proposal: os/exec: add LookPathAbs that refuses to return relative paths

[dawidgolunski]

What version of Go are you using (go version)?

all Go versions affected

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

Windows

What did you do?

Copied c:\windows\system32\notepad.com into the current directory of a PoC
app as 'calc.exe' and executed the following Go program:

cmd := exec.Command("calc")
cmd.Run()

What did you expect to see?

Calc executed from the trusted path: c:\windows\system32\calc.exe
as c:\windows\system32 is present in PATH.

What did you see instead?

Notepad (saved as calc.exe in the current directory) executed instead of the genuine
calculator from the trusted path c:\windows\system32.

This can allow attackers to plant malicious trojan horse software if go application is executed
in a directory where attackers can write to.

Example exploits that takes advantage of this issue to achieve arbitrary code execution in git-lfs, git and GitHub CLI (gh)
on Windows can be found on the websites:

• https://legalhackers.com
• https://exploitbox.io

Proposed solution

If the LookPath function cannot be changed for compatibility reasons as discussed earlier in the relevant thread (#38736 (comment))
LookPathStrict function should be added which does not search the current directory.

This will allow developers to easily and securely find a trusted path without reinventing the wheel.
Developers will then be able to modify the path with:

cmd.path = LookPathStrict("calc")

before the exec.Command call.

--
Dawid Golunski

• https://legalhackers.com
• https://exploitbox.io

[rsc]

Instead of defining what Strict means and introducing something that is only different from LookPath on Windows, I suggest we add LookPathAbs, which is like LookPath but refuses to use any entries in $PATH that are relative paths. That is, it only uses the absolute paths. And of course on Windows where "." is implicitly in $PATH, it doesn't use that either.

In essence, LookPathAbs says look in the path to find an absolute answer.

[rsc]

We now have three active proposals related to dot in path lookup:

• proposal: os/exec: make LookPath not look in dot implicitly on Windows #38736, which removes the implicit dot lookup from LookPath on Windows
• proposal: os/exec: add LookPathAbs that refuses to return relative paths #42420, to add LookPathAbs that doesn't return relative results.
• proposal: os/exec: use LookPathAbs by default  #42950, to make exec.Command use LookPathAbs by default (assuming it is added)

Please try to keep comments on these limited to the specific issue they track. Thanks.

[rsc]

Retracting in favor of #43724.

[rsc]

No change in consensus, so declined.
— rsc for the proposal review group