
Detecting command injection flaws (like Shellshock)

on Oct 10, 14 • by Roy Sarkar


In this follow up to our last article about Shellshock, we’ll take a look at an example of a command injection flaw and see how Klocwork detects it. As a refresher, a command injection flaw is the result of improper or incorrect neutralization of elements that could modify an intended operating system command. The Shellshock flaw falls under this category: Bash doesn’t neutralize the text that follows a function definition in an environment variable’s value; in fact, it treats that trailing text as a real command and executes it.

Finding the flaw
Klocwork detects a comprehensive set of Common Weakness Enumeration (CWE) vulnerabilities as part of its on-the-fly code analysis, and command injection falls under CWE-78. For this CWE ID, Klocwork covers three different scenarios with these checkers:

NNTS.TAINTED – finds code that uses string manipulation functions with character arrays that may not be null-terminated, resulting in potential buffer overflows and security problems
SV.CODE_INJECTION.SHELL_EXEC – finds code that accepts command lines that are influenced by external input, resulting in the execution of potentially malicious commands
SV.TAINTED.INJECTION – finds code that doesn’t validate input from the user or the outside environment, potentially resulting in the execution of arbitrary commands, unexpected values, or altered control flow

For example, consider the following code in a file called bashed.c:

    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        // Testcase 1 of 2
        // argv[1] is untrusted input handed straight to the shell
        int ret1 = 0;

        if (argc > 1) {
            ret1 = system(argv[1]);
        }

        // Testcase 2 of 2
        // an environment variable is just as untrusted (cf. Shellshock)
        int ret2 = 0;

        char *anything = getenv ("anything");

        if (anything) {
            ret2 = system(anything);
        }

        return ret1 + ret2;
    }

Running kwcheck run on this file from the command line would yield the following results (the line numbers refer to bashed.c as listed above):

bashed.c:10 SV.TAINTED.INJECTION (3:Warning) Analyze
Unvalidated string '*argv' is received from an external function through a call to 'main' at line 3
this can be run as command line through call to 'system' at line 10. User input can be used
to cause arbitrary command execution on the host system. Check strings for length and content
when used for command execution.

bashed.c:20 SV.TAINTED.INJECTION (3:Warning) Analyze
Unvalidated string 'anything' is received from an external function through a call to 'getenv'
at line 17 this can be run as command line through call to 'system' at line 20. User input
can be used to cause arbitrary command execution on the host system. Check strings for
length and content when used for command execution.

bashed.c:10 SV.CODE_INJECTION.SHELL_EXEC (3:Warning) Analyze
function 'system' possibly accepts command line that may be influenced by user, causing
execution of arbitrary code. Arbitrary commands can be executed by an attacker. Check
the length and content of strings used for command execution. Also there is one similar
error on line 20.

Summary: 3 Local
3 Total Issue(s)

The first two reports, found by the SV.TAINTED.INJECTION checker, indicate that the variables argv and anything are unvalidated and have the potential to be used to execute arbitrary commands. The last report, found by the SV.CODE_INJECTION.SHELL_EXEC checker, warns that the call to system uses input that is potentially influenced by a malicious user. In all cases, Klocwork is advising you of the potential for unintended commands to be executed – a common form of attack by hackers.
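A hardened counterpart to bashed.c, added here as an editor's example rather than Klocwork's or the author's code: the untrusted value is checked against a character allowlist and then passed as a single argv element to a fixed program via execv(), so no shell ever parses it. The choice of /bin/ls as the fixed program and the 255-character limit are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist validation: accept only what a plain path argument needs and
 * reject everything else, shell metacharacters included. A leading '-' is
 * refused too, so the child program cannot parse the value as an option. */
int is_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || strlen(s) > 255)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != '/')
            return 0;
    }
    return 1;
}

/* Hardened replacement for system(argv[1]): the program is fixed (/bin/ls
 * is an assumption for this example) and the untrusted value travels as one
 * argv element via execv(), so no shell parses it. Returns the child's exit
 * status, or -1 if the input was rejected or the child could not run. */
int run_fixed_program(const char *arg)
{
    if (!is_safe_arg(arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const child_argv[] = { "/bin/ls", "-ld", (char *)arg, NULL };
        execv(child_argv[0], child_argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    /* Same shape as bashed.c, but the tainted argv[1] never reaches a shell. */
    return argc > 1 ? run_fixed_program(argv[1]) : 0;
}
```

Because the command is assembled as an argv array rather than a string, neither SV.TAINTED.INJECTION nor SV.CODE_INJECTION.SHELL_EXEC has a shell sink to report; the allowlist additionally blocks argument injection, which execv() alone would not.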

Learn more:
• Read about the complete set of security standards that Klocwork supports, including OWASP, CWE, CERT, and DISA
• See the leading challenges driving code security and complexity issues in software today by watching this webinar
