The SAMATE Project Department of Homeland Security

Test Case ID: Candidate11
Bad / Good: Bad (bad test case)
Author: N/A
Associated test case: N/A
Contributor: SecureSoftware
Language: C
Type of test case: Source Code
Input string: $ ./catWrapper Story.txt; ls
Expected Output: N/A
Instructions: N/A
Submission date: 2005-10-27
Description: Command injection problems are a subset of injection problems, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane. (from TCCLASP-5_2_25_10)
Filename: Command_injection.c
Flaw:
  • CWE-078: Failure to Sanitize Data into an OS Command (OS Command Injection) at line 15

./Command_injection.c
  1. /* The following code is a wrapper around the UNIX command cat, which prints the
  2. contents of a file to standard out. It is also injectable:
  3. */
  4. #include <string.h>   /* strlen, strncpy, strncat */
  5. #include <stdio.h>
  6. #include <stdlib.h>   /* malloc, system */
  7. int main(int argc, char **argv) {
  8. char cat[] = "cat ";
  9. char *command;
  10. size_t commandLength;
  11. commandLength = strlen(cat) + strlen(argv[1]) + 1;
  12. command = (char *) malloc(commandLength);
  13. strncpy(command, cat, commandLength);
  14. strncat(command, argv[1], (commandLength - strlen(cat)) );
  15. system(command);
  16. return (0);
  17. }
  18.  
  19.  
  20.  
  21. /* Used normally, the output is simply the contents of the file requested:
  22. $ ./catWrapper Story.txt
  23. When last we left our heroes...
  24. However, if we add a semicolon and another command to the end of this line,
  25. the command is executed by catWrapper with no complaint:
  26. $ ./catWrapper Story.txt; ls
  27. When last we left our heroes...
  28. Story.txt doubFree.c nullpointer.c
  29. unstosig.c www* a.out*
  30. format.c strlen.c useFree*
  31. catWrapper* misnull.c strlength.c
  32. useFree.c commandinjection.c
  33. nodefault.c trunc.c writeWhatWhere.c
  34. If catWrapper had been set to have a higher privilege level than the standard
  35. user, arbitrary commands could be executed with that higher privilege.
  36. */
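The hardened counterpart of catWrapper, added here as an example that is not part of the SAMATE entry: it replaces system() with fork()/execvp() so the file name reaches cat as a single argv element and no shell ever parses it, which is why "Story.txt; ls" becomes nothing more than a missing file. The cat_temp_file helper and its /tmp sample file are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed counterpart to catWrapper: run cat on exactly one file without a shell.
 * Returns cat's exit status (0 = file printed, 1 = cat reported an error such as
 * "No such file"), or -1 if the child could not be started or waited for. */
int safe_cat(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* The name is one argv element; "--" keeps a name like "-n" from
         * being read as an option. No /bin/sh is involved, so ';' is literal. */
        char *const argv[] = { "cat", "--", (char *)path, NULL };
        execvp("cat", argv);
        _exit(127);   /* only reached if cat itself could not be executed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo helper (constructed): write `content` to a fresh temp file, cat it,
 * delete it, and return safe_cat's result for that file. */
int cat_temp_file(const char *content) {
    char path[] = "/tmp/catwrapper_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    int rc = (write(fd, content, len) == (ssize_t)len) ? 0 : -1;
    close(fd);
    if (rc == 0)
        rc = safe_cat(path);
    unlink(path);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    return safe_cat(argv[1]);   /* "Story.txt; ls" is now just a missing file */
}
```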