Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: os/exec: add LookPathAbs that refuses to return relative paths #42420

Closed
dawidgolunski opened this issue Nov 6, 2020 · 4 comments
Closed

Comments

@dawidgolunski
Copy link

What version of Go are you using (go version)?

all Go versions affected

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

Windows

What did you do?

Copied c:\windows\system32\notepad.com into the current directory of a PoC
app as 'calc.exe' and executed the following Go program:

cmd := exec.Command("calc")
cmd.Run()

What did you expect to see?

Calc executed from the trusted path: c:\windows\system32\calc.exe
as c:\windows\system32 is present in PATH.

What did you see instead?

Notepad (saved as calc.exe in the current directory) executed instead of the genuine
calculator from the trusted path c:\windows\system32.

This can allow attackers to plant malicious trojan horse software if go application is executed
in a directory where attackers can write to.

Example exploits that takes advantage of this issue to achieve arbitrary code execution in git-lfs, git and GitHub CLI (gh)
on Windows can be found on the websites:

Proposed solution

If the LookPath function cannot be changed for compatibility reasons as discussed earlier in the relevant thread (#38736 (comment))
LookPathStrict function should be added which does not search the current directory.

This will allow developers to easily and securely find a trusted path without reinventing the wheel.
Developers will then be able to modify the path with:

cmd.path = LookPathStrict("calc")

before the exec.Command call.

--
Dawid Golunski

@ianlancetaylor ianlancetaylor changed the title LookPath / exec - Insecure path (Proposal) proposa: os/exec: add LookPathStrict that does not look in current directory Nov 6, 2020
@ianlancetaylor ianlancetaylor changed the title proposa: os/exec: add LookPathStrict that does not look in current directory proposal: os/exec: add LookPathStrict that does not look in current directory Nov 6, 2020
@gopherbot gopherbot added this to the Proposal milestone Nov 6, 2020
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals (old) Nov 7, 2020
@rsc rsc changed the title proposal: os/exec: add LookPathStrict that does not look in current directory proposal: os/exec: add LookPathAbs that refuses to return relative paths Dec 2, 2020
@rsc
Copy link
Contributor

rsc commented Dec 2, 2020

Instead of defining what Strict means and introducing something that is only different from LookPath on Windows, I suggest we add LookPathAbs, which is like LookPath but refuses to use any entries in $PATH that are relative paths. That is, it only uses the absolute paths. And of course on Windows where "." is implicitly in $PATH, it doesn't use that either.

In essence, LookPathAbs says look in the path to find an absolute answer.

@rsc
Copy link
Contributor

rsc commented Dec 2, 2020

We now have three active proposals related to dot in path lookup:

Please try to keep comments on these limited to the specific issue they track. Thanks.

@rsc
Copy link
Contributor

rsc commented Jan 20, 2021

Retracting in favor of #43724.

@rsc rsc closed this as completed Jan 20, 2021
@rsc rsc moved this from Active to Declined in Proposals (old) Jan 20, 2021
@rsc
Copy link
Contributor

rsc commented Jan 20, 2021

No change in consensus, so declined.
— rsc for the proposal review group

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
No open projects
Development

No branches or pull requests

3 participants