Unquoted Search Path or Element

Description

This vulnerability occurs when a program uses a file path or command that contains spaces and is not enclosed in quotes. The operating system may misinterpret where the executable file is located, potentially allowing an attacker to run a malicious program with higher privileges.

Extended Description

When a path like `C:\Program Files\MyApp\app.exe` is called without quotes, the system interprets each space as a separator between arguments. It will first try to execute `C:\Program.exe`, then `C:\Program Files\MyApp\app.exe`. If an attacker can place a malicious file named `Program.exe` in the root directory (C:\), the system will run that file instead of the intended application. This is a classic privilege escalation path on Windows systems. If a high-privileged service or user runs a program with an unquoted path, an attacker with write access to a parent directory (like C:\) can plant a malicious executable with a name that matches an earlier segment of the path. The system's search order then executes the attacker's file with the same elevated permissions.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailability

Impact: Execute Unauthorized Code or Commands

Potential Mitigations 3

Phase: Implementation

Properly quote the full search path before executing a program on the system.

Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Demonstrative Examples 1

The following example demonstrates the weakness.

Code Example:Bad
C
c

Observed Examples 3

CVE-2005-1185Small handful of others. Program doesn't quote the "C:\Program Files\" path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:.

CVE-2005-2938CreateProcess() and CreateProcessAsUser() can be misused by applications to allow "program.exe" style attacks in C:

CVE-2000-1128Applies to "Common Files" folder, with a malicious common.exe, instead of "Program Files"/program.exe.

References 1

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Functional Areas

Program Invocation

Related Weaknesses

ChildOf:

Exposure of Resource to Wrong Sphere (CWE-668)

ChildOf:

Exposure of Resource to Wrong Sphere (CWE-668)

Taxonomy Mapping

PLOVER

Notes

Applicable Platform This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. While spaces are technically supported in Unix, the practice is generally avoided. .

Maintenance This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of Improper Encoding or Escaping of Output. Improper Encoding or Escaping of Output also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (Untrusted Search Path), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under Exposure of Resource to Wrong Sphere or Externally Controlled Reference to a Resource in Another Sphere, which suggests that the control sphere model needs enhancement or clarification.