go version)?
all Go versions affected
Does this issue reproduce with the latest release?yes
What operating system and processor architecture are you using (go env)?
Windows
What did you do?Copied c:\windows\system32\notepad.com into the current directory of a PoC
app as 'calc.exe' and executed the following Go program:
cmd := exec.Command("calc")
cmd.Run()
Calc executed from the trusted path: c:\windows\system32\calc.exe
as c:\windows\system32 is present in PATH.
Notepad (saved as calc.exe in the current directory) executed instead of the genuine
calculator from the trusted path c:\windows\system32.
This can allow attackers to plant malicious trojan horse software if go application is executed
in a directory where attackers can write to.
Example exploits that takes advantage of this issue to achieve arbitrary code execution in git-lfs, git and GitHub CLI (gh)
on Windows can be found on the websites:
If the LookPath function cannot be changed for compatibility reasons as discussed earlier in the relevant thread (#38736 (comment))
LookPathStrict function should be added which does not search the current directory.
This will allow developers to easily and securely find a trusted path without reinventing the wheel.
Developers will then be able to modify the path with:
cmd.path = LookPathStrict("calc")
before the exec.Command call.
--
Dawid Golunski
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4