...
The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execl():

```c
(void) execl(LOGIN_PROGRAM, "login", "-p", "-d", slavename, "-h", host,
             "-s", pam_svc_name,
             "--",   /* stop option parsing: everything after this is an operand */
             (AuthenticatingUser != NULL ? AuthenticatingUser : getenv("USER")),
             (char *)0);   /* execl() requires a null pointer, not an int 0, as the terminator */
```
Because the login program uses the POSIX getopt() function to parse command line arguments, and because the "--" (double dash) argument causes getopt() to stop interpreting options in the argument list, the USER variable cannot be used by an attacker to inject an additional command line option. This is a valid means of sanitizing the untrusted user data in this context because the resulting string can only be interpreted as an operand, which renders it innocuous.
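To make the getopt() behavior concrete, the following added example (not code from the OpenSolaris fix or from this standard) builds the argument vector that the execl() call above produces, once without and once with the "--" separator, and runs a small getopt()-based model of the login front end over it. The option string, the hypothetical `-f <name>` option, the host name and the USER value are all constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What a getopt()-based program concludes from one argv (constructed helper). */
struct parse_result {
    int saw_f;             /* nonzero if a "-f <name>" option was consumed by getopt() */
    const char *f_arg;     /* argument of -f, if any */
    const char *operand;   /* first non-option operand, i.e. the user name as seen by login */
};

/* Model of a login-style front end. "p" and "h:" mirror options in the execl()
 * call in the text; "f:" is a hypothetical option that takes a name argument.
 * The leading '+' asks glibc for POSIX behavior (stop at the first operand);
 * on other libcs it is merely an unused option character. */
static struct parse_result parse_login_args(int argc, char *const argv[])
{
    struct parse_result r = { 0, NULL, NULL };
    int c;

#ifdef __GLIBC__
    optind = 0;   /* glibc: 0 forces full reinitialisation of getopt() state */
#else
    optind = 1;   /* POSIX reset; BSD-derived libcs additionally need optreset = 1 */
#endif
    opterr = 0;   /* do not print diagnostics for unknown options */

    while ((c = getopt(argc, argv, "+ph:f:")) != -1) {
        switch (c) {
        case 'f':
            r.saw_f = 1;
            r.f_arg = optarg;
            break;
        default:
            break;   /* 'p', 'h' and '?' are irrelevant to this demonstration */
        }
    }
    if (optind < argc)
        r.operand = argv[optind];   /* "--" itself is skipped by getopt() */
    return r;
}

/* Builds the argv that the execl() call produces for one USER value, with or
 * without the "--" separator, and parses it as the login program would. */
static struct parse_result login_view(const char *user_value, int with_separator)
{
    char *argv[8];
    int argc = 0;

    argv[argc++] = "login";
    argv[argc++] = "-p";
    argv[argc++] = "-h";
    argv[argc++] = "client.example";    /* constructed host name */
    if (with_separator)
        argv[argc++] = "--";
    argv[argc++] = (char *)user_value;  /* the getenv("USER") result */
    argv[argc] = NULL;
    return parse_login_args(argc, argv);
}

/* 1 if the untrusted value was consumed as an option, 0 if it became the operand. */
static int option_injected(const char *user_value, int with_separator)
{
    return login_view(user_value, with_separator).saw_f;
}

int main(void)
{
    const char *untrusted = "-fsomeone";   /* constructed, attacker-shaped USER value */
    struct parse_result a = login_view(untrusted, 0);
    struct parse_result b = login_view(untrusted, 1);

    printf("without \"--\": -f consumed=%d, operand=%s\n",
           a.saw_f, a.operand ? a.operand : "(none)");
    printf("with    \"--\": -f consumed=%d, operand=%s\n",
           b.saw_f, b.operand ? b.operand : "(none)");
    return 0;
}
```

Without the separator the value is parsed as an option and its argument; with the separator the identical bytes reach the program only as the user-name operand, which is exactly the property the compliant solution relies on.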
The diff for this vulnerability is available on OpenSolaris.
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
...