NULL application name with an unquoted path in call to CreateProcess
ID: cpp/unsafe-create-process-call
Kind: problem
Severity: error
Precision: medium
Tags:
- security
- external/cwe/cwe-428
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
This query flags calls to the CreateProcess* family of functions that pass NULL for lpApplicationName together with an unquoted path in lpCommandLine, which introduces a security vulnerability.
Do not use NULL for the lpApplicationName argument to the CreateProcess* functions.

If you pass NULL for lpApplicationName, use quotation marks around the executable path in lpCommandLine.
In the following example, CreateProcessW is called with a NULL value for lpApplicationName, and the value for lpCommandLine that represents the application path is not quoted and has spaces in it.

If an attacker has access to the file system, they can elevate privileges by creating a file such as C:\Program.exe that will be executed instead of the intended application.
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    // ...

    CreateProcessW( // BUG
        NULL, // lpApplicationName
        (LPWSTR)L"C:\\Program Files\\MyApp", // lpCommandLine
        NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

    // ...
To fix this issue, specify a valid string for lpApplicationName, or quote the path for lpCommandLine. For example:

    (LPWSTR)L"\"C:\\Program Files\\MyApp\"", // lpCommandLine
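The following is an added example, not code from the query help or the CodeQL project. It applies both fixes at once: the executable is passed explicitly as lpApplicationName and is also quoted in lpCommandLine. The names build_quoted_cmdline and spawn_quoted and the 1024-character buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: writes "\"<exe>\" <args>" into out. The result lives in
   a writable buffer because CreateProcessW may modify lpCommandLine in place.
   args is appended as given; the caller quotes individual arguments.
   Returns 0 on success, -1 if exe is empty, contains a quote character,
   or the result does not fit in out_len wide characters. */
int build_quoted_cmdline(const wchar_t *exe, const wchar_t *args,
                         wchar_t *out, size_t out_len)
{
    if (exe == NULL || out == NULL || exe[0] == L'\0' ||
        wcschr(exe, L'"') != NULL)
        return -1;
    size_t need = wcslen(exe) + 2;          /* path plus the two quotes */
    if (args != NULL && args[0] != L'\0')
        need += 1 + wcslen(args);           /* separating space plus arguments */
    if (need + 1 > out_len)                 /* plus the terminating null */
        return -1;
    wcscpy(out, L"\"");
    wcscat(out, exe);
    wcscat(out, L"\"");
    if (args != NULL && args[0] != L'\0') {
        wcscat(out, L" ");
        wcscat(out, args);
    }
    return 0;
}

#ifdef _WIN32
/* Hypothetical wrapper: lpApplicationName is never NULL and the path in
   lpCommandLine is always quoted, so spaces in the path cannot be read as
   argument separators. */
BOOL spawn_quoted(const wchar_t *exe, const wchar_t *args,
                  STARTUPINFOW *si, PROCESS_INFORMATION *pi)
{
    wchar_t cmd[1024]; /* assumed upper bound for this example */
    if (build_quoted_cmdline(exe, args, cmd, sizeof cmd / sizeof cmd[0]) != 0)
        return FALSE;
    return CreateProcessW(exe, cmd, NULL, NULL, FALSE, 0, NULL, NULL, si, pi);
}
#endif
```
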
Common Weakness Enumeration: CWE-428.