Calling CreateProcess Securely

This section describes how to avoid common mistakes when calling the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, ShellExecute, and WinExec functions, mistakes that could result in security vulnerabilities. For brevity, I'll use CreateProcess in an example to stand for all these functions.

Depending on the syntax of some parameters passed to these functions, those parameters could be parsed in unexpected ways, potentially leading to a different executable being run than the one the developer intended. The most dangerous scenario is a Trojan application being invoked, rather than the intended program.

CreateProcess creates a new process determined by two parameters, lpApplicationName and lpCommandLine. The first parameter, lpApplicationName, is the executable your application wants to run, and the second parameter is a pointer to a string that specifies the arguments to pass to the executable. The Platform SDK indicates that the lpApplicationName parameter can be NULL, in which case the executable name must be the first whitespace-delimited string in lpCommandLine. However, if the executable or pathname has a space in it, a malicious executable might be run if the spaces are not properly handled.

Consider the following example:

CreateProcess(NULL,  "C:\\Program Files\\MyDir\\MyApp.exe -p -a", ...);

Note the space between Program and Files. When you call this version of CreateProcess with NULL as the first argument, the function has to follow a series of steps to determine what you mean. If a file named C:\Program.exe exists, the function will call that and pass Files\MyDir\MyApp.exe -p -a as arguments.

The main vulnerability occurs in the case of a shared computer or Terminal Server if a user can create new files in the drive's root directory. In that instance, a malicious user can create a Trojan program called Program.exe and any program that incorrectly calls CreateProcess will now launch the Trojan program.

Another potential vulnerability exists. If the filename passed to CreateProcess does not contain the full directory path, the system could potentially run a different executable. For instance, consider two files named MyApp.exe on a server, with one file located in C:\Temp and the other in C:\winnt\system32. A developer writes some code intending to call MyApp.exe located in the system32 directory but passes only the program's filename to CreateProcess. If the application calling CreateProcess is launched from the C:\Temp directory, the wrong version of MyApp.exe is executed. Because the full path to the correct executable in system32 was not passed to CreateProcess, the system first checked the directory from which the code was loaded (C:\Temp), found a program matching the executable name, and ran that file. The Platform SDK outlines the search sequence used by CreateProcess when a directory path is not specified.

A few steps should be taken to ensure executable paths are parsed correctly when using CreateProcess, as discussed in the following sections.

Do Not Pass NULL for lpApplicationName

Passing NULL for lpApplicationName relies on the function parsing and determining the executable pathname separately from any additional command line parameters the executable should use. Instead, the actual full path and executable name should be passed in through lpApplicationName, and the additional run-time parameters should be passed in to lpCommandLine. The following example shows the preferred way of calling CreateProcess:

CreateProcess("C:\\Program Files\\MyDir\\MyApp.exe",  "MyApp.exe -p -a", ...);

Use Quotes Around the Path to Executable in lpCommandLine

If lpApplicationName is NULL and you're passing a filename that contains a space in its path, use quoted strings to indicate where the executable filename ends and the arguments begin, like so:

CreateProcess(NULL,  "\"C:\\Program Files\\MyDir\\MyApp.exe\" -p -a", ...);

Of course, if you know where the quotes go, you know the full path to the executable, so why not call CreateProcess correctly in the first place?
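As an added illustration (not code from the book), the following C models the prefix walk described above for a NULL lpApplicationName and builds the preferred quoted command line. The names resolve_unquoted, build_safe_cmdline and file_exists are hypothetical; the walk is a simplified model of the documented behaviour (each space-delimited prefix tried in turn, .exe appended when the prefix has no extension), not a reimplementation of the Windows loader, and the "present" list is a constructed stand-in for the file system.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the file-system probe: "present" lists the paths that exist. */
static bool file_exists(const char *path, const char *const *present, size_t n)
{
    for (size_t k = 0; k < n; k++)
        if (strcmp(path, present[k]) == 0)
            return true;
    return false;
}

/* Models the walk CreateProcess performs when lpApplicationName is NULL and
 * lpCommandLine is unquoted: each space-delimited prefix is tried in order,
 * ".exe" is appended when it has no extension, the first existing file wins
 * and the rest of the string becomes that file's arguments. */
static bool resolve_unquoted(const char *cmdline, const char *const *present,
                             size_t n, char *exe, size_t exe_sz, const char **args)
{
    size_t len = strlen(cmdline);
    for (size_t i = 1; i <= len; i++) {
        if (i < len && cmdline[i] != ' ')
            continue;                    /* cut only at a space or at the end */
        if (i + 5 > exe_sz)
            return false;                /* prefix + ".exe" + NUL must fit */
        memcpy(exe, cmdline, i);
        exe[i] = '\0';
        const char *base = strrchr(exe, '\\');
        if (!strchr(base ? base + 1 : exe, '.'))
            strcat(exe, ".exe");
        if (file_exists(exe, present, n)) {
            *args = i < len ? cmdline + i + 1 : cmdline + len;
            return true;
        }
    }
    return false;
}

/* Preferred form: full path in lpApplicationName, command line starting with
 * the quoted path (argv[0]); a path containing '"' cannot be quoted this way. */
static bool build_safe_cmdline(const char *exe_path, const char *args,
                               char *out, size_t out_sz)
{
    if (strchr(exe_path, '"'))
        return false;
    int n = snprintf(out, out_sz, "\"%s\" %s", exe_path, args);
    return n > 0 && (size_t)n < out_sz;
}
```

On Windows, exe_path then goes in lpApplicationName and the buffer from build_safe_cmdline in lpCommandLine; keep that buffer writable, since the Unicode CreateProcessW may modify it.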

Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
