Possible executable path hijacking (CreateProcessAsUser/CreateProcessWithLogon)
Description
Due to how `CreateProcess` parses spaces, an attacker may be able to exploit this function by creating a binary with the same name that is loaded first, depending on the search path order. Ensure that quotation marks around the executable path are used.
Examples
Insecure Code
c
CreateProcessAsUser(hToken, NULL, "C:\Program Files\MyApp.exe",...)Secure Code
c
CreateProcessAsUser(hToken, NULL, "\"C:\\Program Files\\MyApp.exe\"",...)Remediation
Use quotation marks around the executable path, such as: `CreateProcessAsUser(hToken, NULL, ""C:\Program Files\MyApp.exe"",...)`
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0613 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | executable path hijacking, CreateProcessAsUser, CreateProcessWithLogon |
| OWASP | A1:2017-Injection, A03:2021-Injection |