• CodeQL query help documentation »
• CodeQL query help for C and C++ »

NULL application name with an unquoted path in call to CreateProcess

ID: cpp/unsafe-create-process-call Kind: problem Security severity: 7.8 Severity: error Precision: medium Tags: - security - external/cwe/cwe-428 Query suites: - cpp-security-extended.qls - cpp-security-and-quality.qls 

Click to see the query in the CodeQL repository

This query indicates that there is a call to a function of the CreateProcess* family of functions, which introduces a security vulnerability.

Recommendation

Do not use NULL for the lpApplicationName argument to the CreateProcess* function.

If you pass NULL for lpApplicationName, use quotation marks around the executable path in lpCommandLine.

Example

In the following example, CreateProcessW is called with a NULL value for lpApplicationName, and the value for lpCommandLine that represent the application path is not quoted and has spaces in it.

If an attacker has access to the file system, they can elevate privileges by creating a file such as C:\Program.exe that will be executed instead of the intended application.

STARTUPINFOWsi;PROCESS_INFORMATIONpi;// ... CreateProcessW(// BUGNULL,// lpApplicationName(LPWSTR)L"C:\\Program Files\\MyApp",// lpCommandLineNULL,NULL,FALSE,0,NULL,NULL,&si,&pi);// ...

To fix this issue, specify a valid string for lpApplicationName, or quote the path for lpCommandLine. For example:

(LPWSTR)L"\"C:\\ProgramFiles\\MyApp\"",//lpCommandLine

References

• CreateProcessA function (Microsoft documentation).

• CreateProcessW function (Microsoft documentation).

• CreateProcessAsUserA function (Microsoft documentation).

• CreateProcessAsUserW function (Microsoft documentation).

• CreateProcessWithLogonW function (Microsoft documentation).

• CreateProcessWithTokenW function (Microsoft documentation).

• Common Weakness Enumeration: CWE-428.

• © GitHub, Inc.
• Terms
• Privacy