...
| Wiki Markup |
|---|
In this non-compliant example inspired by a vulnerability in OpenBSD's {{chpass}} program \[[OpenbsdNAI 98|http://seclists.org/bugtraq/1998/Aug/0071.html]\], a file containing sensitive data is opened for reading. The program then retrieves the registered editor from the {{EDITOR}} environment variable and executes it using the {{system()}} function. If the {{system()}} function is implemented in a way that spawns a child process, then the child process inherits the file descriptors opened by its parent. As a result, the child process, in this example whatever program is specified by the {{EDITOR}} environment variable, will be able to access the contents of {{Sensitive.txt}}. |
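
The inheritance described above can be observed directly. The following is an added example, not code from the original page: it opens a descriptor, spawns a child through {{system()}}, and reports whether the child could use that descriptor, first as-is and then with {{FD_CLOEXEC}} set. Assumptions: a POSIX system, {{/dev/null}} standing in for {{Sensitive.txt}}, descriptor number 9 and the helper name {{child_inherits_fd}} chosen for the demo, and a shell redirection standing in for the editor.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed for this demo: a fixed single-digit descriptor number that the
 * child shell can name in a redirection. */
#define PROBE_FD 9

/* Returns 1 if a child started by system() can use the parent's descriptor,
 * 0 if it cannot, and -1 on a setup failure. */
int child_inherits_fd(int set_cloexec)
{
    /* Assumption: /dev/null stands in for Sensitive.txt so the demo runs anywhere. */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    if (fd != PROBE_FD) {
        int moved = dup2(fd, PROBE_FD);   /* the duplicate has FD_CLOEXEC clear */
        close(fd);
        if (moved < 0)
            return -1;
    }
    if (set_cloexec) {
        /* Hardened variant: mark the descriptor close-on-exec before spawning. */
        int flags = fcntl(PROBE_FD, F_GETFD);
        if (flags < 0 || fcntl(PROBE_FD, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(PROBE_FD);
            return -1;
        }
    }
    /* Stand-in for system(editor): the redirection fails in the child shell
     * when descriptor 9 was not inherited. */
    int status = system("true 2>/dev/null <&9");
    close(PROBE_FD);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("inherited without FD_CLOEXEC: %d\n", child_inherits_fd(0));
    printf("inherited with FD_CLOEXEC:    %d\n", child_inherits_fd(1));
    return 0;
}
```

Closing the file before calling {{system()}} has the same effect for the child as the close-on-exec flag shown here.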
...
| Wiki Markup |
|---|
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 10, "UNIX Processes" (File Descriptor Leaks 582-587) \[[MITRE 07|AA. C References#MITRE 07]\] UNIX file descriptor leaks \[[MSDN|AA. C References#MSDN 07]\] Inheritance (Windows) \[[OpenbsdNAI 98|http://seclists.org/bugtraq/1998/Aug/0071.html]\] Bugtraq: Network Associates Inc. Advisory (OpenBSD) |