...
A weakness in a privileged program caused by relying on untrusted sources such as the environment (See ENV35-J. Provide a trusted environment and sanitize all inputs), can result in the execution of a command or a program that has more privileges than those possessed by a typical user. This noncompliant code example shows such a vulnerability; it is a variant of an the OS command injection vulnerability.
When the single argument version of the Runtime.exec() method is invoked, the arguments are parsed by a StringTokenizer into separate tokens. Consequently, any command separators maliciously inserted into the argument do not delimit the original command and an adversary is unable to proceed in executing arbitrary system commands. This However, this code is however, equally still vulnerable as an attacker can easily invoke an external (privileged) program, despite even in the presence of a security manager.
| Code Block | ||
|---|---|---|
| ||
// security manager check String programName = System.getProperty("program.name"); if (programName != null){ // runsRuns user controlled program Runtime runtime = Runtime.getRuntime(); Process proc = runtime.exec(programName); } |
Noncompliant Code Example
A This noncompliant code example portrays a less likely, though more pernicious form of OS command injection is portrayed in this noncompliant code example. The program spawns a shell (*nix) or a command prompt (Windows) and allows passing arguments to external programs. Sometimes the shell or prompt is used to set an environment variable to a user defined value from within the program. The programName string is expected to hold the program's name, as well as the arguments.
An adversary can terminate the command with a command separator (such as '&&' and '||') or cause the output of the program to be piped to a sensitive file for the purpose of causing a denial of service (privileged program), or even worse, redirect some sensitive output to a non sensitive location.
...
| Code Block | ||
|---|---|---|
| ||
Process proc;
int filename = Integer.parseInt(System.getproperty("program.name")); // only allow integer choices
Runtime runtime = Runtime.getRuntime();
switch(filename) {
case 1:
proc = runtime.exec("hardcoded\program1");
break; // optionOption 1
case 2:
proc = runtime.exec("hardcoded\program2");
break; // optionOption 2
default:
System.out.println("Invalid option!");
break;
}
|
Compliant Solution
An alternative is to read the file names from a source existing in a secure directory, inaccessible to an attacker. The security policy file may grant permissions to the application to read files from a specific directory. The security manager must be used when running the application . (ENV30-J. Create a secure sandbox using a Security Manager). It is also possibe to define a custom permission to control access to specific programs and using a security manager to enforce this permission (SEC08-J. Define custom security permissions for fine grained security).
Risk Assessment
OS command injection can cause arbitrary programs to be executed.
...