Skip to content

CWE-427: Uncontrolled Search Path Element

Overview

Uncontrolled Search Path occurs when an application sets or modifies the search path (e.g., PATH environment variable) in an unsafe way, allowing attackers to influence which resources are loaded or executed.

OWASP Classification

A08:2025 - Software or Data Integrity Failures

Risk

High: Attackers can place malicious executables or libraries in directories that are searched first, leading to arbitrary code execution or privilege escalation.

Remediation Steps

Core principle: Control execution/library search paths; never let attackers influence PATH or loader search behavior.

Locate the uncontrolled search path element

  • Review the flaw details to identify where search path is modified unsafely
  • Check for PATH modifications: os.environ['PATH'] +=, setenv("PATH"), System.setProperty("java.library.path")
  • Identify source of path element: user input, configuration file, external data
  • Determine risk: can attacker inject malicious directory into search path

Set search paths explicitly (Primary Defense)

  • Use absolute paths for all critical resources: Don't depend on search path at all
  • Avoid modifying global search paths: Don't append to PATH, LD_LIBRARY_PATH, PYTHONPATH unless absolutely necessary
  • Set PATH to known-good value: os.environ['PATH'] = '/usr/local/bin:/usr/bin:/bin' (overwrite, don't append)
  • Minimize PATH modification scope: If must modify, do it locally in subprocess not globally
  • Use environment isolation: Create clean environment for subprocess instead of inheriting

Restrict writable directories in search path

  • Ensure only trusted users can write to PATH directories: Verify permissions are 755 or more restrictive
  • Remove untrusted directories: Remove ., ./, /tmp, user home directories from search path
  • Order matters: Place trusted directories first in PATH (system dirs before user dirs)
  • Avoid world-writable directories: Never include /tmp, /var/tmp in search path

Validate and sanitize path modifications

  • Carefully validate changes to PATH: If user input must influence PATH, use strict allowlist validation
  • Avoid including user-controlled input: Never directly append user input to PATH variable
  • Validate directory existence: Verify directory exists and has correct permissions before adding to path
  • Use path canonicalization: Resolve symlinks and relative paths before validation

Monitor and audit path usage

  • Log all changes to search paths (PATH, LD_LIBRARY_PATH, environment variable modifications)
  • Log resource loading to detect search path exploitation
  • Alert on unexpected or suspicious path modifications (addition of unusual directories)
  • Track which executables are run from which directories
  • Monitor for privilege escalation via path manipulation

Test the search path control fix thoroughly

  • Test with user input attempting to modify PATH
  • Test placing malicious executable in various directories
  • Verify application uses only trusted search path
  • Test path modification with symbolic links
  • Test on different operating systems (search path behavior varies)
  • Re-scan with security scanner to confirm the issue is resolved

Common Vulnerable Patterns

  • Appending untrusted directories to PATH
  • Using relative paths for critical resources

User-Controlled PATH Element (Python)

# Appends user input to PATH
import os
os.environ['PATH'] += os.pathsep + user_input

Why this is vulnerable: Appending user-controlled input to the PATH environment variable allows attackers to inject malicious directory paths that are searched before legitimate system directories, enabling them to place trojan executables or libraries that execute with application privileges, leading to arbitrary code execution and privilege escalation.

Secure Patterns

Fixed Trusted PATH (Python)

# Uses only trusted directories
import os
os.environ['PATH'] = '/usr/local/bin:/usr/bin:/bin'
# Use absolute paths for critical executables
import subprocess
subprocess.run(['/usr/bin/python3', 'script.py'])

Why this works:

  • Sets PATH to only known, trusted system directories, preventing DLL hijacking or binary substitution
  • Blocks attackers from injecting malicious executables ahead of legitimate ones in search order
  • Uses absolute paths for critical executables, eliminating PATH search entirely
  • Prevents attackers from placing trojan binaries in user-writable directories on the PATH
  • Protects against privilege escalation through executable path manipulation

Additional Resources