| Wiki Markup |
|---|
Section 7.20.4.5 of C99 \[[ISO/IEC 9899-:1999|AA. C References#ISO/IEC 9899-1999]\] says that: |
...
| Code Block |
|---|
|
extern char ** environ;
int main(void) {
if (multiple_vars_with_same_name()) {
printf("Someone may be tampering.\n");
return 1;
}
/* ... */
return 0;
}
int multiple_vars_with_same_name(void) {
size_t i;
size_t j;
size_t k;
size_t l;
size_t len_i;
size_t len_j;
for(i = 0; environ[i] != NULL; i++) {
for(j = i; environ[j] != NULL; j++) {
if (i != j) {
k = 0;
l = 0;
len_i = strlen(environ[i]);
len_j = strlen(environ[j]);
while (k < len_i && l < len_j) {
if (environ[i][k] != environ[j][l])
break;
if (environ[i][k] == '=')
return 1;
k++;
l++;
}
}
}
}
return 0;
}
|
...
| Code Block |
|---|
|
char *temp;
if (putenv("TEST_ENV=foo") != 0) {
/* Handle Error */
}
if (putenv("Test_ENV=bar") != 0) {
/* Handle Error */
}
temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle Error */
}
printf("%s\n", temp);
|
On a test IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints:
...
| Code Block |
|---|
|
char *temp;
if (putenv("TEST_ENV=foo") != 0) {
/* Handle Error */
}
if (putenv("OTHER_ENV=bar") != 0) {
/* Handle Error */
}
temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle Error */
}
printf("%s\n", temp);
|
Risk Assessment
An adversary can create multiple environment variables with the same name. If the program checks one copy but uses another, security checks may be circumvented.
...
| Wiki Markup |
|---|
\[[ISO/IEC 9899-:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"
\[[MSDN|AA. C References#MSDN]\] [{{getenv()}}|http://msdn.microsoft.com/en-us/library/tehxacec(VS.71).aspx] |
...
