CWE-427: Uncontrolled Search Path Element
Learn about CWE-427 (Uncontrolled Search Path Element), its security impact, exploitation methods, and prevention guidelines.
What is Uncontrolled Search Path Element?
• Overview: Uncontrolled Search Path Element (CWE-427) occurs when a software application uses a search path to locate resources where parts of the path can be altered or controlled by unauthorized users, potentially leading to malicious resource execution.
• Exploitation Methods:
- Attackers can plant malicious files in directories that are part of the search path, leading the application to execute these files instead of legitimate ones.
- Common attack patterns include exploiting weak permissions on directories like the Windows drive root or using network shares such as SMB or WebDAV to introduce malicious resources.
• Security Impact:
- Direct consequences include execution of malicious code, unauthorized access, or privilege escalation.
- Potential cascading effects could involve system compromise, data breach, or denial of service.
- Business impact may include loss of reputation, financial damage, and legal liabilities.
• Prevention Guidelines:
- Specific code-level fixes include using fully qualified paths for resources and validating the integrity and origin of resources before execution.
- Security best practices involve setting strict permissions on directories, avoiding use of insecure directories like "/tmp", and ensuring the current working directory is not part of the search path.
- Recommended tools and frameworks include static analysis tools to detect unsafe path usage and using package management tools with verified repositories to avoid dependency confusion.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
const express = require('express');
const app = express();
// Vulnerable: Adding a user-supplied path to the module search path
const userPath = process.env.USER_PATH; // USER_PATH is a user-controlled environment variable
require('module').globalPaths.push(userPath);
// Use a required module
const someModule = require('someModule');
Explanation:
- Vulnerability: The code adds a user-supplied path to the Node.js module search paths (globalPaths). This could allow an attacker to introduce malicious modules that could be loaded instead of legitimate ones. An attacker could set USER_PATH to a directory containing a malicious module named someModule, which would be loaded in place of the intended module.
How to fix Uncontrolled Search Path Element?
To address the vulnerability, consider the following best practices:
- Avoid Modifying Module Paths: Do not alter module search paths based on user input.
- Use Explicit Paths: Load modules from specific, trusted directories instead of relying on global paths.
- Package Validation: Ensure that only trusted, verified packages are installed and used.
Fixed Code Example
const express = require('express');
const app = express();
const path = require('path');
// Fixed: Use explicit paths for loading modules
const trustedModulePath = path.join(__dirname, 'trusted_modules', 'someModule.js'); // Define a trusted directory and module path
// Use a required module from a secure path
const someModule = require(trustedModulePath);
Explanation:
- Explicit Paths: Instead of modifying the global module paths, the code uses an explicit path to load the module from a trusted directory. This ensures that only the intended module is loaded, preventing any malicious code from being executed.
- Controlled Environment: By specifying exact locations for modules, you eliminate the risk of executing or loading unintended and potentially malicious code. This approach ensures that the environment is controlled and predictable.