Description
What version of Go are you using (go version)?
all Go versions affected
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
Windows
What did you do?
Copied c:\windows\system32\notepad.com into the current directory of a PoC
app as 'calc.exe' and executed the following Go program:

```go
// PoC: "calc" is resolved through exec.LookPath, which on Windows searches the current directory first
cmd := exec.Command("calc")
cmd.Run()
```
What did you expect to see?
Calc executed from the trusted path: c:\windows\system32\calc.exe
as c:\windows\system32 is present in PATH.
What did you see instead?
Notepad (saved as calc.exe in the current directory) executed instead of the genuine
calculator from the trusted path c:\windows\system32.
This can allow attackers to plant malicious trojan horse software if a Go application is executed
in a directory that attackers can write to.
Example exploits that take advantage of this issue to achieve arbitrary code execution in git-lfs, git and GitHub CLI (gh)
on Windows can be found on the websites:
Proposed solution
If the LookPath function cannot be changed for compatibility reasons, as discussed earlier in the relevant thread (#38736 (comment)),
a LookPathStrict function should be added which does not search the current directory.
This will allow developers to easily and securely find a trusted path without reinventing the wheel.
Developers will then be able to modify the path with:

```go
// LookPathStrict is the proposed function: it resolves "calc" using only the PATH directories, never the current directory
cmd.Path = LookPathStrict("calc")
```

before the exec.Command call.
--
Dawid Golunski
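As an added example (not code from this issue, nor from the Go project's os/exec), the lookup rule the report asks for, written in Go: lookPathStrict searches only absolute PATH entries and never the current directory, while lookPathLegacy reproduces the current-directory-first order the report describes, so the two can be compared on the same layout. The names lookPathStrict, lookPathLegacy, candidateExts and findExecutable are assumptions for illustration; the PATHEXT handling is a simplified model of the Windows rule and ignores os/exec's quoting of PATH entries.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no eligible PATH directory holds the executable.
var ErrNotFound = errors.New("executable not found in PATH")

// candidateExts returns the filename suffixes to try. pathext mirrors the
// Windows PATHEXT variable (";"-separated, e.g. ".COM;.EXE;.BAT"). An empty
// pathext (the non-Windows case) means the bare name is tried as-is, and a
// name that already carries one of the listed extensions is also tried as-is.
// This is a simplified model of the Windows rule, assumed for illustration.
func candidateExts(file, pathext string) []string {
	if pathext == "" {
		return []string{""}
	}
	var exts []string
	for _, e := range strings.Split(strings.ToLower(pathext), ";") {
		if e == "" {
			continue
		}
		if !strings.HasPrefix(e, ".") {
			e = "." + e
		}
		if strings.HasSuffix(strings.ToLower(file), e) {
			return []string{""}
		}
		exts = append(exts, e)
	}
	return exts
}

// findExecutable reports whether path names a regular (non-directory) file.
// Execute bits are deliberately not checked so the logic behaves the same on
// Windows and Unix.
func findExecutable(path string) bool {
	info, err := os.Stat(path)
	return err == nil && !info.IsDir()
}

// lookPathLegacy reproduces the order the issue describes: the current
// directory is consulted before the PATH entries, so a planted calc.exe next
// to the application wins over c:\windows\system32\calc.exe.
func lookPathLegacy(file, pathEnv, pathext string) (string, error) {
	exts := candidateExts(file, pathext)
	dirs := append([]string{"."}, filepath.SplitList(pathEnv)...)
	for _, dir := range dirs {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory
		}
		for _, ext := range exts {
			if p := filepath.Join(dir, file+ext); findExecutable(p) {
				return p, nil
			}
		}
	}
	return "", ErrNotFound
}

// lookPathStrict never consults the current directory: empty and relative
// PATH entries are skipped because their meaning depends on the working
// directory, which may be attacker-writable. Names containing a separator
// are rejected so that "./calc" cannot sneak a relative lookup back in.
func lookPathStrict(file, pathEnv, pathext string) (string, error) {
	if strings.ContainsAny(file, `/\`) {
		return "", fmt.Errorf("%q: explicit paths are not resolved via PATH", file)
	}
	exts := candidateExts(file, pathext)
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || !filepath.IsAbs(dir) {
			continue
		}
		for _, ext := range exts {
			if p := filepath.Join(dir, file+ext); findExecutable(p) {
				return p, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	// Resolve a program from the real environment; the result is always an
	// absolute path under a PATH directory, or ErrNotFound.
	p, err := lookPathStrict("go", os.Getenv("PATH"), os.Getenv("PATHEXT"))
	fmt.Println(p, err)
}
```

The strict variant returns only absolute paths, so the caller can pass the result straight to exec.Command (which does not re-run LookPath when given a path containing a separator) and the working directory never influences which binary runs.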