...
- drop privileges once they are no longer necessary (see POS02-A. Follow the principle of least privilege)
- avoid calling system() (see ENV04-A. Do not call system() if you do not need a command processor)
- if a command processor is absolutely necessary, the environment should be cleared out and filled with trusted or default values (see STR02-A. Sanitize data passed to complex subsystems)
Because the C99 standard states that "The set of environment names and the method for altering the environment list are implementation-defined," it is important to understand what local functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is also important to understand which variables are necessary on your system and what values are safe for them.
...
This non-compliant code invokes the C99 system() function to execute the /bin/ls program. The C99 system() function passes a string to the command processor in the host environment to be executed.
```c
system("/bin/ls dir.`date +%Y%m%d`");
```
Although IFS does not affect the command portion of this string, /bin/ls, it does determine how the argument is built after calling date. If the default shell does not ignore the incoming value of the IFS environment variable, and an attacker sets IFS to ".", the intended directory will not be found.
...
```c
#define _GNU_SOURCE      /* clearenv() is a GNU/Linux extension, not POSIX */
#include <stdlib.h>
#include <unistd.h>

char *pathbuf;
size_t n;

/* Discard the inherited, possibly attacker-controlled environment. */
if (clearenv() != 0) {
  /* Handle Error */
}
/* Query the size of the implementation's default PATH, then fetch it. */
n = confstr(_CS_PATH, NULL, 0);
if (n == 0 || (pathbuf = malloc(n)) == NULL) {
  /* Handle Error */
}
if (confstr(_CS_PATH, pathbuf, n) == 0) {
  /* Handle Error */
}
/* Rebuild only the variables the command needs, with trusted values. */
if (setenv("PATH", pathbuf, 1) == -1) {
  /* Handle Error */
}
if (setenv("IFS", " \t\n", 1) == -1) {
  /* Handle Error */
}
if (system("/bin/ls dir.`date +%Y%m%d`") == -1) {
  /* Handle Error */
}
```
Sanitizing a shell command can be difficult, and secure results can adversely impact the inherent power and flexibility associated with shell commands in the first place.
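The following is an added example, not code from the CERT page, that packages the compliant approach above (and the IFS concern discussed with the noncompliant example) into a reusable routine and adds the check a practitioner would want: after sanitizing, verify that nothing but PATH and IFS survived. It replaces the non-portable clearenv() with a loop over POSIX unsetenv(), which is an assumption about the platform only in that it requires the `environ` symbol; the function names sanitize_environment(), clear_environment() and environment_is_sanitized() are this example's own, and the hostile IFS value set in main() is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* The shell's default IFS: space, tab, newline. */
#define SAFE_IFS " \t\n"

/* Remove every variable from the process environment using only POSIX
 * unsetenv(), since clearenv() is not available on every platform.
 * Each name is copied before unsetenv() is called because modifying the
 * environment while walking environ is unsafe. Returns 0 on success,
 * -1 if an entry could not be removed (e.g. a malformed "=value"). */
static int clear_environment(void) {
    size_t count = 0;
    while (environ != NULL && environ[count] != NULL) count++;
    /* Bounded by the initial count so an unremovable entry cannot loop forever. */
    for (size_t i = 0; i < count && environ[0] != NULL; i++) {
        const char *entry = environ[0];
        const char *eq = strchr(entry, '=');
        size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
        if (len == 0) return -1;            /* malformed entry; refuse */
        char *name = malloc(len + 1);
        if (name == NULL) return -1;
        memcpy(name, entry, len);
        name[len] = '\0';
        int rc = unsetenv(name);
        free(name);
        if (rc != 0) return -1;
    }
    return (environ == NULL || environ[0] == NULL) ? 0 : -1;
}

/* Rebuild a minimal trusted environment: PATH from confstr(_CS_PATH)
 * and IFS reset to plain whitespace. Returns 0 on success, -1 on failure. */
int sanitize_environment(void) {
    if (clear_environment() != 0) return -1;
    size_t n = confstr(_CS_PATH, NULL, 0);   /* size including the NUL */
    if (n == 0) return -1;
    char *pathbuf = malloc(n);
    if (pathbuf == NULL) return -1;
    if (confstr(_CS_PATH, pathbuf, n) == 0) { free(pathbuf); return -1; }
    int rc = setenv("PATH", pathbuf, 1);
    free(pathbuf);
    if (rc != 0) return -1;
    return setenv("IFS", SAFE_IFS, 1) == 0 ? 0 : -1;
}

/* Post-condition check: exactly PATH and IFS are present and IFS holds the
 * safe value. Returns 1 if the environment is sanitized, 0 otherwise. */
int environment_is_sanitized(void) {
    const char *ifs = getenv("IFS");
    const char *path = getenv("PATH");
    if (ifs == NULL || strcmp(ifs, SAFE_IFS) != 0) return 0;
    if (path == NULL || path[0] == '\0') return 0;
    size_t count = 0;
    while (environ != NULL && environ[count] != NULL) count++;
    return count == 2;
}

int main(void) {
    /* Constructed hostile value, as a parent process could supply it. */
    if (setenv("IFS", ".", 1) != 0) return 1;
    if (sanitize_environment() != 0) return 1;
    printf("environment sanitized: %s\n",
           environment_is_sanitized() ? "yes" : "no");
    return environment_is_sanitized() ? 0 : 1;
}
```

Call sanitize_environment() once, early, before any system() or popen() call, and treat a nonzero return as fatal: continuing with a partially cleared environment gives no better guarantee than not clearing it at all. The bound on the removal loop matters because unsetenv() silently leaves an entry that has no "=" in place, which would otherwise spin forever.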
Risk Assessment
Invoking an external program in an attacker-controlled environment is dangerous.
...