 
                            Wiki Markup 
| Wiki Markup | 
|---|
| Attackers can manipulate environmental variables to trick an executable into running a spoofed version of a shared library or executable.  Most modern systems, for example, use dynamic libraries and most executables are dynamically linked (that is, use dynamic libraries). An attacker can run arbitrary code with the privileges of a spoofed process by installing a spoofed version of a shared library and influencing the mechanism for dynamic linking by setting the {{LD_PRELOAD}} environmental variable (or another {{LD_\*}} environmental variable).  An interesting example of this vulnerability involving the RFC 1408/RFC 1572 _Telnet Environment Option_ is documented in CERT Advisory CA-1995-14, "Telnetd Environment Vulnerability" \[[CA-1995-14|http://www.cert.org/advisories/CA-1995-14.html]\].  The Telnet Environment Option extension to telnet supports the transfer of environment variables from one system to another, allowing an attacker to transfer environment variables that influence the login program called by the telnet daemon and bypass the normal login and authentication scheme to become root on that system. | 
Certain variables can cause insecure program behavior if they are missing from the environment or improperly set. As a result, the environment cannot be fully purged. Instead, variables that should exist should be set to safe values or treated as untrusted data and examined closely before being used.
For example, the IFS variable (which stands for "internal field separator") is used by some shells to determine which characters separate command line arguments.  A shell has the option of using the incoming IFS value or resetting it to its default at the time the shell is invoked.  Because the shell is invoked by the C99 system() function and the POSIX popen() function, setting IFS to unusual values can subvert apparently-safe calls.
Environment issues are particularly dangerous with setuid/setgid programs because an attacker can completely control the environment variables.
Non-Compliant Code Example (POSIX) (ls)
All programs, particularly those running with higher privileges than the caller (such as those with setuid/setgid flags), should treat their environment as untrusted user input. Because the environment is inherited by processes spawned by calls to the fork(), system(), or exec() functions, it is important to verify that the environment does not contain any values that can lead to unexpected behavior.
The best practice for such programs is to
- Drop privileges once they are no longer necessary. (See POS02-C. Follow the principle of least privilege.)
- Avoid calling system(). (See ENV33-C. Do not call system().)
- Clear the environment and fill it with trusted or default values.
This recommendation is a more specific instance of STR02-C. Sanitize data passed to complex subsystems.
Subclause 7.22.4.6 of the C Standard states that "the set of environment names and the method for altering the environment list are implementation-defined." Consequently, it is important to understand which functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is important to understand which variables are necessary on your system and what are safe values for them.
Noncompliant Code Example (POSIX, ls)
This noncompliant code example invokes the C This non-compliant code invokes the C99 system() function to execute the /bin/ls program. The C99 system() function passes a string to the command processor in the host environment to be executed.
| Code Block | |||||
|---|---|---|---|---|---|
| 
 | |||||
| if ( system("/bin/ls dir.`date +%Y%m%d`"); == -1) { /* Handle error */ } | 
Although IFS does not affect the command portion of this string, /bin/ls, it does determine how the argument is built after calling date. If the default shell does not ignore the incoming value of the IFS environment value, and an attacker sets IFS to ".", the intended directory will not be found.
Compliant Solution (POSIX
...
, ls)
The nonstandard function clearenv() may be used to clear out the environment where available: otherwise, the environment can be cleared by obtaining the environment variable names from environ and removing each one using unsetenv().
In this compliant solution, the environment is cleared by clearenv(), and then the PATH and IFS variables are set to safe values before system() is invoked. Sanitizing shell commands can be difficult, and doing so can adversely affect the power and flexibility associated with them.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| char *pathbuf;
size_t n;
if (clearenv() != 0) {
  /* Handle error */
}
n = confstr(_CS_PATH, NULL, 0);
if (n == 0) {
  /* Handle error */
}
if ((pathbuf = malloc(n | 
| Wiki Markup | 
|---|
| Sanitize the environment by setting required variables to safe values and removing extraneous environment variables.  Set {{IFS}} to its default of "{{ \t\n}}" (the first character is a space character). Set the {{PATH}} environment variable to the string returned by calling {{confstr()}} with the first argument {{\_CS_PATH}}.  Preserve the {{TZ}} environment variable (if present) which denotes the time zone (see the Open Group Base Specifications Issue 6 specifies for the  format for this variable \[[Open Group 04|AA. C References#Open Group 04]\]. | 
| Wiki Markup | 
|---|
| One way to clear the environment is to use the {{clearenv()}} function. The function {{clearenv()}} has an odd history; it was supposed to be defined in POSIX.1, but never made it into the standard. However, it is defined in POSIX.9 (the Fortran 77 bindings to POSIX), so there is a quasi-official status for it \[[Wheeler 03|AA. C References#Wheeler 03]\]. | 
| Wiki Markup | 
|---|
| The other technique is to directly manipulate the environment through the {{environ}} variable.  According to the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\]: | 
The value of an environment variable is a string of characters. For a C-language program, an array of strings called the environment shall be made available when a process begins. The array is pointed to by the external variable environ, which is defined as:
extern char **environ;These strings have the form name=value; names shall not contain the character '='.
Note that C99 standard states that "The set of environment names and the method for altering the environment list are implementation-defined."
Compliant Solution (Sanitization)
| Wiki Markup | 
|---|
| If you explicitly know which environment variables you want to keep, the function below adapted from \[[Viega 03|AA. C References#Viega 03]\] will remove everything else. | 
| Code Block | ||
|---|---|---|
| 
 | ||
| #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> extern char **environ; /* These arrays are both NULL-terminated. */ static char *spc_restricted_environ[ ] = { "IFS= \t\n", 0, /* leave room for PATH=... */ 0 }; static char *spc_preserve_environ[ ] = { "TZ", 0 }; char **spc_sanitize_environment(int preservec, char const **preservev) { int i; char **new_environ, *path, *ptr; char const *value, *var; size_t path_size, arr_size = 1, arr_ptr = 0, len, new_size = 0; if ((path_size = confstr(_CS_PATH, NULL, 0)) > 0) { path = (char *)malloc(path_size + sizeof("PATH=") - 1); if (path == NULL) { /* handle error */ } strcpy(path, "PATH="); if (confstr(_CS_PATH, path + sizeof("PATH=") - 1, path_size) > 0) { spc_restricted_environ[1] = path; } else { free(path); path = NULL; } } for (i = 0; (var = spc_restricted_environ[i]) != 0; i++) { new_size += strlen(var) + 1; arr_size++; } for (i = 0; (var = spc_preserve_environ[i]) != 0; i++) { if ((value = getenv(var)) == NULL) continue; new_size += strlen(var) + strlen(value) + 2;{ /* includeHandle theerror '=' */ arr_size++; } } if (preservec && preservev) { for (i = 0; i < preservec && (var = preservev[i]) != 0; i++confstr(_CS_PATH, pathbuf, n) == 0) { if ((value = getenv(var)) == NULL) continue; new_size += strlen(var) + strlen(value) + 2; /* include the '='Handle error */ arr_size++; } } new_size += (arr_size * sizeof(char *)); if ((new_environ = (char **)malloc(new_size)) == NULL) abort( ); new_environ[arr_size - 1] = 0; ptr = (char *)new_environ + (arr_size * sizeof(char *)); for (i = 0; (var = spc_restricted_environ[i]) != 0; i++) { new_environ[arr_ptr++] = ptr; len = strlen(var); memcpy(ptr, var, len + 1); ptr += len + 1; } for (i = 0; (var = spc_preserve_environ[i]) != 0; i++) { if ((value = getenv(var)) == NULL) continue; new_environ[arr_ptr++] = ptr; len = strlen(var); memcpy(ptr, var, len); *(ptr + len + 1) = '='; memcpy(ptr + len + 2, value, strlen(value) + 1); ptr += len + strlen(value) + 2; /* include the '=' */ } if (preservec && preservev) { for (i = 0; i < preservec && (var = preservev[i]) != 0; i++) { if ((value = getenv(var)) == NULL) continue; new_environ[arr_ptr++] = ptr; len = strlen(var); memcpy(ptr, var, len); *(ptr + len + 1) = '='; memcpy(ptr + len + 2, value, strlen(value) + 1); ptr += len + strlen(value) + 2; /* include the '=' */ } } /* the new environment can now be used as the envp argument to execle or execve */ return new_environ; } | 
| Wiki Markup | 
|---|
| POSIX.1-2008 \[[Austin Group 08|AA. C References#Austin Group 08]\] defines a new {{\_CS_V7_ENV}} argument to {{confstr()}} to retrieve a list of environment variable settings required for a default conforming environment.  A space-separated list of variable=value pairs is returned, with variable names guaranteed not to contain = signs, and variable=value pairs guaranteed not to contain spaces.  Used together with the {{\_CS_PATH}} request illustrated above, this completely describes the minimum environment variable settings required to obtain a clean conforming environment.  On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment. | 
Non-Compliant Code Example (POSIX) (grep)
This non-compliant code invokes the C99 system() function to perform a user-specified search using one of the standard grep programs. The user specifies the files searched, the search pattern, the options to grep, and, in fact, the variant; they could use fgrep, for instance.
| Code Block | ||
|---|---|---|
| 
 | ||
| 
char *search_command; /* provided by the user, looks like 'grep -e...' */
system( search_command);
 | 
In this scenario, the user may actually issue any command, (or multiple commands!) to be arbitrarily executed by the system.
Compliant Solution (POSIX) (grep)
In this compliant solution, the user again supplies the command string, but the program ensures that nothing is called except grep or one of its variants. Also, the program ensures the environment is sanitized, and that no extra commands are supplied.
Rather simplistically, the sanitization of the command is done by detecting 'dangerous' characters that can be used to embed other commands, and refusing to execute the command if such characters are found.
| Code Block | ||
|---|---|---|
| 
 | ||
| 
#include <string.h>
/* ... */
char *search_command; /* provided by the user, looks like 'grep -e...' */
if (strlen( search_command) < strlen("xgrep")) {
   /* handle too-short-command error */
}
{
  /* Make sure command is actually a grep variant
   * by ensuring command starts with "grep" or "*grep" */
  char *location = strstr( search_command, "grep");
  if (location != search_command && location != search_command+1) {
    /* handle not-a-grep-command error */
  }
}
{
  /* Eliminate bad chars */
  static char bad_chars[] = "$|&>;`\n";
  if (strcspn(cp, bad_chars) != strlen(cp)) {
    /* handle naughty-chars-in-command error */
  }
}
/* Sanitize current environment here ... */
if (system( search_command) != 0) {
  /* handle system error */
}
 | 
This example sanitizes the environment to ensure it is 'clean' before issuing the command. It also sanitizes the command string, which is described in STR02-A. Sanitize data passed to complex subsystems.
Since this program uses system(), one should consider alternatives as per ENV04-A. Do not call system() if you do not need a command processor, however this particular example does require a command interpreter.
Note that this example specifies nothing about privileges. If run with root privileges (eg in a setuid-root context), this example would permit the user to access files readable only by root. A program with elevated privileges should drop them before executing this code.
This example actually lets the user invoke any program consisting of a single character plus grep. If the average user has access to possibly dangerous programs such as ngrep, you may wish to disallow such commands from executing.
Finally, this example indiscriminately assumes the presence of certain characters like | and $ indicates malice on the part of the user, and refuses to execute the command. While secure, this reduces the power of the command considerably (since these characters serve useful functions in egrep expressions). Ideally, the program would do some more intelligent parsing of the command to allow good uses of these characters while preventing bad uses. At the very least, the program should warn the user that those characters are forbidden.
| setenv("PATH", pathbuf, 1) == -1) {
  /* Handle error */
}
if (setenv("IFS", " \t\n", 1) == -1) {
  /* Handle error */
}
if (system("ls dir.`date +%Y%m%d`") == -1) {
  /* Handle error */
}
 | 
POSIX also specifies the confstr() function, which can be used to look up default values for environment variables [IEEE Std 1003.1:2013]. The _CS_V7_ENV argument to confstr() retrieves a list of environment variable settings required for a default conforming environment [IEEE Std 1003.1:2013]. A space-separated list of variable=value pairs is returned, with variable names guaranteed not to contain equal signs (=), and variable=value pairs guaranteed not to contain spaces. Used together with the _CS_PATH request, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment.
On systems that have no clearenv() function, the following implementation can be used:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| extern char **environ;
int clearenv(void) {
  static char *namebuf = NULL;
  static size_t lastlen = 0;
  while (environ != NULL && environ[0] != NULL) {
    size_t len = strcspn(environ[0], "=");
    if (len == 0) {
      /* Handle empty variable name (corrupted environ[]) */
    }
    if (len > lastlen) {
      namebuf = realloc(namebuf, len+1);
      if (namebuf == NULL) {
        /* Handle error */
      }
      lastlen = len;
    }
    memcpy(namebuf, environ[0], len);
    namebuf[len] = '\0';
    if (unsetenv(namebuf) == -1) {
      /* Handle error */
    }
  }
  return 0;
}
 | 
Compliant Solution (Windows)
There is no portable or guaranteed way to clear out the environment under Windows. Following ENV33-C. Do not call system(), care should be taken to use _execle(), _execlpe(), _execve(), or _execvpe() instead of system(), because they allow the environment to be explicitly specified.
If it is explicitly known which environment variables need to be kept, Secure Programming Cookbook for C and C++ [Viega 2003] defines a function, spc_sanitize_environment(), that will remove everything elseAs you can see, sanitizing a shell command is very tricky business, and secure results can adversely impact the inherent power and flexibility associated with shell commands in the first place.
Risk Assessment
Invoking an external program in an attacker-controlled environment is inherently dangerous.
| Recommendation | Severity | Likelihood | Detectable | 
|---|
| Repairable | Priority | Level | 
|---|---|---|
| ENV03- | 
| C | High | 
| Likely | 
| No | 
| No | 
| P9 | L2 | 
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Helix QAC | 
 | C5017 | |||||||
| LDRA tool suite | 
 | 588 S | Partially implemented | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup | 
|---|
| \[[Austin Group 08|AA. C References#Austin Group 08]\] vol. 2, System Interfaces, {{confstr()}}
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 10, "UNIX II: Processes"
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"
\[[Open Group 04|AA. C References#Open Group 04]\] Chapter 8, "Environment Variables"
\[[Viega 03|AA. C References#Viega 03]\] Section 1.1, "Sanitizing the Environment"
\[[Wheeler 03|AA. C References#Wheeler 03]\] [Section 5.2, "Environment Variables"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html] | 
Related Guidelines
| SEI CERT C++ Coding Standard | VOID ENV01-CPP. Sanitize the environment when invoking external programs | 
| CERT Oracle Secure Coding Standard for Java | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method | 
| ISO/IEC TR 24772:2013 | Executing or Loading Untrusted Code [XYS] | 
| MITRE CWE | CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") CWE-88, Argument injection or modification CWE-426, Untrusted search path CWE-471, Modification of Assumed-Immutable Data (MAID) CWE-807, Reliance on intrusted inputs in a security decision | 
Bibliography
| [CA-1995-14] | "Telnetd Environment Vulnerability" | 
| [Dowd 2006] | Chapter 10, "UNIX II: Processes" | 
| [IEEE Std 1003.1:2013] | Chapter 8, "Environment Variables" XSH, System Interfaces, confstr | 
| [ISO/IEC 9899:2011] | Subclause 7.22.4, "Communication with the Environment" | 
| [Viega 2003] | Section 1.1, "Sanitizing the Environment" | 
| [Wheeler 2003] | Section 5.2, "Environment Variables" | 
...
ENV02-A. Beware of multiple environment variables with the same name 10. Environment (ENV) ENV04-A. Do not call system() if you do not need a command processor