pattern c Moderate
C system() function vulnerability
vulnerability system function
Problem
Suppose we have the following program:
#include <stdio.h>
#include <stdlib.h>
int main()
{
    char *user = getenv("USER");
    char buffer[4096];
    if (user) {
        snprintf(buffer, sizeof buffer, "/bin/echo %s", user);
        system(buffer);
    }
    return 0;
}
Is it possible for a user to cause this program to execute arbitrary commands?
Solution
If this is actually in live code somewhere, then whoever wrote it should be forced to write "I will never call system on tainted user input again" 1 googol times with a dull pencil. Yes. As written, this code contains an exploit. Here's a simple example.
tmp$ cat foo.c
#include <stdlib.h>
#include <stdio.h>
int
main() {
    char *user = getenv("USER");
    char buffer[4096];
    if (user) {
        snprintf(buffer, sizeof buffer, "/bin/echo %s", user);
        printf("running %s\n", buffer);
        system(buffer);
    }
    return 0;
}
tmp$ gcc foo.c
tmp$ mkdir /tmp/xxx
tmp$ ls -ld /tmp/xxx
drwxr-xr-x 2 daveshawley users 68 Nov 30 22:25 /tmp/xxx/
tmp$ USER='foo; rm -fr /tmp/xxx' ./a.out
running /bin/echo foo; rm -fr /tmp/xxx
foo
tmp$ ls -ld /tmp/xxx
ls: /tmp/xxx: No such file or directory
tmp$
Context
StackExchange Code Review Q#6435, answer score: 14
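A shell-free version of the program above, as an added example that is not part of the original question or answer: /bin/echo is executed directly with the USER value as a single argv entry, so nothing ever parses the `;`. The helper name echo_literal, the empty child environment and the pipe that captures the output are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (echo_literal is a hypothetical helper, not from the post).
 * Runs /bin/echo with `arg` as exactly one argv entry, without a shell, and
 * captures its stdout in `out`. Returns echo's exit status, -1 on error. */
int echo_literal(const char *arg, char *out, size_t outsz)
{
    int fds[2], status;
    if (outsz == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                        /* child */
        char *argv[] = { "echo", (char *)arg, NULL };
        char *envp[] = { NULL };           /* pass no inherited environment */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        execve("/bin/echo", argv, envp);   /* direct exec: no /bin/sh -c */
        _exit(127);                        /* only reached if exec failed */
    }
    close(fds[1]);                         /* parent keeps the read end only */
    size_t used = 0;
    ssize_t n;
    while (used < outsz - 1 &&
           (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *user = getenv("USER");
    char out[4096];
    if (user && echo_literal(user, out, sizeof out) == 0)
        fputs(out, stdout);
    return 0;
}
```

The value still reaches echo as an argument, so a value such as `-n` is read by echo as an option; that is a separate argument-handling concern from the shell parsing removed here.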