CodeQL documentation

NULL application name with an unquoted path in call to CreateProcess

ID: cpp/unsafe-create-process-call
Kind: problem
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-428
   - external/microsoft/C6277
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls


This query flags a call to a function in the CreateProcess* family in which lpApplicationName is NULL while lpCommandLine holds an unquoted executable path. Such a call introduces a security vulnerability.

Recommendation

Do not use NULL for the lpApplicationName argument to the CreateProcess* function.

If you pass NULL for lpApplicationName, use quotation marks around the executable path in lpCommandLine.

Example

In the following example, CreateProcessW is called with a NULL value for lpApplicationName, and the value for lpCommandLine that represents the application path is not quoted and contains spaces.

If an attacker has access to the file system, they can elevate privileges by creating a file such as C:\Program.exe that will be executed instead of the intended application.

STARTUPINFOW si;          // startup information for the new process
PROCESS_INFORMATION pi;   // receives the new process and thread handles

// ...

CreateProcessW(                           // BUG
    NULL,                                 // lpApplicationName
    (LPWSTR)L"C:\\Program Files\\MyApp",  // lpCommandLine: unquoted path with a space
    NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

// ...

To fix this issue, specify a valid string for lpApplicationName, or quote the path in lpCommandLine. For example:

(LPWSTR)L"\"C:\\Program Files\\MyApp\"", // lpCommandLine
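To make the ambiguity concrete, here is an added example in portable C (it is not part of the CodeQL query help or the CodeQL repository): unquoted_candidates lists the module paths the loader may try for an unquoted lpCommandLine, in the order given in Microsoft's CreateProcess documentation, and build_quoted_cmdline produces the quoted form recommended above. Both function names, and the simplified rule that ".exe" is appended to any prefix whose last component has no extension, are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_CAND 16
#define CAND_LEN 260   /* MAX_PATH on Windows */

/* True when the last path component of s[0..len) has no '.' extension. */
static bool lacks_extension(const char *s, size_t len) {
    for (size_t i = len; i > 0; i--) {
        if (s[i - 1] == '.') return false;
        if (s[i - 1] == '\\' || s[i - 1] == '/') break;
    }
    return true;
}

/* Module paths the loader may try when lpApplicationName is NULL and
 * lpCommandLine is unquoted: each space-delimited prefix in turn, with ".exe"
 * appended when it has no extension (simplified rule, assumed here). */
size_t unquoted_candidates(const char *cmd, char out[][CAND_LEN], size_t max_out) {
    size_t n = 0, len = strlen(cmd);
    if (len == 0 || cmd[0] == '"') return 0;      /* quoted: not ambiguous */
    for (size_t i = 1; i <= len && n < max_out; i++) {
        if (i < len && cmd[i] != ' ') continue;   /* cut only at spaces/end */
        if (i + 5 > CAND_LEN) break;              /* room for ".exe" + NUL */
        memcpy(out[n], cmd, i);
        out[n][i] = '\0';
        if (lacks_extension(cmd, i)) strcat(out[n], ".exe");
        n++;
    }
    return n;
}

/* The fix: wrap the program path in double quotes so the loader stops at
 * the closing quote instead of the first space. args may be NULL. Fails if
 * the path itself contains a quote or the output buffer is too small. */
bool build_quoted_cmdline(const char *path, const char *args, char *out, size_t outlen) {
    if (strchr(path, '"') != NULL) return false;
    const char *a = (args && *args) ? args : "";
    int w = snprintf(out, outlen, "\"%s\"%s%s", path, *a ? " " : "", a);
    return w > 0 && (size_t)w < outlen;
}

int main(void) {   /* stand-alone demo of both helpers */
    char cand[MAX_CAND][CAND_LEN], fixed[CAND_LEN];
    size_t n = unquoted_candidates("C:\\Program Files\\MyApp", cand, MAX_CAND);
    for (size_t i = 0; i < n; i++) printf("may run: %s\n", cand[i]);
    if (build_quoted_cmdline("C:\\Program Files\\MyApp", NULL, fixed, sizeof fixed))
        printf("safe lpCommandLine: %s\n", fixed);
    return 0;
}
```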