You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 26 Next »

The getenv() function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Due to the manner in which environment variables are stored, multiple environment variables with the same name can cause unexpected results.

Implementation Details

Depending on the implementation, a program may not consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. The POSIX unsetenv() function removes all entries matching the variable name. Other implementations are following suit.

char *temp;
char *copy;

if ((temp = getenv("TEST_ENV")) != NULL) {
  copy = (char *)malloc(strlen(temp) + 1);
  if (copy != NULL) {
    strcpy(copy, temp);
  }
  else {
    /* handle error condition */
  }

  copy[0] = 'a';
  setenv("TEST_ENV", copy, 1);
}
else {
  return -1;
}

It is also possible to search the environment for multiple entries of a variable. On POSIX systems, the environ variable can be used for this purpose. Any duplicate values are an indication of an attack; take appropriate action.

Compliant Solution (POSIX)

In this compliant solution, the environ array is manually searched for duplicate key entries.

extern char ** environ;

int main(void) {
  if(multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

int multiple_vars_with_same_name() {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(i = 0; environ[i] != NULL; i++) {
    for(j = i; environ[j] != NULL; j++) {
      if(i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while(k < len_i && l < len_j) {
          if(environ[i][k] != environ[j][l])
            break;

          if(environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

Risk Assessment

An adversary could create multiple environment variables with the same name. If the program checks one copy but uses another, security checks may be circumvented.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV02-A

medium

unlikely

low

P6

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 7.20.4, "Communication with the environment"


ENV01-A. Do not make assumptions about the size of an environment variable      10. Environment (ENV)       ENV03-A. Sanitize the environment before invoking external programs

  • No labels