 
                            ...
- drop privileges once they are no longer necessary (see POS02-AC. Follow the principle of least privilege)
- avoid calling system() (see ENV04-AC. Do not call system() if you do not need a command processor)
- clear the environment and fill it with trusted or default values
...
C99 states that "the set of environment names and the method for altering the environment list are implementation-defined." It is therefore important to understand which local functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is also important to understand which variables are necessary on your system and what safe values for them are.
...
If it is explicitly known which environment variables need to be kept, [Viega 03] defines a function, spc_sanitize_environment(), which will remove everything else.
...
Noncompliant Code Example (POSIX) (ls)
This noncompliant code invokes the C99 system() function to execute the /bin/ls program. The C99 system() function passes a string to the command processor in the host environment to be executed.
...
Although IFS does not affect the command portion of this string, /bin/ls, it does determine how the argument is built after calling date. If the default shell does not ignore the incoming value of the IFS environment variable, and an attacker sets IFS to ".", the intended directory will not be found.
Compliant Solution (POSIX) (ls)
In this compliant solution, the environment is cleared by clearenv() and then the PATH and IFS variables are set to safe values before invoking system().
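The following is an added example, not the original page's code, illustrating both the noncompliant scenario above (an inherited, attacker-chosen IFS) and the compliant solution (clearenv(), then PATH from confstr(_CS_PATH) and a default IFS, before system()). It assumes a POSIX system whose C library provides clearenv() (glibc and musl do); the helper names sanitize_environment() and environment_size() and the SAFE_IFS macro are this example's own, not from the page.

```c
/* Added example (not the CERT page's own code): sanitize the inherited
 * environment before handing a command line to system(). Assumes a POSIX
 * system with clearenv() (glibc/musl), confstr(_CS_PATH) and setenv(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* expose clearenv() in glibc; must precede any include */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern int clearenv(void);   /* not in C99/POSIX; declared here in case <stdlib.h> hides it */
extern char **environ;       /* the process environment list */

/* The IFS value a POSIX shell uses when the variable is unset: space, tab,
 * newline. Setting it explicitly overrides any inherited value such as ".". */
#define SAFE_IFS " \t\n"

/* Replace the inherited environment with a minimal trusted one.
 * Returns 0 on success and -1 on failure (errno is set by the failing call). */
int sanitize_environment(void) {
    char *pathbuf;
    size_t n;

    if (clearenv() != 0) {
        return -1;
    }

    /* Ask the implementation for a PATH that reaches the standard utilities
     * instead of hard-coding one. The first call only reports the size. */
    n = confstr(_CS_PATH, NULL, 0);
    if (n == 0) {
        return -1;
    }
    pathbuf = malloc(n);
    if (pathbuf == NULL) {
        return -1;
    }
    if (confstr(_CS_PATH, pathbuf, n) == 0) {
        free(pathbuf);
        return -1;
    }
    if (setenv("PATH", pathbuf, 1) == -1) {
        free(pathbuf);
        return -1;
    }
    free(pathbuf);   /* setenv() made its own copy */

    if (setenv("IFS", SAFE_IFS, 1) == -1) {
        return -1;
    }
    return 0;
}

/* Number of entries left in the environment; after sanitizing it should be
 * exactly the two that were set (PATH and IFS). */
size_t environment_size(void) {
    size_t count = 0;
    if (environ != NULL) {
        while (environ[count] != NULL) {
            count++;
        }
    }
    return count;
}

int main(void) {
    /* Constructed for the demo: simulate an inherited hostile IFS value. */
    if (setenv("IFS", ".", 1) == -1) {
        perror("setenv");
        return EXIT_FAILURE;
    }

    if (sanitize_environment() != 0) {
        perror("sanitize_environment");
        return EXIT_FAILURE;
    }
    printf("environment now holds %zu entries; IFS is the default\n",
           environment_size());

    /* Same command as the page's example: ls is now resolved through the
     * trusted PATH and the date argument is built with the default IFS. */
    if (system("ls dir.`date +%Y%m%d`") == -1) {
        perror("system");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

The two-call confstr() pattern (size query, then fill) is what keeps the PATH buffer correctly sized on any implementation; checking every return value matters here because a failed setenv() would silently leave the command running with an incomplete environment.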
...
Sanitizing a shell command can be difficult, and doing so can adversely affect the power and flexibility associated with shell commands.
Compliant Solution (Windows)
There is no portable or guaranteed way to clear out the environment under Windows. Following the recommendations of ENV04-AC. Do not call system() if you do not need a command processor, care should be taken to use _execle(), _execlpe(), _execve(), or _execvpe() instead of system(), because they allow the environment to be explicitly specified.
Risk Assessment
Invoking an external program in an attacker-controlled environment is dangerous.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| ENV03-A | high | likely | high | P9 | L2 | 
Automated Detection
Compass/ROSE could detect violations of this recommendation. It should ensure that any call to system() or the exec() family (excluding those functions that provide their own environment) is preceded by a call to clearenv().
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Austin Group 08] vol. 2, System Interfaces, confstr()
[CA-1995-14] "Telnetd Environment Vulnerability", http://www.cert.org/advisories/CA-1995-14.html
[Dowd 06] Chapter 10, "UNIX II: Processes"
[ISO/IEC 9899:1999] Section 7.20.4, "Communication with the environment"
[ISO/IEC PDTR 24772] "XYS Executing or Loading Untrusted Code"
[Open Group 04] Chapter 8, "Environment Variables"; confstr(), http://www.opengroup.org/onlinepubs/009695399/functions/confstr.html
[Viega 03] Section 1.1, "Sanitizing the Environment"
[Wheeler 03] Section 5.2, "Environment Variables", http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html
...