
...
If the command string passed to system(), popen(), or any other function that invokes a command processor is not fully sanitized, the risk of exploitation is high. In the worst case scenario, an attacker can execute arbitrary system commands on the compromised machine with the privileges of the vulnerable process.
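The mitigation the rule points at is to avoid the command processor altogether: pass the program and its arguments as a vector to an exec-family function so that shell metacharacters in user-controlled data are never interpreted, and reject (rather than escape) arguments that fall outside an allow-list. The following C program is an added example written for this page, not code from the CERT rule itself; the helper names (is_safe_filename, run_command_noshell, list_file) and the sample inputs are constructed for illustration.

```c
/* Added example (not CERT's own code): running a program with a
 * user-controlled argument without invoking a command processor.
 * Helper names below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for a file-name argument: non-empty, at most 255 bytes,
 * only [A-Za-z0-9._-], and not starting with '-' (so the child program
 * cannot parse it as an option). Anything else is rejected, not "escaped". */
bool is_safe_filename(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-') return false;
    if (strlen(s) > 255) return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!isalnum(*p) && *p != '.' && *p != '_' && *p != '-') return false;
    }
    return true;
}

/* Run argv[0] with the given argument vector via fork()/execv(). No shell
 * is involved, so any metacharacters in an argument reach the program as
 * literal bytes. Returns the child's exit status, 127 if exec failed,
 * or -1 on fork/wait failure or death by signal. */
int run_command_noshell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);          /* exec failed: report it, never fall through */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

/* Caller-side use: validate, then spawn with an argument vector.
 * The noncompliant equivalent would build "ls -l <name>" into one string
 * and hand it to system(), i.e. to /bin/sh -c, where ';' or '$(...)' in
 * <name> would be interpreted. */
int list_file(const char *name)
{
    if (!is_safe_filename(name)) {
        fprintf(stderr, "rejected argument: %s\n", name);
        return -1;
    }
    char *const argv[] = { "/bin/ls", "-l", (char *)name, NULL };
    return run_command_noshell(argv);
}

int main(void)
{
    /* Constructed inputs: a plain file name and one carrying shell syntax. */
    printf("plain name -> %d\n", list_file("notes.txt"));
    printf("shell syntax -> %d\n", list_file("notes.txt;$(x)"));
    return 0;
}
```

The second call never reaches the spawn step: the allow-list rejects the argument. Even if validation were skipped, execv() would pass the string to ls as a single argument rather than letting a shell interpret it, which is the property system() cannot provide.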
Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level
---|---|---|---|---|---|---|---
ENV33-C | High | Probable | Yes | No | Medium | P12 | L1
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | stdlib-use-system | Fully checked
Axivion Bauhaus Suite | | CertC-ENV33 |
Clang | | cert-env33-c | Checked by clang-tidy
CodeSonar | | BADFUNC.PATH.SYSTEM | Use of system
Compass/ROSE | | |
Coverity | | DONT_CALL | Implemented
Cppcheck Premium | | premium-cert-env33-c |
Helix QAC | | C5018 C++5031 |
Klocwork | | SV.CODE_INJECTION.SHELL_EXEC |
LDRA tool suite | | 588 S | Fully implemented
Parasoft C/C++test | | CERT_C-ENV33-a | The 'system()' function from the 'stdlib.h' or 'cstdlib' library should not be used with an argument other than '0' (null pointer)
PC-lint Plus | | 586 | Fully supported
Polyspace Bug Finder | | | Checks for unsafe call to a system function (rule fully covered)
RuleChecker | | stdlib-use-system | Fully checked
SonarQube C/C++ Plugin | | S990 | Detects uses of "abort", "exit", "getenv" and "system" from <stdlib.h>
...