalize path names originating from untrusted sources
- STIG-ID:APP3600 Canonical Representation
- Microsoft's Security Advisory 2269637
- Microsoft's Dynamic-Link Library Security article