CWE-426: Untrusted Search Path
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Common Consequences
Scope: Integrity, Confidentiality, Availability, Access Control
Technical Impact: Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
Note: There is the potential for arbitrary code execution with the privileges of the vulnerable program.
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
Note: The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.
Scope: Confidentiality
Technical Impact: Read Files or Directories
Note: The program could send the contents of unauthorized files to the attacker.
Potential Mitigations
Phase: Architecture and Design; Implementation
Strategy: Attack Surface Reduction
Description: Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-427 and CWE-428.
Phase: Implementation
Description: When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. Portability can be improved by keeping the fully-qualified paths in a centralized, easily-modifiable location within the source code and having the rest of the code refer to those definitions.
Phase: Implementation
Description: Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH and other settings that identify the location of code libraries, and any application-specific search paths.
Phase: Implementation
Description: Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary-files directory.
Phase: Implementation
Description: Prefer functions that take an explicit path and do not search for the program themselves. For example, system() in C does not require a full path because it hands the command line to the shell, which resolves the program name through PATH; execl() and execv() perform no PATH search and run exactly the path they are given (unlike execlp() and execvp(), which do search PATH).
Detection Methods
Method: Black Box
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Method: Manual Analysis
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Observed Examples
Reference: CVE-1999-1120
Application relies on its PATH environment variable to find and execute a program.
Reference: CVE-2008-1810
Database application relies on its PATH environment variable to find and execute a program.
Reference: CVE-2007-2027
Chain: untrusted search path enabling a resultant format string by loading malicious internationalization messages.
Reference: CVE-2008-3485
Untrusted search path using a malicious .EXE in a Windows environment.
Reference: CVE-2008-2613
setuid program allows compromise using a path that finds and loads a malicious library.
Reference: CVE-2008-1319
Server allows client to specify the search path, which can be modified to point to a program that the client has uploaded.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Operating Systems
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Untrusted Search Path | - |
| CLASP | - | Relative path library search | - |
| CERT C Secure Coding | ENV03-C | Sanitize the environment when invoking external programs | - |