CodeQL documentation

NULL application name with an unquoted path in call to CreateProcess

ID: cpp/unsafe-create-process-call
Kind: problem
Security severity: 7.8
Severity: error
Precision: medium
Tags:
  - security
  - external/cwe/cwe-428
Query suites:
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls


This query finds calls to a function of the CreateProcess* family in which lpApplicationName is NULL and the executable path passed in lpCommandLine is unquoted and contains spaces. Such a call introduces a security vulnerability (CWE-428, unquoted search path): Windows cannot tell where the executable name ends, so it probes a series of shorter candidate paths before reaching the intended one, and an attacker who can plant a file at one of those candidates gets their code executed instead.

Recommendation

Do not use NULL for the lpApplicationName argument to the CreateProcess* function.

If you do pass NULL for lpApplicationName, put quotation marks around the executable path in lpCommandLine.

Example

In the following example, CreateProcessW is called with a NULL value for lpApplicationName, and the part of lpCommandLine that represents the application path is not quoted and contains spaces.

If an attacker can write to the file system at the right location, they can elevate privileges by creating a file such as C:\Program.exe, which will be executed instead of the intended application.

```cpp
STARTUPINFOW si;
PROCESS_INFORMATION pi;

// ...

CreateProcessW(                              // BUG
    NULL,                                    // lpApplicationName
    (LPWSTR)L"C:\\Program Files\\MyApp",     // lpCommandLine
    NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

// ...
```

To fix this issue, specify a valid string for lpApplicationName, or quote the path in lpCommandLine. Note that CreateProcessW may modify the contents of lpCommandLine, so in production code the command line should live in a writable buffer rather than a string literal cast to LPWSTR; the cast is kept below only to stay close to the original snippet. For example:

```cpp
    (LPWSTR)L"\"C:\\Program Files\\MyApp\"",  // lpCommandLine
```
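The following is an added example, not code from the CodeQL page or from the CodeQL project. It models the probing order the loader follows for an unquoted command line (as documented for CreateProcess: the text up to each space is tried in turn, with ".exe" appended when that fragment has no extension), so you can see exactly which paths an attacker could plant a file at for the example above, and it implements the quoting fix from the Recommendation. The function names, the constructed sample paths and the Windows-only launch_without_search wrapper are the example's own assumptions. The model is intentionally simplified: it treats every space as a split point and does not model the working-directory or PATH search that applies to relative names.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 8
#define MAX_PATH_LEN   260

/* Model of how the loader resolves an unquoted lpCommandLine when
 * lpApplicationName is NULL: it tries the text up to each space in turn,
 * appending ".exe" when that fragment has no extension, and runs the first
 * file that exists.  Every entry before the last is a hijack point.
 * Returns the number of candidates written to out[]. */
static int unquoted_candidates(const char *cmdline,
                               char out[][MAX_PATH_LEN], int max)
{
    size_t len = strlen(cmdline);
    int n = 0;
    for (size_t i = 0; i <= len && n < max; i++) {
        if (i != len && cmdline[i] != ' ')
            continue;
        if (i + 5 > MAX_PATH_LEN)            /* fragment + ".exe" + NUL must fit */
            break;
        char frag[MAX_PATH_LEN];
        memcpy(frag, cmdline, i);
        frag[i] = '\0';
        const char *base = strrchr(frag, '\\');
        base = base ? base + 1 : frag;
        if (strchr(base, '.') == NULL)       /* no extension on the file part */
            strcat(frag, ".exe");
        snprintf(out[n++], MAX_PATH_LEN, "%s", frag);
    }
    return n;
}

/* Convenience accessor: the idx-th candidate, or NULL if there is none.
 * Uses a static buffer, so it is not thread-safe; fine for a demo. */
static const char *candidate_at(const char *cmdline, int idx)
{
    static char buf[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = unquoted_candidates(cmdline, buf, MAX_CANDIDATES);
    return (idx >= 0 && idx < n) ? buf[idx] : NULL;
}

/* The condition the query looks for: a command line that is not already
 * quoted and whose executable path contains a space. */
static int needs_quoting(const char *cmdline)
{
    return cmdline[0] != '"' && strchr(cmdline, ' ') != NULL;
}

/* The recommended fix: wrap the executable path in double quotes.  Refuses
 * paths that already contain a quote instead of emitting an ambiguous line.
 * Returns 0 on success, -1 on refusal or if the buffer is too small. */
static int quote_exe_path(const char *path, char *out, size_t outsz)
{
    if (strchr(path, '"') != NULL || strlen(path) + 3 > outsz)
        return -1;
    snprintf(out, outsz, "\"%s\"", path);
    return 0;
}

static const char *quoted(const char *path)
{
    static char buf[MAX_PATH_LEN + 3];
    return quote_exe_path(path, buf, sizeof buf) == 0 ? buf : NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Hardened launch (hypothetical helper): the executable goes in
 * lpApplicationName, so no search happens at all, and the quoted copy goes in
 * a writable buffer because CreateProcessW may modify lpCommandLine. */
static BOOL launch_without_search(const wchar_t *exe)
{
    wchar_t cmd[MAX_PATH + 3];
    if (wcschr(exe, L'"') != NULL)
        return FALSE;
    swprintf(cmd, sizeof cmd / sizeof cmd[0], L"\"%ls\"", exe);
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    BOOL ok = CreateProcessW(exe, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    return ok;
}
#endif

int main(void)
{
    /* Constructed inputs: the page's path and a deeper one. */
    const char *lines[] = { "C:\\Program Files\\MyApp",
                            "C:\\Program Files\\Sub Dir\\My App.exe" };
    for (size_t k = 0; k < 2; k++) {
        char c[MAX_CANDIDATES][MAX_PATH_LEN];
        int n = unquoted_candidates(lines[k], c, MAX_CANDIDATES);
        printf("%s -> needs quoting: %d, first hijack point: %s\n",
               lines[k], needs_quoting(lines[k]), candidate_at(lines[k], 0));
        for (int i = 0; i < n; i++)
            printf("  probe %d: %s%s\n", i, c[i], i < n - 1 ? "  <- hijackable" : "");
        printf("  fixed lpCommandLine: %s\n", quoted(lines[k]));
    }
    return 0;
}
```

Run on the page's path, the model lists C:\Program.exe before C:\Program Files\MyApp.exe, which is exactly the file the Example section warns an attacker would plant; the quoted form removes the ambiguity, and the Windows wrapper goes one step further by filling lpApplicationName so the loader never searches.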
