Section 7.20.4.5 of C99 states: [[ISO/IEC 9899:1999]]
The set of environment names and the method for altering the environment list are implementation-defined.
The getenv() function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results if a program cannot consistently choose the same value. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. Other implementations are following suit, although it is unwise to rely on this.
Inadvertently running a program with duplicate environment variables is an easy error to make because the execve() function has the signature:
int execve(const char *filename, char *const argv[], char *const envp[]);
and makes no guarantees with regard to duplicate variables in its envp argument.
One common difference between implementations is whether or not environment variables are case sensitive. While UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [[MSDN]].
Duplicate Environment Variable Detection (POSIX)
The following code defines a function that uses the POSIX environ array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.
extern char ** environ;
int main(void) {
if (multiple_vars_with_same_name()) {
printf("Someone may be tampering.\n");
return 1;
}
/* ... */
return 0;
}
int multiple_vars_with_same_name(void) {
size_t i;
size_t j;
size_t k;
size_t l;
size_t len_i;
size_t len_j;
for(i = 0; environ[i] != NULL; i++) {
for(j = i; environ[j] != NULL; j++) {
if (i != j) {
k = 0;
l = 0;
len_i = strlen(environ[i]);
len_j = strlen(environ[j]);
while (k < len_i && l < len_j) {
if (environ[i][k] != environ[j][l])
break;
if (environ[i][k] == '=')
return 1;
k++;
l++;
}
}
}
}
return 0;
}
Non-Compliant Code Example
The following non-compliant code behaves differently when compiled under test Linux and Microsoft Windows implementations.
char *temp;
if (putenv("TEST_ENV=foo") != 0) {
/* Handle Error */
}
if (putenv("Test_ENV=bar") != 0) {
/* Handle Error */
}
temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle Error */
}
printf("%s\n", temp);
On a test IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints:
foo
Whereas, on a test IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints:
bar
Compliant Solution
Portable code should use environment variables that differ by more than capitalization.
char *temp;
if (putenv("TEST_ENV=foo") != 0) {
/* Handle Error */
}
if (putenv("OTHER_ENV=bar") != 0) {
/* Handle Error */
}
temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle Error */
}
printf("%s\n", temp);
Risk Assessment
An adversary can create multiple environment variables with the same name. If the program checks one copy but uses another, security checks may be circumvented.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
ENV02-A |
low |
unlikely |
medium |
P2 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899:1999]] Section 7.20.4, "Communication with the environment"
[[MSDN]] getenv()
ENV01-A. Do not make assumptions about the size of an environment variable 10. Environment (ENV) ENV03-A. Sanitize the environment when invoking external programs