String data passed to complex subsystems may contain special characters that can trigger commands or actions, resulting in a software vulnerability. As a result, it is necessary to sanitize all string data passed to complex subsystems so that the resulting string is innocuous in the context in which it will be interpreted.

Complex subsystems include, but are not limited to:

  • command processor via a call to system() or similar function
  • external programs
  • relational databases
  • third-party COTS components (e.g., an enterprise resource planning subsystem)

...

It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. This can be difficult when valid characters or sequences of characters also have special meaning to the subsystem, and it may involve validating the data against a grammar. In cases where there is no such overlap, whitelisting can be used to eliminate dangerous characters from the data.

...

This noncompliant code example is taken from VU#881872 (http://www.kb.cert.org/vulnotes/id/881872), which describes a vulnerability in the Sun Solaris telnet daemon (in.telnetd) that allows a remote attacker to log on to the system with elevated privileges.

The vulnerability in in.telnetd involves the following line of code, which invokes the login program by calling execl(). This call passes unsanitized data from an untrusted source (the USER environment variable) as an argument to the login program.

...

In this case, an attacker can gain unauthenticated access to a system by setting the USER environment variable to a string that the login program interprets as an additional command line option.

...

Because the login program uses the POSIX getopt() function to parse command line arguments, and because the "--" (double dash) argument causes getopt() to stop interpreting options in the argument list, the USER variable can no longer be used by an attacker to inject an additional command line option. This is a valid means of sanitizing the untrusted user data in this context because the resulting string is rendered innocuous in the context in which it is interpreted.

...

Examples of vulnerabilities resulting from the violation of this recommendation can be found on the CERT website.

References

[Viega 03] AA. C References#Viega 03
[ISO/IEC 9899-1999] AA. C References#ISO/IEC 9899-1999, Section 7.20.4.6, "The system function"
[VU#881872] Manion, Art & Taschner, Chris. Vulnerability Note VU#881872: Sun Solaris telnet authentication bypass vulnerability. http://www.kb.cert.org/vulnotes/id/881872 (2007).