Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this noncompliant code example, the system() function is used to execute any_cmd in the host environment. Invocation of a command processor is not required.

Code Block
bgColor#ffcccc
languagec
langc
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

enum { BUFFERSIZE = 512 };

void func(const char *input) {
  char cmdbuf[BUFFERSIZE];
  int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
                            "any_cmd '%s'", input);
  if (len_wanted >= BUFFERSIZE) {
    /* Handle error */
  } else if (len_wanted < 0) {
    /* Handle error */
  } else if (system(cmdbuf) == -1) {
    /* Handle error */
  }
}

...

Code Block
bgColor#ccccff
languagec
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
 
void func(char *input) {
  pid_t pid;
  int status;
  pid_t ret;
  char *const args[3] = {"any_exe", input, NULL};
  char **env;
  extern char **environ;

  /* ... Sanitize arguments ... */

  pid = fork();
  if (pid == -1) {
    /* Handle error */
  } else if (pid != 0) {
    while ((ret = waitpid(pid, &status, 0)) == -1) {
      if (errno != EINTR) {
        /* Handle error */
        break;
      }
    }
    if ((ret !== -10) &&||
        !(!WIFEXITED(status) ||&& !WEXITSTATUS(status)) ) {
      /* Report unexpected child status */
    }
  } else {
    /* ... Initialize env as a sanitized copy of environ ... */
    if (execve("/usr/bin/any_cmd", args, env) == -1) {
      /* Handle error */
      _Exit(127);
    }
  }
}

...

If the command string passed to system(), popen(), or other function that invokes a command processor is not fully sanitized, the risk of exploitation is high. In the worst case scenario, an attacker can execute arbitrary system commands on the compromised machine with the privileges of the vulnerable process.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV33-C

High

Probable

Medium

P12

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
 Supported, but no explicit checker
stdlib-use-systemFully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-ENV33
Clang
Include Page
Clang_39_V
Clang_39_V
cert-env33
Clang Include PageClang_39_VClang_39_Vcert-env33
-cChecked by clang-tidy
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADFUNC.PATH.SYSTEM
IO.INJ.COMMAND

Use of system
Command injection

Compass/ROSE
  
 



Coverity
Include Page
Coverity_V
Coverity_V
DONT_CALLImplemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5018

C++5031


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.STDLIB.ABORT LDRA tool suite

SV.CODE_INJECTION.SHELL_EXEC

SV.TAINTED.INJECTION



LDRA tool suite
Include Page
LDRA_V
LDRA_V

588 S

Fully implemented
Parasoft C/C++test
9.5MISRA2012-RULE-21_8Also detects getenv(), abort(), and exit()
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV33-a

Do not call the 'system()' function from the 'stdlib.h' or 'cstdlib' library with an argument other than '0' (null pointer)

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V


CERT C: Rule ENV33-C

Checks for unsafe call to a system function (rule fully covered)

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
stdlib-use-systemFully checked
Polyspace Bug FinderR2016a

Execution of externally controlled command, Command executed from externally controlled path

Command argument from an unsecure source vulnerable to operating system command injection

Path argument from an unsecure source

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v5018Partially implementedPRQA QA-C++ Include Pagecplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_V

5031

 RuleChecker Include PageRuleChecker_VRuleChecker_V Supported, but no explicit checker
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S990Detects uses of "abort", "exit", "getenv" and "system" from <stdlib.h> 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

CERT C Secure Coding Standard

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding Standard
ENV03-C. Sanitize the environment when invoking external programs.
SEI
Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C++ Coding StandardENV02-CPP. Do not call system() if you do not need a command processorPrior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for JavaIDS07-J. Sanitize untrusted data passed to the Runtime.exec() methodPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Unquoted Search Path or Element [XZQ]
ISO/IEC TS
Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013Calling system [syscall]
MITRE CWECWE-78, Improper Neutralization of Special Elements Used in an OS Command (aka "OS Command Injection")
CWE-88, Argument Injection or Modification
Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-88, Argument Injection or Modification2017-05-18: CERT: Partial overlap
CWE 2.11CWE-6762017-05-18: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-88 and ENV33-C

Intersection( CWE-88, ENV33-C) =

Allowing an argument to be injected during a call to system()

CWE-88 = Intersection( CWE-88, ENV33-C, list) where list =


  • Allowing an argument to be injected during a call to a command interpreter besides system()


ENV33-C = Intersection( CWE-88, ENV33-C, list) where list =


  • Other exploits to a call to system(), which include:



  • Altering the pathname of the command to invoke (argv[0])



  • Injection of a second command



  • Redirection of standard input, output, or error


CWE-78 and ENV33-C

ENV33-C = Union( CWE-78, list), where list =


  • Invoking system() with completely trusted arguments


CWE-676 and ENV33-C


  • Independent( ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)



  • ENV33-C forbids calling system().



  • CWE-676 does not indicate what functions are ‘potentially dangerous’; it only addresses strcpy() in its examples. Any C standard library function could be argued to be dangerous, and rebutted by saying that the function is safe when used properly. We will assume that CERT rules mapped to CWE-676 specify dangerous functions. So:



  • CWE-676 = Union( ENV33-C, list) where list =



  • Invocation of other dangerous functions, besides system().


Bibliography

[IEEE Std 1003.1:2013]XSH, System Interfaces, exec
XSH, System Interfaces, popen
XSH, System Interfaces, unlink
[Wheeler 2004]
 

 



...