The getenv()
function searches an environment list for a string that matches a specified name , and returns a pointer to a string associated with the matched list member. Due to the manner in which environment variables are stored.
Subclause 7.22.4.6 of the C Standard [ISO/IEC 9899:2011] states:
The set of environment names and the method for altering the environment list are implementation-defined.
Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results . You may check one value, but return another.
Implementation Details
Depending on the implementation, a program may not if a program cannot consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library addresses this issue in getenv()
and setenv()
by always using the first variable it comes across, encounters and ignoring the rest. unsetenv()
will remove all the entries matching the variable name. Other implementations are following this lead.
Code Block |
---|
char *temp;
char *copy;
if ((temp = getenv("TEST_ENV")) != NULL) {
copy= (char *)malloc(strlen(temp) + 1);
if (copy != NULL) {
strcpy(copy, temp);
}
else {
/* handle error condition */
}
copy[0] = 'a';
setenv("TEST_ENV", copy, 1);
}
else {
return -1;
}
|
In addition, it is possible to search through environ
checking for multiple entries of a variable. Any duplicate values are an indication of an attack; take appropriate action. It is unlikely that there would be a need for more than one variable of the same name.
Risk Assessment
. However, it is unwise to rely on this behavior.
One common difference between implementations is whether or not environment variables are case sensitive. Although UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [MSDN].
Duplicate Environment Variable Detection (POSIX)
The following code defines a function that uses the POSIX environ
array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.
Code Block | ||||
---|---|---|---|---|
| ||||
extern char **environ;
int main(void) {
if (multiple_vars_with_same_name()) {
printf("Someone may be tampering.\n");
return 1;
}
/* ... */
return 0;
}
int multiple_vars_with_same_name(void) {
size_t i;
size_t j;
size_t k;
size_t l;
size_t len_i;
size_t len_j;
for(size_t i = 0; environ[i] != NULL; i++) {
for(size_t j = i; environ[j] != NULL; j++) {
if (i != j) {
k = 0;
l = 0;
len_i = strlen(environ[i]);
len_j = strlen(environ[j]);
while (k < len_i && l < len_j) {
if (environ[i][k] != environ[j][l])
break;
if (environ[i][k] == '=')
return 1;
k++;
l++;
}
}
}
}
return 0;
}
|
Noncompliant Code Example
This noncompliant code example behaves differently when compiled and run on Linux and Microsoft Windows platforms:
Code Block | ||||
---|---|---|---|---|
| ||||
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("Test_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
On an IA-32 Linux machine with GCC 3.4.4, this code prints
Code Block |
---|
foo
|
whereas, on an IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints
Code Block |
---|
bar
|
Compliant Solution
Portable code should use environment variables that differ by more than capitalization:
Code Block | ||||
---|---|---|---|---|
| ||||
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("OTHER_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
Risk Assessment
An attacker can create multiple environment variables with the same name (for example, by using the POSIX execve()
function). If the program checks one copy but uses another, security checks may be circumventedAn adversary could create several environment variables with the same name. If the program checks against one copy, but actually uses another, this could be a clear problem.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV02- |
2 (medium)
1 (unlikely)
3 (low)
P6
L2
C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Compass/ROSE | |||||||||
Parasoft C/C++test |
| CERT_C-ENV02-a | Usage of system properties (environment variables) should be restricted |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment" |
Related Guidelines
SEI CERT C++ Coding Standard | VOID ENV00-CPP. Beware of multiple environment variables with the same effective name |
ISO/IEC TR 24772:2013 | Executing or Loading Untrusted Code [XYS] |
MITRE CWE | CWE-462, Duplicate key in associative list (Alist) CWE-807, Reliance on untrusted inputs in a security decision |
Bibliography
[ISO/IEC 9899:2011] | Section 7.22.4, "Communication with the Environment" |
[MSDN] | getenv() |
...
ENV01-A. Do not make assumptions about the size of an environment variable 11. Environment (ENV) ENV03-A. Sanitize the environment before invoking external programs