...
- command processor via a call to system() or a similar function. This is also addressed in ENV03-A. Sanitize the environment when invoking external programs.
- external programs
- relational databases
- third-party COTS components (e.g., an enterprise resource planning subsystem)
...
Noncompliant Code Example
Data sanitization requires an understanding of the data being passed and the capabilities of the subsystem. John Viega and Matt Messier provide an example of an application that inputs an email address into a buffer and then uses this string as an argument in a call to system() [Viega 03]:
...
For more information on the system() call, see ENV03-A. Sanitize the environment when invoking external programs and ENV04-A. Do not call system() if you do not need a command processor.
Compliant Solution
It is necessary to ensure that all valid data is accepted while potentially dangerous data is rejected or sanitized. This can be difficult when valid characters or sequences of characters also have special meaning to the subsystem, and it may require validating the data against a grammar. In cases where there is no such overlap, whitelisting can be used to eliminate dangerous characters from the data.
...
    #include <string.h>

    static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "1234567890_-.@";

    void sanitize_user_data(void) {
      char user_data[] = "Bad char 1:} Bad char 2:{";
      char *cp; /* cursor into string */

      /* Skip the leading run of acceptable characters, then replace each
       * unacceptable character with '_' and skip the next acceptable run.
       * Because '_' is itself in ok_chars, the cursor always advances. */
      for (cp = user_data + strspn(user_data, ok_chars);
           *cp != '\0';
           cp += strspn(cp, ok_chars)) {
        *cp = '_';
      }
    }
The benefit of whitelisting is that the programmer can be certain that the string contains only characters the programmer considers safe. Whitelisting is recommended over blacklisting, which attempts to enumerate and trap every unacceptable character, because the programmer needs only to identify the acceptable characters and can be less concerned about which characters an attacker might try in an attempt to bypass security checks.
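As an added example (not code from the original page), the whitelist above generalized into a reusable in-place sanitizer plus a validation check, applied to the email-address case from the noncompliant example. The whitelist is the one from the compliant solution; the input addresses are constructed for illustration, and is_whitelisted(), sanitize_in_place() and sanitized_copy() are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Whitelist from the compliant solution; everything else is unacceptable. */
static const char ok_chars[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "1234567890_-.@";

/* Validation: true if s contains only whitelisted characters.  Use this
 * when the input can simply be rejected instead of repaired. */
bool is_whitelisted(const char *s) {
  return s[strspn(s, ok_chars)] == '\0';
}

/* Sanitization: replace every non-whitelisted character in s with '_'.
 * Returns the number of characters replaced.  strspn() skips each run of
 * acceptable characters, so the cursor stops only on characters that must
 * be replaced; because '_' is itself whitelisted the cursor always advances
 * and the loop terminates at the null terminator. */
size_t sanitize_in_place(char *s) {
  size_t replaced = 0;
  char *cp;
  for (cp = s + strspn(s, ok_chars); *cp != '\0'; cp += strspn(cp, ok_chars)) {
    *cp = '_';
    replaced++;
  }
  return replaced;
}

/* Copy an untrusted address into a fixed buffer and sanitize it before it
 * could be handed to a command processor.  Returns NULL if the input does
 * not fit, so an over-long input is rejected rather than silently cut. */
const char *sanitized_copy(char *buf, size_t buf_size, const char *untrusted) {
  if (strlen(untrusted) >= buf_size) {
    return NULL;
  }
  strcpy(buf, untrusted);
  sanitize_in_place(buf);
  return buf;
}

/* Worked example on a constructed attacker-supplied address containing a
 * shell command separator.  Returns "user@example.com__echo_injected". */
const char *demo_email(void) {
  static char buf[64];
  return sanitized_copy(buf, sizeof buf, "user@example.com; echo injected");
}
```

Whether to reject (is_whitelisted) or repair (sanitize_in_place) depends on the subsystem: an address that was silently rewritten may no longer refer to the intended recipient, so rejection is usually the better choice when the data will be acted on rather than merely displayed.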
...
Noncompliant Code Example
This noncompliant code example is taken from [VU#881872], a vulnerability in the Sun Solaris TELNET daemon (in.telnetd) that allows a remote attacker to log on to the system with elevated privileges.
...
An attacker, in this case, can gain unauthenticated access to a system by setting the USER environment variable to a string that begins with a hyphen, which the login program then interprets as an additional command line option rather than as a user name. This is referred to as an argument injection attack.
Compliant Solution
The following compliant solution inserts the "--" argument before the call to getenv("USER") in the call to execl():
...
The call to execl() is not susceptible to command injection because the shell command interpreter is not invoked (see ENV04-A. Do not call system() if you do not need a command processor). It remains susceptible to argument injection, however, unless the untrusted value is separated from the options with "--" as shown, because the invoked program parses its own argument list.
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
STR02-A | high | likely | medium | P18 | L1
Automated Detection
Fortify SCA Version 5.0 is able to detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[MITRE 07] CWE ID 88, "Argument Injection or Modification" (http://cwe.mitre.org/data/definitions/88.html), and CWE ID 78, "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')" (http://cwe.mitre.org/data/definitions/78.html)
[ISO/IEC 9899:1999] Section 7.20.4.6, "The system function"
[Viega 03]
[VU#881872]
...