Merge pull request #319 from raulgarciamsft/users/raulga/c6277

C++ : NULL application name with an unquoted path in call to CreateProcess

Author: geoffw0

cpp/config/suites/security/cwe-428

@@ -0,0 +1,3 @@
+# CWE-428: Unquoted Search Path or Element
++ semmlecode-cpp-queries/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql: /CWE/CWE-428
+    @name NULL application name with an unquoted path in call to CreateProcess (CWE-428)

cpp/config/suites/security/default

@@ -19,6 +19,7 @@
 @import "cwe-327"
 @import "cwe-367"
 @import "cwe-416"
+@import "cwe-428"
 @import "cwe-457"
 @import "cwe-468"
 @import "cwe-676"

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp

@@ -0,0 +1,11 @@
+STARTUPINFOW si;
+PROCESS_INFORMATION pi;
+
+// ... 
+
+CreateProcessW(                           // BUG
+    NULL,                                 // lpApplicationName
+    (LPWSTR)L"C:\\Program Files\\MyApp",  // lpCommandLine
+    NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
+
+// ...

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>This query indicates that there is a call to a function of the <code>CreateProcess*</code> family of functions, which introduces a security vulnerability.</p>
+</overview>
+
+<recommendation>
+<p>Do not use <code>NULL</code> for the <code>lpApplicationName</code> argument to the <code>CreateProcess*</code> function.</p>
+<p>If you pass <code>NULL</code> for <code>lpApplicationName</code>, use quotation marks around the executable path in <code>lpCommandLine</code>.</p>
+</recommendation>
+
+<example>
+<p>In the following example, <code>CreateProcessW</code> is called with a <code>NULL</code> value for <code>lpApplicationName</code>, 
+and the value for <code>lpCommandLine</code> that represent the application path is not quoted and has spaces in it.</p>
+<p>If an attacker has access to the file system, they can elevate privileges by creating a file such as <code>C:\Program.exe</code> that will be executed instead of the intended application.</p>
+<sample src="UnsafeCreateProcessCall.cpp" />
+
+<p>To fix this issue, specify a valid string for <code>lpApplicationName</code>, or quote the path for <code>lpCommandLine</code>. For example:</p>
+<p><code>(LPWSTR)L"\"C:\\Program Files\\MyApp\"",  // lpCommandLine</code></p>
+</example>
+
+<references>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessa">CreateProcessA function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessw">CreateProcessW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessasusera">CreateProcessAsUserA function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw">CreateProcessAsUserW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithlogonw">CreateProcessWithLogonW function (Microsoft documentation).</a>
+  </li>
+  <li>
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithtokenw">CreateProcessWithTokenW function (Microsoft documentation).</a>
+  </li>
+</references>
+
+</qhelp>

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql

@@ -0,0 +1,130 @@
+/**
+ * @name NULL application name with an unquoted path in call to CreateProcess
+ * @description Calling a function of the CreateProcess* family of functions, where the path contains spaces, introduces a security vulnerability.
+ * @id cpp/unsafe-create-process-call
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @msrc.severity important
+ * @tags security
+ *       external/cwe/cwe-428
+ *       external/microsoft/C6277
+ */
+ 
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.DataFlow2
+
+predicate isCreateProcessFunction(FunctionCall call, int applicationNameIndex, int commandLineIndex) {
+  ( 
+    call.getTarget().hasGlobalName("CreateProcessA") 
+    and applicationNameIndex = 0 
+    and commandLineIndex = 1
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessW") 
+    and applicationNameIndex = 0
+    and commandLineIndex = 1
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessWithTokenW") 
+    and applicationNameIndex = 2
+    and commandLineIndex = 3
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessWithLogonW") 
+    and applicationNameIndex = 4
+    and commandLineIndex = 5
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessAsUserA") 
+    and applicationNameIndex = 1
+    and commandLineIndex = 2
+  ) or ( 
+    call.getTarget().hasGlobalName("CreateProcessAsUserW") 
+    and applicationNameIndex = 1
+    and commandLineIndex = 2
+  ) 
+}
+/**
+ * A function call to CreateProcess (either wide-char or single byte string versions)
+ */
+class CreateProcessFunctionCall extends FunctionCall {
+  CreateProcessFunctionCall() {
+    isCreateProcessFunction( this, _, _)
+  }
+  
+  int getApplicationNameArgumentId() {
+    isCreateProcessFunction( this, result, _)
+  }
+  
+  int getCommandLineArgumentId() {
+    isCreateProcessFunction( this, _, result)
+  }
+}
+ 
+/**
+ * Dataflow that detects a call to CreateProcess with a NULL value for lpApplicationName argument
+ */
+class NullAppNameCreateProcessFunctionConfiguration extends DataFlow::Configuration {
+  NullAppNameCreateProcessFunctionConfiguration() {
+    this = "NullAppNameCreateProcessFunctionConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    nullValue(source.asExpr()) 
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists( 
+      CreateProcessFunctionCall call, Expr val |
+      val = sink.asExpr() |
+      val = call.getArgument(call.getApplicationNameArgumentId()) 
+    )
+  }
+}
+
+/**
+ * Dataflow that detects a call to CreateProcess with an unquoted commandLine argument
+ */
+class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Configuration {
+  QuotedCommandInCreateProcessFunctionConfiguration() {
+    this = "QuotedCommandInCreateProcessFunctionConfiguration"
+  }
+
+  override predicate isSource(DataFlow2::Node source) {
+    exists( string s |
+      s = source.asExpr().getValue().toString()
+      and
+      not isQuotedOrNoSpaceApplicationNameOnCmd(s) 
+    ) 
+  }
+ 
+  override predicate isSink(DataFlow2::Node sink) {
+    exists( 
+      CreateProcessFunctionCall call, Expr val |
+      val = sink.asExpr() |
+      val = call.getArgument(call.getCommandLineArgumentId()) 
+    )
+  }
+}
+
+bindingset[s]
+predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s){
+    s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
+    or
+    s.regexpMatch("[^\\s]+") // There are no spaces in the string
+}
+
+from CreateProcessFunctionCall call, string msg1, string msg2
+where
+  exists( Expr source, Expr appName,
+    NullAppNameCreateProcessFunctionConfiguration nullAppConfig |
+    appName = call.getArgument(call.getApplicationNameArgumentId())
+    and nullAppConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(appName))
+    and msg1 = call.toString() + " with lpApplicationName == NULL (" + appName + ")"
+  )
+  and
+  exists( Expr source, Expr cmd,
+    QuotedCommandInCreateProcessFunctionConfiguration quotedConfig |
+    cmd = call.getArgument(call.getCommandLineArgumentId())
+    and quotedConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(cmd))
+    and msg2 = " and with an unquoted lpCommandLine (" + cmd + ") introduces a security vulnerability if the path contains spaces."
+  )
+select call, msg1 + " " + msg2