Merge pull request #319 from raulgarciamsft/users/raulga/c6277

C++ : NULL application name with an unquoted path in call to CreateProcess
2026-04-28 18:25:24 +02:00 · 2018-10-17 17:36:59 +01:00
parent 749206a9ce 7ab723ae79
commit 6e10f39612
8 changed files with 635 additions and 0 deletions
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp
@@ -0,0 +1,11 @@
+STARTUPINFOW si;
+PROCESS_INFORMATION pi;
+
+// ... 
+
+CreateProcessW(                           // BUG
+    NULL,                                 // lpApplicationName
+    (LPWSTR)L"C:\\Program Files\\MyApp",  // lpCommandLine
+    NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
+
+// ...
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.qhelp
@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>This query indicates that there is a call to a function of the <code>CreateProcess*</code> family of functions, which introduces a security vulnerability.</p>
+</overview>
+
+<recommendation>
+<p>Do not use <code>NULL</code> for the <code>lpApplicationName</code> argument to the <code>CreateProcess*</code> function.</p>
+<p>If you pass <code>NULL</code> for <code>lpApplicationName</code>, use quotation marks around the executable path in <code>lpCommandLine</code>.</p>
+</recommendation>
+
+<example>
+<p>In the following example, <code>CreateProcessW</code> is called with a <code>NULL</code> value for <code>lpApplicationName</code>, 
+and the value for <code>lpCommandLine</code> that represent the application path is not quoted and has spaces in it.</p>
+<p>If an attacker has access to the file system, they can elevate privileges by creating a file such as <code>C:\Program.exe</code> that will be executed instead of the intended application.</p>
+<sample src="UnsafeCreateProcessCall.cpp" />
+
+<p>To fix this issue, specify a valid string for <code>lpApplicationName</code>, or quote the path for <code>lpCommandLine</code>. For example:</p>
+<p><code>(LPWSTR)L"\"C:\\Program Files\\MyApp\"",  // lpCommandLine</code></p>
+</example>
+
+<references>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessa">CreateProcessA function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessw">CreateProcessW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessasusera">CreateProcessAsUserA function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw">CreateProcessAsUserW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithlogonw">CreateProcessWithLogonW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithtokenw">CreateProcessWithTokenW function (Microsoft documentation).</a>
+  </li>
+</references>
+
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -0,0 +1,130 @@
+/**
+ * @name NULL application name with an unquoted path in call to CreateProcess
+ * @description Calling a function of the CreateProcess* family of functions, where the path contains spaces, introduces a security vulnerability.
+ * @id cpp/unsafe-create-process-call
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @msrc.severity important
+ * @tags security
+ *       external/cwe/cwe-428
+ *       external/microsoft/C6277
+ */
+ 
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.DataFlow2
+
+predicate isCreateProcessFunction(FunctionCall call, int applicationNameIndex, int commandLineIndex) {
+  ( 
+    call.getTarget().hasGlobalName("CreateProcessA") 
+    and applicationNameIndex = 0 
+    and commandLineIndex = 1
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessW") 
+    and applicationNameIndex = 0
+    and commandLineIndex = 1
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessWithTokenW") 
+    and applicationNameIndex = 2
+    and commandLineIndex = 3
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessWithLogonW") 
+    and applicationNameIndex = 4
+    and commandLineIndex = 5
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessAsUserA") 
+    and applicationNameIndex = 1
+    and commandLineIndex = 2
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessAsUserW") 
+    and applicationNameIndex = 1
+    and commandLineIndex = 2
+  ) 
+}
+/**
+ * A function call to CreateProcess (either wide-char or single byte string versions)
+ */
+class CreateProcessFunctionCall extends FunctionCall {
+  CreateProcessFunctionCall() {
+    isCreateProcessFunction( this, _, _)
+  }
+  
+  int getApplicationNameArgumentId() {
+    isCreateProcessFunction( this, result, _)
+  }
+  
+  int getCommandLineArgumentId() {
+    isCreateProcessFunction( this, _, result)
+  }
+}
+ 
+/**
+ * Dataflow that detects a call to CreateProcess with a NULL value for lpApplicationName argument
+ */
+class NullAppNameCreateProcessFunctionConfiguration extends DataFlow::Configuration {
+  NullAppNameCreateProcessFunctionConfiguration() {
+    this = "NullAppNameCreateProcessFunctionConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    nullValue(source.asExpr()) 
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists( 
+      CreateProcessFunctionCall call, Expr val |
+      val = sink.asExpr() |
+      val = call.getArgument(call.getApplicationNameArgumentId()) 
+    )
+  }
+}
+
+/**
+ * Dataflow that detects a call to CreateProcess with an unquoted commandLine argument
+ */
+class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Configuration {
+  QuotedCommandInCreateProcessFunctionConfiguration() {
+    this = "QuotedCommandInCreateProcessFunctionConfiguration"
+  }
+
+  override predicate isSource(DataFlow2::Node source) {
+    exists( string s |
+      s = source.asExpr().getValue().toString()
+      and
+      not isQuotedOrNoSpaceApplicationNameOnCmd(s) 
+    ) 
+  }
+ 
+  override predicate isSink(DataFlow2::Node sink) {
+    exists( 
+      CreateProcessFunctionCall call, Expr val |
+      val = sink.asExpr() |
+      val = call.getArgument(call.getCommandLineArgumentId()) 
+    )
+  }
+}
+
+bindingset[s]
+predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s){
+    s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
+    or
+    s.regexpMatch("[^\\s]+") // There are no spaces in the string
+}
+
+from CreateProcessFunctionCall call, string msg1, string msg2
+where
+  exists( Expr source, Expr appName,
+    NullAppNameCreateProcessFunctionConfiguration nullAppConfig |
+    appName = call.getArgument(call.getApplicationNameArgumentId())
+    and nullAppConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(appName))
+    and msg1 = call.toString() + " with lpApplicationName == NULL (" + appName + ")"
+  )
+  and
+  exists( Expr source, Expr cmd,
+    QuotedCommandInCreateProcessFunctionConfiguration quotedConfig |
+    cmd = call.getArgument(call.getCommandLineArgumentId())
+    and quotedConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(cmd))
+    and msg2 = " and with an unquoted lpCommandLine (" + cmd + ") introduces a security vulnerability if the path contains spaces."
+  )
+select call, msg1 + " " + msg2