Expand description

This module implements a check for CWE-426: Untrusted Search Path.

Basically, the program searches for critical resources on an untrusted search path that can be adjusted by an adversary. For example, see Nebula Level 1 (https://exploit-exercises.com/nebula/level01/).

According to the manual page of system() the following problems can arise: “Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.)”

See https://cwe.mitre.org/data/definitions/426.html for a detailed description.

How the check works

We check whether a function that calls a privilege-changing function (configurable in config.json) also calls system().

False Positives

  • If the call to system() happens before the privilege-changing function, the call may not be used for privilege escalation

False Negatives

  • If the calls to the privilege-changing function and system() happen in different functions, the calls will not be flagged as a CWE-hit.
  • This check only finds potential privilege escalation bugs, but other types of bugs can also be triggered by untrusted search paths.

Structs

  • Function symbols read from config.json. The symbols are functions that change or drop privileges.

Statics

Functions

  • Run the CWE check. We check whether a function calls both system(..) and a privilege changing function. For each such function a CWE warning is generated.