The following simple program accepts a filename as a command line argument and
displays the contents of the file back to the user. The program is installed setuid root
because it is intended for use as a learning tool to allow system administrators
in-training to inspect privileged system files without giving them the ability to modify
them or damage the system. int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
} Because the program runs with root privileges, the call to system() also executes
with root privileges. If a user specifies a standard filename, the call works as expected.
However, if an attacker passes a string of the form ";rm -rf /", then the call to system()
fails to execute cat due to a lack of arguments and then plows on to recursively delete
the contents of the root partition.
The following code is from an administrative web application designed allow users to
kick off a backup of an Oracle database using a batch-file wrapper around the rman utility
and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies what type of backup to perform.
Because access to the database is restricted, the application runs the backup as a
privileged user. ...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
... The problem here is that the program does not do any validation on the backuptype
parameter read from the user. Typically the Runtime.exec() function will not execute
multiple commands, but in this case the program first runs the cmd.exe shell in order to
run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it
will happily execute multiple commands separated by two ampersands. If an attacker passes
a string of the form "& del c:\\dbms\\*.*", then the application will execute this
command along with the others specified by the program. Because of the nature of the
application, it runs with the privileges necessary to interact with the database, which
means whatever command the attacker injects will run with those privileges as well.
The following code from a system utility uses the system property APPHOME to
determine the directory in which it is installed and then executes an initialization
script based on a relative path from the specified directory. ...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
... The code above allows an attacker to execute arbitrary commands with the elevated
privilege of the application by modifying the system property APPHOME to point to a
different path containing a malicious version of INITCMD. Because the program does not
validate the value read from the environment, if an attacker can control the value of the
system property APPHOME, then they can fool the application into running malicious code
and take control of the system.
The following code is from a web application that allows users access to an interface
through which they can update their password on the system. Part of the process for
updating passwords in certain network environments is to run a make command in the /var/yp
directory, the code for which is shown below. ...
System.Runtime.getRuntime().exec("make");
... The problem here is that the program does not specify an absolute path for make and
fails to clean its environment prior to executing the call to Runtime.exec(). If an
attacker can modify the $PATH variable to point to a malicious binary called make and
cause the program to be executed in their environment, then the malicious binary will be
loaded instead of the one intended. Because of the nature of the application, it runs with
the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of
the system.
The following code is a wrapper around the UNIX command cat which prints the contents
of a file to standard out. It is also injectable: C Example: #include <stdio.h>
#include <unistd.h>
int main(int argc, char **argv) {
char cat[] = "cat ";
char *command;
size_t commandLength;
commandLength = strlen(cat) + strlen(argv[1]) + 1;
command = (char *) malloc(commandLength);
strncpy(command, cat, commandLength);
strncat(command, argv[1], (commandLength - strlen(cat)) );
system(command);
return (0);
} Used normally, the output is simply the contents of the file requested: $
./catWrapper Story.txt When last we left our heroes... However, if we add a semicolon and
another command to the end of this line, the command is executed by catWrapper with no
complaint: $ ./catWrapper Story.txt; ls When last we left our heroes... Story.txt
doubFree.c nullpointer.c unstosig.c www* a.out* format.c strlen.c useFree* catWrapper*
misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c If
catWrapper had been set to have a higher privilege level than the standard user, arbitrary
commands could be executed with that higher privilege. | 
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated
