# Press a key

This is a discussion on Press a key within the C++ Programming forums, part of the General Programming Boards category.

1. Why system() is risky? It sends a command to system, how can it be a security risk?

2. Because the program it calls can be replaced by a malicious one with the same name. Say you call:

Code:
system ("clear");
On a UNIX / Linux box. clear is a program. It can therefore be replaced by another, malicious program also called "clear" and your program would be none the wiser.

EDIT: Did you even bother reading the FAQ article?

4. I read it. But no code can replace system commands at least in winXP.
Go to command prompt in WinXP and write pause, it asks you to press a key to continue. Now copy an exe file to C: and rename it to "pause.exe". Again write pause, it asks you to press a key again (NO DIFFERENCE). But if you write pause.exe, it will execute the file.

5. Originally Posted by siavoshkc
I read it. But no code can replace system commands at least in winXP.
Go to command prompt in WinXP and write pause, it asks you to press a key to continue. Now copy an exe file to C: and rename it to "pause.exe". Again write pause, it asks you to press a key again (NO DIFFERENCE). But if you write pause.exe, it will execute the file.
That's because the system programs aren't stored in C:\, genius. There is a way under XP: threads & processes, just like in UNIX. You'll have to look it up yourself - all I know is it involves the header "process.h", iirc.

6. This is because 'pause' is not an executable that the system searches for, but rather a feature of the win32 console. If you were to instead, for example while looking for network statistics, run something like:

Code:
system("netstat");
Then I would exploit the fact that the system searches the current directory for the netstat module before searching the system directory ::GetSystemDirectory(..), and I would put my own netstat.exe in the current directory and run evil code.

7. ## beautiful system()

if you're using MS VC++6, system is defined in header <stdlib.h> and you're using some form of windows too (dumb point but better safe than sorry - imagine MS VC++ for Unix!!?)

what it does? lots!!!

go in to start menu -> run: cmd.exe (or command.exe - i'm not sure if it's version specific). this will load the windows command line interface or shell, which is most commonly thought of as MS-DOS. it should look just like your console program

try typing pause.

system ("pause");

run it - see any similarity?

the system () is a cheap and easy way to do lots of things that are not so often as easy in C/C++. it allows you to use shell commands in your own program, and there are a lot of them! the syntax is as above, just remember the quotation marks! a personal favorite of mine is system ("cls"); clears the console of all text - no need for a custom function. another good one is system ("color (hex_number)"); changes the *colour formatting of the console. type in color -ls into the shell to see how it works.

sounds cool!!? thought so. why haven't you been told!!? cos it's not as cool as it looks...

system () is generally frowned upon by serious programmers because as a previous post said,

"system() hands control over to the program it calls "

an example of this is to use it to open a text file or some program. save your executable in a specific directory and create a text file with something in it, in the same directory.

in the middle of your code, call

system ("something.txt");

you should see notepad open up, but your program is stalled in its place - it waits for the shell to return control to the program. close the text file, and your program resumes! it is also important that the item you are opening is in the same directory as your executable, i don't know how to change the path that it looks for it in just yet, but i'm not particularly concerned.

here's a link to a microsoft site that has a load of shell commands for windows xp, most are common to earlier editions as well:

http://www.microsoft.com/resources/d...us/ntcmds.mspx

Have fun tinkering with the system from the inside!

* i am aware that i spelled colour here, that is how it is spelt in european (i.e. original) english. windows was written with american english or just "american," as they like to think of their dialect as a unique language! no offence meant to anyone from america, great place and all but you're all a bunch of jackasses if y'all think y'all can come up with a new language by changing a few spellings from an older one! i've had my rant, now i'll leave before i get a lynch mob after me!

8. it took me way too long to type that!

9. It is obvious that system() is not secure. But system commands are something different. How can the cls command be replaced by another program? For example when I write cls in console mode foo.exe executes instead of clearing the screen.

10. Originally Posted by siavoshkc
For example when I write cls in console mode foo.exe executes instead of clearing the screen.
Code:
ren foo.exe cls.exe
Simple isn't it ?
Kurt

11. >>Simple isn't it ?

If you do it and write cls, windows executes CLS command, not cls.exe.

Simple?

12. Ok. It's not that easy replacing cls. cls seems to be an internal command of cmd.exe, so cmd.exe would have to be replaced as well.
Kurt

13. Exactly!

14. Originally Posted by siavoshkc
Exactly!
Ok. You won. Using system() must be safe.

15. > How can the cls command be replaced by another program?
http://msdn.microsoft.com/library/de..._._wsystem.asp
Wherein, it says
The system function passes command to the command interpreter, which executes the string as an operating-system command. system refers to the COMSPEC and PATH environment variables that locate the command-interpreter file (the file named CMD.EXE in Windows NT). If command is NULL, the function simply checks to see whether the command interpreter exists.
It really doesn't matter what you put between the quotes, because if someone has done
COMSPEC=myhack.exe
or
PATH=C:\path\to\my\cmdexe;C:\windows\system
Then the program you end up running is not the cmd.exe you thought you were running.

Or even more legitimately, say people who prefer to use bash.exe in cygwin as their shell because it's a far more capable shell than cmd.exe.

Sure, you can argue if you want that "cls" doesn't cause cmd.exe to invoke an external process, but that's hardly the point if you can't be sure that you're running cmd.exe in the first place. Also, as Tonto points out, it's all too easy to develop bad programming habits and slip easily into doing something really stupid later on by using system() when you really shouldn't, simply because of the habit of choosing the easy option in your code.
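As an added example (not code from the thread or from any of its posters) covering both post 6's current-directory search and post 15's PATH manipulation: a small which-style resolver for auditing which file a bare command name such as "netstat" would actually be handed to before you trust it to system(). The directory names, the placeholder `netstat` files and the fixture are constructed for the demo, and `cwd_first` is an assumed flag that models the Windows lookup order on a POSIX host.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Resolve a bare command name the way a shell does: optionally look in the
 * current directory first (the Windows order post 6 describes), then walk
 * dirs in sequence and stop at the first executable match. Returns 1 and
 * fills out on success, 0 if nothing on the search path matches. */
int resolve_command(const char *cmd, const char *dirs, char sep,
                    int cwd_first, char *out, size_t outlen)
{
    char cand[1024];
    if (cwd_first) {
        snprintf(cand, sizeof cand, "./%s", cmd);
        if (access(cand, X_OK) == 0) { snprintf(out, outlen, "%s", cand); return 1; }
    }
    for (const char *p = dirs; p && *p; ) {
        const char *end = strchr(p, sep);
        int len = end ? (int)(end - p) : (int)strlen(p);
        if (len > 0) {
            snprintf(cand, sizeof cand, "%.*s/%s", len, p, cmd);
            if (access(cand, X_OK) == 0) { snprintf(out, outlen, "%s", cand); return 1; }
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Constructed fixture: a user-writable directory listed ahead of a "system"
 * directory, each holding an empty executable named netstat. Returns 1 when
 * the user-writable copy shadows the system one, which is the situation
 * posts 6 and 15 warn about. Cleans up after itself. */
int demo_shadowed_lookup(void)
{
    char user_dir[] = "/tmp/userdirXXXXXX", sys_dir[] = "/tmp/sysdirXXXXXX";
    if (!mkdtemp(user_dir) || !mkdtemp(sys_dir)) return -1;
    char a[256], b[256], path[512], found[1024];
    snprintf(a, sizeof a, "%s/netstat", user_dir);
    snprintf(b, sizeof b, "%s/netstat", sys_dir);
    FILE *fa = fopen(a, "w"), *fb = fopen(b, "w");
    if (!fa || !fb) return -1;
    fclose(fa); fclose(fb);
    chmod(a, 0755); chmod(b, 0755);             /* both look executable */
    snprintf(path, sizeof path, "%s:%s", user_dir, sys_dir);
    int shadowed = resolve_command("netstat", path, ':', 0, found, sizeof found)
                   && strcmp(found, a) == 0;
    unlink(a); unlink(b); rmdir(user_dir); rmdir(sys_dir);
    return shadowed;
}
```

The same lookup with `cwd_first` set to 1 shows why a stray netstat.exe in the working directory wins on Windows even with a clean PATH; the mitigation in either case is a full path (or no system() call at all).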
