String data passed to complex subsystems may contain special characters that can trigger commands or actions, resulting in a software vulnerability. As a result it is necessary to sanitize all string data passed to complex subsystems includingso that the resulting string is innocuous in the context in which it will be interpreted.
Complex subsystems include, but are not limited to:
- command processor via a call to
system()or similar function - external programs
- relational databases
- third-party COTS components (e.g., an enterprise resource planning subsystem)
...
The benefit of white listing is that a programmer can be certain that a string contains only characters that are considered safe by the programmer. White listing is recommended over black listing, which traps all unacceptable characters, as the programmer only needs to ensure that acceptable characters are identified. As a result, the programmer can be less concerned about which characters an attacker may try in an attempt to bypass security checks.
Non-Compliant Code Example
This non-compliant code example is take from VU#881872, which a vulnerability in the Sun Solaris telnet daemon (in.telnetd) that allows a remote attacker to log on to the system with elevated privileges.
The vulnerability in in.telnetd involves the following line of code invokes the login program by calling execl(). This call passes unsanitized data from an untrusted source (the USER environment variable) as an argument to the login program.
| Code Block | ||
|---|---|---|
| ||
(void) execl(LOGIN_PROGRAM, "login",
"-p",
"-d", slavename,
"-h", host,
"-s", pam_svc_name,
(AuthenticatingUser != NULL ? AuthenticatingUser :
getenv("USER")),
0);
|
An attacker, in this case, an attacker can gain unauthenticated access to a system by setting the USER environment variable to a string which is interpreted as an additional command line option by the login program.
Compliant Solution
The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execls():
| Code Block | ||
|---|---|---|
| ||
(void) execl(LOGIN_PROGRAM, "login",
"-p",
"-d", slavename,
"-h", host,
"-s", pam_svc_name, "--",
(AuthenticatingUser != NULL ? AuthenticatingUser :
getenv("USER")), 0);
|
Because the login program uses the POSIX getopt() function to parse command line arguments and because the "--" (double dash) option causes getopt() to stop interpreting options in the argument list, the USER variable cannot be used by an attacker to inject an additional command line option. This is a valid means of sanitizing the untrusted user data in this context because the behavior of the interpretation of the resulting string is rendered innocuous.
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
...