Checkers:SV.USAGERULES.PROCESS_VARIANTS
Exposure to privilege escalation in process
Some process-creation system calls provide exposure to local privilege escalation. These calls are prone to attacks that allow execution of malicious code with the privileges of the host process. The SV.USAGERULES.PROCESS_VARIANTS checker flags the following system calls:
- CreateProcess
- CreateProcessAsUser
- CreateProcessWithLogon
- ShellExecute
- ShellExecuteEx
- WinExec
- system
- _wsystem
- _*exec*
- _*spawn*
Vulnerability and risk
If a process-creation system call is not given the full path of the .exe executable, the system has to search for the file, which creates an opportunity for attack. A search path vulnerability can allow local users to gain privileges using a malicious .exe file.
Mitigation and prevention
To prevent exposure, use fork (not vfork), execve, and pipes to control process execution completely.
Code examples
Vulnerable code example
    #include <unistd.h>
    void foo() {
        execlp("li", "li", "-al", (char *)NULL);  /* "li" is looked up in PATH */
    }
Klocwork flags the use of function execlp in line 3. execlp searches the directories listed in PATH for the program name, so this system call provides possible exposure to local privilege escalation through a malicious .exe file.
Fixed code example
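    #include <unistd.h>
    void foo() {
        char *const argv[] = { "li", "-al", NULL };
        char *const envp[] = { NULL };  /* empty environment for the child */
        /* execve takes a path, an argv array and an environment array.
           "/full/path/to/li" is a placeholder for the real location of li. */
        execve("/full/path/to/li", argv, envp);
    }
In the fixed code, function execlp has been replaced by execve, which uses the path of the executable exactly as given and does not search PATH. This controls process execution, eliminating the possibility of privilege escalation.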


