...
The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execl():
```c
(void) execl(LOGIN_PROGRAM, "login", "-p", "-d", slavename, "-h", host,
             "-s", pam_svc_name, "--",
             (AuthenticatingUser != NULL ? AuthenticatingUser : getenv("USER")),
             (char *)NULL);  /* variadic sentinel must be a null pointer, not int 0 */
```
Because the login program uses the POSIX getopt() function to parse command-line arguments, and because the "--" (double dash) option causes getopt() to stop interpreting options in the argument list, the USER variable cannot be used by an attacker to inject an additional command-line option. This is a valid means of sanitizing the untrusted user data in this context because it renders the interpretation of the resulting string innocuous.
The call to execl() is not susceptible to command injection because a command interpreter is not invoked (see ENV04-A. Do not call system() if you do not need a command processor).
The diff for this vulnerability is available from the CVS repository at OpenSolaris.
...