CWE-427 Detalhe

CWE-427

Uncontrolled Search Path Element
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Informações Gerais

Modos de Introdução

Implementation

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Sistemas Operacionais

Class: Not OS-Specific (Undetermined)

Tecnologias

Class: Not Technology-Specific (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
Confidentiality
Integrity
Availability		Execute Unauthorized Code or Commands

Exemplos Observados

Referências Descrição

CVE-2023-25815

chain: a change in an underlying package causes the gettext function to use implicit initialization with a hard-coded path (CWE-1419) under the user-writable C:\ drive, introducing an untrusted search path element (CWE-427) that enables spoofing of messages.

CVE-2022-4826

Go-based git extension on Windows can search for and execute a malicious "..exe" in a repository because Go searches the current working directory if git.exe is not found in the PATH

CVE-2020-26284

A Static Site Generator built in Go, when running on Windows, searches the current working directory for a command, possibly allowing code execution using a malicious .exe or .bat file with the name being searched

CVE-2022-24765

Windows-based fork of git creates a ".git" folder in the C: drive, allowing local attackers to create a .git folder with a malicious config file

CVE-2019-1552

SSL package searches under "C:/usr/local" for configuration files and other critical data, but C:/usr/local might be world-writable.

CVE-2010-3402

"DLL hijacking" issue in document editor.

CVE-2010-3397

"DLL hijacking" issue in encryption software.

CVE-2010-3138

"DLL hijacking" issue in library used by multiple media players.

CVE-2010-3152

"DLL hijacking" issue in illustration program.

CVE-2010-3147

"DLL hijacking" issue in address book.

CVE-2010-3135

"DLL hijacking" issue in network monitoring software.

CVE-2010-3131

"DLL hijacking" issue in web browser.

CVE-2010-1795

"DLL hijacking" issue in music player/organizer.

CVE-2002-1576

Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.

CVE-1999-1461

Product trusts the PATH environmental variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicous version of that program.

CVE-1999-1318

Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.

CVE-2003-0579

Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.

CVE-2000-0854

When a document is opened, the directory of that document is first used to locate DLLs , which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.

CVE-2001-0943

Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.

CVE-2001-0942

Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.

CVE-2001-0507

Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.

CVE-2002-2017

Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.

CVE-1999-0690

Product includes the current directory in root's PATH variable.

CVE-2001-0912

Error during packaging causes product to include a hard-coded, non-standard directory in search path.

CVE-2001-0289

Product searches current working directory for configuration file.

CVE-2005-1705

Product searches current working directory for configuration file.

CVE-2005-1307

Product executable other program from current working directory.

CVE-2002-2040

Untrusted path.

CVE-2005-2072

Modification of trusted environment variable leads to untrusted path vulnerability.

CVE-2005-1632

Product searches /tmp for modules before other paths.

Mitigações Potenciais

Phases : Architecture and Design // Implementation
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Phases : Implementation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Phases : Implementation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Phases : Implementation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Phases : Implementation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.

Métodos de Detecção

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is often confused with another closely-related entry about search paths.
Comentário : CWE-426 and CWE-427 are often misused because they both mention search paths, although CWE-426 is focused on attacker control of the search path itself, while CWE-427 applies when the attacker cannot modify the search path but can write to one of the locations specified in the search path. Also, this entry is classified in a part of CWE's hierarchy that does not have sufficiently low-level coverage, which might reflect a lack of classification-oriented weakness research in the software security community. Conduct careful root cause analysis to determine the original mistake that led to this weakness. If closer analysis reveals that this weakness is appropriate, then this might be the best available CWE to use for mapping. If no other option is available, then it is acceptable to map to this CWE.

Padrões de Ataque Relacionados

CAPEC-ID Nome do Padrão de Ataque
CAPEC-38 Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
CAPEC-471 Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.

Notas

Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).
This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.

Referências

REF-409

Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
Georgi Guninski.
https://seclists.org/bugtraq/2000/Sep/331

REF-410

ACROS Security: Remote Binary Planting in Apple iTunes for Windows (ASPR #2010-08-18-1)
Mitja Kolsek.
https://lists.openwall.net/bugtraq/2010/08/18/4

REF-411

Automatic Detection of Vulnerable Dynamic Component Loadings
Taeho Kwon, Zhendong Su.
https://dl.acm.org/doi/10.1145/1831708.1831722

REF-412

Dynamic-Link Library Search Order
https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN

REF-413

Dynamic-Link Library Security
https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security

REF-414

An update on the DLL-preloading remote attack vector
https://msrc.microsoft.com/blog/2010/08/an-update-on-the-dll-preloading-remote-attack-vector/

REF-415

Insecure Library Loading Could Allow Remote Code Execution
https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637#insecure-library-loading-could-allow-remote-code-execution

REF-416

Application DLL Load Hijacking
HD Moore.
https://www.rapid7.com/blog/?p=5325

REF-417

DLL Hijacking: Facts and Fiction
Oliver Lavery.
https://threatpost.com/dll-hijacking-facts-and-fiction-082610/74384/

REF-1168

Microsoft warns enterprises of new 'dependency confusion' attack technique
Catalin Cimpanu.
https://www.zdnet.com/article/microsoft-warns-enterprises-of-new-dependency-confusion-attack-technique/

REF-1169

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Alex Birsan.
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

REF-1170

3 Ways to Mitigate Risk When Using Private Package Feeds
Microsoft.
https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf

REF-1325

exec package - os/exec - Go Packages
https://pkg.go.dev/os/exec

REF-1326

Git LFS Changelog
Brian M. Carlson.
https://github.com/git-lfs/git-lfs/commit/032dca8ee69c193208cd050024c27e82e11aef81

Submissão

Nome Organização Data Data de lançamento Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificações

Nome Organização Data Comentário
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-07-27 +00:00 updated Description, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
CWE Content Team MITRE 2010-09-27 +00:00 updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, References, Relationship_Notes, Relationships
CWE Content Team MITRE 2011-03-29 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2014-02-18 +00:00 updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms, Description, Maintenance_Notes, References, Theoretical_Notes
CWE Content Team MITRE 2022-04-28 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Observed_Examples, References
CWE Content Team MITRE 2023-04-27 +00:00 updated Demonstrative_Examples, Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples
CWE Content Team MITRE 2025-04-03 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Affected_Resources, Functional_Areas, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.