SV.CODE_INJECTION.SHELL_EXEC

Command injection vulnerability

When the system() or popen() function is called with externally influenced input, a malicious user can inject a string and execute arbitrary commands and code with the privileges of the attacked process. For example, an attacker could inject a semicolon to end one command and append a new, unrelated command for execution.

Vulnerability and risk

A system() or popen() call that's vulnerable to command injection can result in

  • execution of malicious code
  • creation of a new user account to access a compromised system
  • arbitrary command execution with a higher privilege level than the standard user

In a worst-case scenario, an attacker could inject a string that takes control of the system, and for instance, delete the contents of the root partition.

Mitigation and prevention

To avoid this issue, it's best to

  • use only constant strings with a system call
  • add validation code before command execution
  • use library calls rather than external processes
  • use whitelist rather than blacklist input validation
  • use the exec family of functions to run external executables
  • make sure any external executable can't be written by the user
  • implement functionality directly in the program with calls to existing libraries

Vulnerable code example

```c
1  char *constbuf = "bash";
2  int main()
3  {
4       char buf[100];
5       scanf("%99s", buf);                                  // user-controlled input (width bounded to the buffer)
6       system("echo \"constant string: no warning\"");      // constant string: not flagged
7  
8       system(constbuf);                                    // pointer to a constant string: not flagged
9       system(buf);                                         // tainted input reaches system(): flagged
10      popen("echo OK","r");                                // constant string: not flagged
11      popen(constbuf, "r");                                // pointer to a constant string: not flagged
12      popen(buf, "r");                                     // tainted input reaches popen(): flagged
13      return 0;
14 
15 }
```

In this example, Klocwork produces an issue report at line 9 indicating that the system() function may accept a command line that can be influenced by the user, causing the execution of arbitrary code. A similar warning is reported for the popen() call at line 12. In either case, an attacker could inject commands to execute malicious code, even to the extent of taking control of the system or deleting the root partition. The system() calls at lines 6 and 8 take a constant string as their argument, so they aren't open to code injection and aren't flagged.
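The following added example (not part of the Klocwork documentation) shows the flagged pattern next to a hardened rewrite that applies two of the mitigations listed above: whitelist validation of the input and the exec family instead of a shell. The helper names, the `wc -l` command and the character whitelist are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Whitelist validation (assumed policy): non-empty, at most 64 characters,
   only [A-Za-z0-9._-], and not starting with '-' or '.' so the value can
   neither be parsed as an option nor name a hidden/parent path. */
int is_safe_filename(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Vulnerable pattern (what SV.CODE_INJECTION.SHELL_EXEC flags): tainted
   input is concatenated into a command line that a shell will parse. */
int count_lines_vulnerable(const char *name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "wc -l %s", name);
    return system(cmd);   /* a ';' in name ends wc and starts a second command */
}

/* Hardened: reject anything outside the whitelist, then run the executable
   directly with execvp(). The name is one argv entry; no shell ever sees it. */
int count_lines_hardened(const char *name) {
    if (!is_safe_filename(name)) return -1;   /* reject, do not try to sanitize */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"wc", "-l", "--", (char *)name, NULL};
        execvp("wc", argv);
        _exit(127);                            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char buf[100];
    if (scanf("%99s", buf) != 1) return 1;
    printf("exit status: %d\n", count_lines_hardened(buf));
    return 0;
}
```

Where the external program is not needed at all, the last item in the mitigation list (counting the lines in-process with stdio) removes the process spawn entirely and with it the sink the checker reports on.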

Related checkers