Many programs and libraries, including the shared library loader on both UNIX and Windows systems, depend on environment variable settings. Because environment variables are inherited from the parent process when a program is executed, an attacker can easily sabotage variables, causing a program to behave in an unexpected and insecure manner \[[Viega 2003|AA. Bibliography#Viega 03]\]. |
All programs, particularly those running with higher privileges than the caller (such as those with setuid/setgid
flags), should treat their environment as untrusted user input. Because the environment is inherited by processes spawned by calls to the fork()
, system()
, or exec()
functions, it is important to verify that the environment does not contain any values that can lead to unexpected behavior.
The best practice for such programs is to
system()
. (See recommendation ENV04-C. Do not call system() if you do not need a command processor.)This rule is a more specific instance of recommendation STR02-C. Sanitize data passed to complex subsystems.
C99 states that, "the set of environment names and the method for altering the environment list are implementation-defined." Consequently, it is important to understand which functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is important to understand which variables are necessary on your system and what are safe values for them.
ls
)This noncompliant code example invokes the C99 system()
function to execute the /bin/ls
program. The C99 system()
function passes a string to the command processor in the host environment to be executed.
if (system("/bin/ls dir.`date +%Y%m%d`") == -1) { /* Handle error */ } |
Although IFS
does not affect the command portion of this string, /bin/ls
, it does determine how the argument is built after calling date. If the default shell does not ignore the incoming value of the IFS
environment value, and an attacker sets IFS
to "."
, the intended directory will not be found.
ls
)The nonstandard function clearenv()
may be used to clear out the environment where available: otherwise, it can be cleared by obtaining the environment variable names from environ
and removing each one using unsetenv()
.
In this compliant solution, the environment is cleared by clearenv()
, and then the PATH
and IFS
variables are set to safe values before system()
is invoked. Sanitizing a shell command can be difficult and doing so can adversely affect the power and flexibility associated with them.
char *pathbuf; size_t n; if (clearenv() != 0) { /* Handle error */ } n = confstr(_CS_PATH, NULL, 0); if (n == 0) { /* Handle error */ } if ((pathbuf = malloc(n)) == NULL) { /* Handle error */ } if (confstr(_CS_PATH, pathbuf, n) == 0) { /* Handle error */ } if (setenv("PATH", pathbuf, 1) == -1) { /* Handle error */ } if (setenv("IFS", " \t\n", 1) == -1) { /* Handle error */ } if (system("ls dir.`date +%Y%m%d`") == -1) { /* Handle error */ } |
POSIX also specifies the {{confstr()}} function, which can then be used to look up default values for environment variables \[[Open Group 2004|AA. Bibliography#Open Group 04]\]. POSIX.1-2008 defines a new {{\_CS_V7_ENV}} argument to {{confstr()}} to retrieve a list of environment variable settings required for a default conforming environment \[[Austin Group 2008|AA. Bibliography#Austin Group 08]\]. A space-separated list of {{variable=value}} pairs is returned, with variable names guaranteed not to contain equal signs (=), and {{variable=value}} pairs guaranteed not to contain spaces. Used together with the {{\_CS_PATH}} request, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment. |
On systems that have no clearenv()
function, the following implementation can be used:
extern char **environ; int clearenv(void) { static char *namebuf = NULL; static size_t lastlen = 0; while (environ != NULL && environ[0] != NULL) { size_t len = strcspn(environ[0], "="); if (len == 0) { /* Handle empty variable name (corrupted environ[]) */ } if (len > lastlen) { namebuf = realloc(namebuf, len+1); if (namebuf == NULL) { /* Handle error */ } lastlen = len; } memcpy(namebuf, environ[0], len); namebuf[len] = '\0'; if (unsetenv(namebuf) == -1) { /* Handle error */ } } return 0; } |
There is no portable or guaranteed way to clear out the environment under Windows. Following recommendation ENV04-C. Do not call system() if you do not need a command processor, care should be taken to use _execle()
, _execlpe()
, _execve()
, or _execvpe()
instead of system()
, because they allow the environment to be explicitly specified.
If it is explicitly known which environment variables need to be kept, \[[Viega 2003|AA. Bibliography#Viega 03]\] defines a function, {{spc_sanitize_environment()}}, that will remove everything else. |
Invoking an external program in an attacker-controlled environment is inherently dangerous.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV03-C |
high |
likely |
high |
P9 |
L2 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
CERT C++ Secure Coding Standard: ENV03-CPP. Sanitize the environment when invoking external programs
The CERT Oracle Secure Coding Standard for Java: IDS06-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method
ISO/IEC 9899:1999 Section 7.20.4, "Communication with the environment"
ISO/IEC PDTR 24772 "XYS Executing or Loading Untrusted Code"
MITRE CWE: CWE-426, "Untrusted Search Path"
MITRE CWE: CWE-88, "Argument Injection or Modification"
MITRE CWE: CWE-78, "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')"
MITRE CWE: CWE-807, "Reliance on Untrusted Inputs in a Security Decision"
\[[Austin Group 2008|AA. Bibliography#Austin Group 08]\] Vol. 2, System Interfaces, {{confstr()}} \[[CA-1995-14|http://www.cert.org/advisories/CA-1995-14.html]\] "Telnetd Environment Vulnerability" \[[Dowd 2006|AA. Bibliography#Dowd 06]\] Chapter 10, "UNIX II: Processes" \[[Open Group 2004|AA. Bibliography#Open Group 04]\] Chapter 8, "Environment Variables", and [{{confstr()}}|http://www.opengroup.org/onlinepubs/009695399/functions/confstr.html] \[[Viega 2003|AA. Bibliography#Viega 03]\] Section 1.1, "Sanitizing the Environment" \[[Wheeler 2003|AA. Bibliography#Wheeler 03]\] [Section 5.2, "Environment Variables"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html] |
10. Environment (ENV) ENV04-C. Do not call system() if you do not need a command processor