CVE-2014-2096 in Catfish

Summary

by MITRE

Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 allows local users to gain privileges via a Trojan horse bin/catfish.py under the current working directory.


Analysis

by VulDB Data Team • 04/12/2025

CVE-2014-2096 is a critical untrusted search path issue affecting versions 0.6.0 through 1.0.0 of the Catfish file search utility. The flaw resides in the application's handling of executable paths at runtime and gives local attackers a privilege escalation vector. It manifests when the application searches for executable files in the current working directory without validating the integrity of the search path. This behavior aligns with CWE-427, which describes uncontrolled search path dependencies where applications fail to properly validate the paths they use to locate executables. The flaw enables attackers to place malicious files in directories that are searched before system directories, effectively allowing them to execute arbitrary code with elevated privileges.

The technical implementation of this vulnerability stems from the application's failure to sanitize or validate the execution environment before launching subprocesses. When Catfish executes the catfish.py script, it does not properly resolve the absolute path of the executable, instead relying on the system's PATH environment variable or current working directory. This creates a race condition and path traversal opportunity where a malicious actor can place a crafted Trojan horse file named catfish.py in the current working directory. The application's code execution flow does not distinguish between legitimate system binaries and attacker-controlled files, leading to the execution of unauthorized code. This vulnerability is particularly dangerous because it operates at the privilege level of the running process, potentially allowing attackers to escalate from regular user privileges to root access depending on how Catfish is executed. The ATT&CK framework categorizes this as privilege escalation through malicious file replacement, specifically under technique T1059.001 for command and scripting interpreter.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise when the application runs with elevated privileges. Local users who can write to directories where Catfish executes can leverage this flaw to inject malicious code that persists across system sessions. The vulnerability affects not only the immediate execution environment but also the broader system security posture by potentially enabling lateral movement within compromised systems. Attackers can use this vulnerability to establish persistent backdoors, escalate privileges to administrative accounts, or exfiltrate sensitive data. The exploitation requires minimal privileges and can be automated, making it particularly dangerous in environments where users have the ability to execute applications or modify working directories. System administrators should note that this vulnerability affects the application's runtime behavior rather than its installation or configuration, meaning that patching requires updating the application itself rather than modifying system settings. The vulnerability demonstrates the critical importance of secure coding practices and proper path resolution techniques in preventing unauthorized code execution scenarios. Organizations should implement immediate mitigations including updating to patched versions of Catfish, restricting write permissions on directories where the application executes, and monitoring for unauthorized file modifications in system directories.
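The difference between a lookup that consults the current working directory and one anchored to the install location, as an added example (constructed for illustration; it is not Catfish's launcher code and not part of the VulDB entry). The function names, the temporary sandbox layout and the group/other-writable check are assumptions.

```shell
#!/bin/sh
# Added illustration; constructed, not Catfish's launcher code.

# Unsafe: a cwd-relative candidate is tried first, so the script that runs
# depends on the directory the user started the program from.
resolve_unsafe() {
    if [ -f "bin/catfish.py" ]; then
        printf '%s\n' "bin/catfish.py"
    else
        printf '%s\n' "$1/bin/catfish.py"
    fi
}

# Hardened: accept only an absolute install prefix, never consult the cwd,
# and refuse a script (or bin directory) that group/other can write to.
resolve_safe() {
    case $1 in
        /*) ;;
        *) echo "install prefix must be absolute: $1" >&2; return 1 ;;
    esac
    script="$1/bin/catfish.py"
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    loose=$(find "$1/bin" "$script" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ] || { echo "writable by group/other: $loose" >&2; return 1; }
    printf '%s\n' "$script"
}

# Build a throwaway layout: a stand-in install prefix and a working directory
# that already contains its own bin/catfish.py. Prints the sandbox path.
make_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir -p "$box/prefix/bin" "$box/work/bin"
    : > "$box/prefix/bin/catfish.py"
    : > "$box/work/bin/catfish.py"
    chmod 755 "$box/prefix/bin" && chmod 644 "$box/prefix/bin/catfish.py"
    printf '%s\n' "$box"
}

box=$(make_sandbox)
( cd "$box/work" && echo "unsafe: $(resolve_unsafe "$box/prefix")" \
                 && echo "safe:   $(resolve_safe "$box/prefix")" )
rm -rf "$box"
```

Run from the sandbox working directory, the unsafe resolver returns the relative `bin/catfish.py` while the hardened one returns the path under the install prefix, and it fails closed if that file or its directory is writable by group or other.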

Reservation: 02/24/2014

Disclosure: 02/26/2014

Moderation: accepted

Entry: VDB-66449

CPE: ready

EPSS: 0.00066

KEV: no

Activities: very low
