Loading libraries without specifying an absolute path can cause the program to load malicious libraries supplied by an attacker.
Process control vulnerabilities take two forms:
- An attacker can change the name of the library that the program loads: the attacker explicitly controls what the name of the library is.
- An attacker can change the environment in which the library is loaded: the attacker implicitly controls what the library name means.
In this case we are primarily concerned with the second scenario, the possibility that an attacker may be able to control the environment in such a way that the program loads a malicious version of the named library.
1. An attacker provides a malicious library to an application.
2. The application loads the malicious library because it fails to specify an absolute path or verify the file being loaded.
3. By executing code from the library, the application gives the attacker a privilege or capability that the attacker would not otherwise have.
Example: The following code uses System.loadLibrary()
to load code from a native library named library.dll
, which is normally found in a standard system directory.
...
System.loadLibrary("library.dll");
...
System.loadLibrary()
accepts a library name, not a path, for the library to be loaded. From the Java 1.4.2 API documentation this function behaves as follows [1]:library.dll
higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's library.dll
will now be run with elevated privileges, possibly giving the attacker complete control of the system. [1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3570 CAT I
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 114
[6] Java 1.4.2 API Documentation Sun Microsystems
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[10] Standards Mapping - FIPS200 - (FISMA) SI