...
If the command string passed to system(), popen(), or another function that invokes a command processor is not fully sanitized, the risk of exploitation is high. In the worst case, an attacker can execute arbitrary system commands on the compromised machine with the privileges of the vulnerable process.
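The following added example (not CERT's own compliant solution, and not taken from this page) shows the defensive pattern the rule points to: instead of building a string and handing it to system(), the program validates the user-controlled argument against an allowlist and then runs the target program directly with execve() and an explicit argv, so no shell ever re-parses the text. The allowlist policy, the fixed minimal environment and the sample inputs are constructed for illustration.

```c
/* Defensive replacement for the pattern
       snprintf(buf, sizeof buf, "ls -l %s", filename); system(buf);
   Added example: validate the argument, then exec the program without a shell. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed allowlist: letters, digits, '.', '_', '-' and '/'.
   Anything else (shell metacharacters such as ';', '|', '&', '$', '`',
   quotes and whitespace included) is rejected.
   Returns 1 when the string is acceptable, 0 otherwise. */
int is_safe_argument(const char *s)
{
    if (s == NULL || *s == '\0') return 0;
    for (; *s != '\0'; ++s) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Runs `path` with an explicit argv and a fixed, minimal environment.
   Because no command processor is involved, every argv entry reaches the
   program verbatim and is never interpreted as shell syntax.
   Returns the child's exit status (0..255), or -1 if fork/wait fails or
   the child was terminated by a signal. */
int run_without_shell(const char *path, char *const argv[])
{
    static char *const minimal_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, minimal_env);
        _exit(127);  /* exec failed: report the conventional "not found" code */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hardened "list this file" operation. Returns -2 when the argument fails
   the allowlist, otherwise the exit status from run_without_shell(). */
int list_file_safely(const char *filename)
{
    if (!is_safe_argument(filename)) return -2;
    char *const argv[] = { "ls", "-l", (char *)filename, NULL };
    return run_without_shell("/bin/ls", argv);
}

int main(void)
{
    /* Constructed inputs: a benign path and one carrying a shell metacharacter. */
    printf("benign input   -> %d\n", list_file_safely("/"));
    printf("rejected input -> %d\n", list_file_safely("report.txt; other_cmd"));
    return 0;
}
```

The allowlist is deliberately narrow; widening it to accept characters a shell treats specially would reintroduce the problem if any later code path falls back to system() or popen(). The explicit environment also removes the dependence on PATH, IFS and similar variables that the rule's related guidance warns about.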
| Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|---|
| ENV33-C | High | Probable | Yes | No | Medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | stdlib-use-system | Fully checked |
| Axivion Bauhaus Suite | | CertC-ENV33 | |
| Clang | | cert-env33-c | Checked by clang-tidy |
| CodeSonar | | BADFUNC.PATH.SYSTEM | Use of system |
| Compass/ROSE | | | |
| Coverity | | DONT_CALL | Implemented |
| Cppcheck Premium | | premium-cert-env33-c | Fully implemented |
| Helix QAC | | C5018, C++5031 | |
| Klocwork | | SV.CODE_INJECTION.SHELL_EXEC | |
| LDRA tool suite | | 588 S | Fully implemented |
| Parasoft C/C++test | | CERT_C-ENV33-a | The 'system()' function from the 'stdlib.h' or 'cstdlib' library should not be used with an argument other than '0' (null pointer) |
| PC-lint Plus | | 586 | Fully supported |
| Polyspace Bug Finder | | | Checks for unsafe call to a system function (rule fully covered) |
| RuleChecker | | stdlib-use-system | Fully checked |
| SonarQube C/C++ Plugin | | S990 | Detects uses of "abort", "exit", "getenv" and "system" from <stdlib.h> |
...