Thread: system() vulnerable to a buffer overflow?

  1. #1
    Registered Abuser Loic's Avatar
    Join Date
    Mar 2007
    Location
    Sydney
    Posts
    115

    system() vulnerable to a buffer overflow?

    Hi all, I came across a thread on another forum. And there was a thread about exploiting the “system()” call in C … one person pointed out that it may be vulnerable to a buffer overflow sort of attack. It sounds to me like it could be quite possible, but I wanted to ask people who know a little more about C if there was anything in that? Also if it is possible how would you prevent against it?

    below is the code they posted...
    Code:
    #include <stdio.h>
    
    int main(int argc,char *argv[]) {
     system(argv[1]);
     return 0;
    }

  2. #2
    Registered User
    Join Date
    Oct 2001
    Posts
    2,129
    Has nothing to do with 'system()'.
    Code:
    #include <stdio.h>
    
    int main(int argc,char *argv[]) {
     if (argc >= 2) system(argv[1]);
     return 0;
    }

  3. #3
    Registered User
    Join Date
    Apr 2006
    Posts
    2,149
    Quote Originally Posted by robwhit View Post
    Has nothing to do with 'system()'.
    Code:
    #include <stdio.h>
    
    int main(int argc,char *argv[]) {
     if (argc >= 2) system(argv[1]);
     return 0;
    }
    system(NULL) is well defined, so there is no requirement for the conditional statement.

    The question boils down to, if I understand it correctly, whether there is a possibility that system() will copy the string passed to it at some point to a static sized buffer. I don't know the answer to this question, though I'd guess yes. I'd also guess that that buffer is less than the max size of a command line argument, so this particular example will never fail.
    Last edited by King Mir; 08-07-2008 at 08:53 PM.
    It is too clear and so it is hard to see.
    A dunce once searched for fire with a lighted lantern.
    Had he known what fire was,
    He could have cooked his rice much sooner.

  4. #4
    and the Hat of Guessing tabstop's Avatar
    Join Date
    Nov 2007
    Posts
    14,336
    I suppose you could get a buffer overflow in system. I don't know if the code you posted would do it, since you had to get that string in argv[1] from the OS, so presumably the OS can handle strings of that length. Usually you hear more about someone replacing dir (or whatever you're calling) with something malicious on the target system, so that your program calls the malicious version instead of the system version.

  5. #5
    Registered Abuser Loic's Avatar
    Join Date
    Mar 2007
    Location
    Sydney
    Posts
    115
    Quote Originally Posted by robwhit View Post
    Has nothing to do with 'system()'.
    Code:
    #include <stdio.h>
    
    int main(int argc,char *argv[]) {
     if (argc >= 2) system(argv[1]);
     return 0;
    }
    I have no idea what you are trying to do here... but it dose seem pointless...

  6. #6
    Registered Abuser Loic's Avatar
    Join Date
    Mar 2007
    Location
    Sydney
    Posts
    115
    Quote Originally Posted by tabstop View Post
    I suppose you could get a buffer overflow in system. I don't know if the code you posted would do it, since you had to get that string in argv[1] from the OS, so presumably the OS can handle strings of that length. Usually you hear more about someone replacing dir (or whatever you're calling) with something malicious on the target system, so that your program calls the malicious version instead of the system version.
    mmm ok, so it is possible... but i guess the how, and how to protect against it would be a little bit to in-depth/complex to discuss in this thread...

  7. #7
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    I just had a look at the glibc POSIX implementation here and it DOES NOT copy the argument into a different string before passing it to __execve().

    __execve translates to a Unix/Linux system call directly, so it would behave like the system call itself - and I would presume that it does not have any direct overflow problems on trivial things like "a very long line of input" at the very least - it may well give an error on very long input, but it's unlikely to be a security problem or cause a crash, in my opinion [without looking at the code of SYS_execve() itself].

    Of course, other implementations of system() may behave in other ways, and for a wider scope than glibc, I would make no guarantees whatsoever [but at the same time, I see no reason why anyone would need to copy the string].

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  8. #8
    Registered User
    Join Date
    Jul 2008
    Posts
    133
    Quote Originally Posted by Loic View Post
    mmm ok, so it is possible... but i guess the how, and how to protect against it would be a little bit to in-depth/complex to discuss in this thread...
    And you're just some kiddo trying to pick up something so you can show off to other kids, right? Start learning something or go play with your monkey(s), kiddo...

  9. #9
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by Loic View Post
    mmm ok, so it is possible... but i guess the how, and how to protect against it would be a little bit to in-depth/complex to discuss in this thread...
    You would have to check that the string isn't longer than what system() would be able to accept. What that limit is would be hard to determine, because it's quite possible that IF there is a buffer overflow problem, it is not detected immediately you go over the limit.

    You could check if it's having some bad effect by creating a large text file [it's easy to create large text files by copying the same text multiple times (e.g. twice) into a new file, then use the new file twice into the original name and so on a few times over], and then calling your program [as examplified above] with "myprog `cat bigtext.txt`" - I expect that anything up to about 0.5-2 GB will work just fine, and above that it will most likely just give some "no memory" error [rather than "command not found" if your text file doesn't contain anything meaningful - but it could be made meaningfull by starting with echo and ending with > /dev/nul].

    A much bigger problem with system() is that you rely on the system's application to do what you want. If you do "system(clear)" for example, it is entirely possibly that the first applicaiton called "clear" that the system finds isn't [only] clearing the display, but doing something that you wouldn't want - e.g. replace "clear" with a shell-script that does "rm -rf *; /bin/clear" -- that would be rather nasty, right?

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  10. #10
    and the hat of sweating
    Join Date
    Aug 2007
    Location
    Toronto, ON
    Posts
    3,545
    Unless we see the original artical that Loic was referring to, we're just shooting in the dark as to what it could be talking about.

    If system() does have it's own array that it copies the argument into, I'm sure any intelligent compiler writers would use strncpy() to copy the cmd string into that array rather than strcpy().

  11. #11
    Registered User
    Join Date
    Oct 2001
    Posts
    2,129
    Quote Originally Posted by King Mir View Post
    system(NULL) is well defined, so there is no requirement for the conditional statement.
    argc is only defined to be non-negative. So then argc[1] might be an overflow.

  12. #12
    Registered Abuser Loic's Avatar
    Join Date
    Mar 2007
    Location
    Sydney
    Posts
    115
    Thanks everyone, you have cleared up everything. I wasn’t to concerned on how to do it. I know that is well over my head. I just wanted to know if it was possible

    Quote Originally Posted by rasta_freak View Post
    And you're just some kiddo trying to pick up something so you can show off to other kids, right? Start learning something or go play with your monkey(s), kiddo...
    Yeah, alright… I’m a kiddo wanting someone to teach me how to be a hax0r… please… don’t waste your time replying to my threads unless you have something constructive to say…

  13. #13
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Unless we see the original artical that Loic was referring to, we're just shooting in the dark as to what it could be talking about.
    I believe he is referring to an article entitled "The Oldest Trick in the Book" found in the February 2005 issue of Linux Magazine. you'll need a userid/password to access the article.

  14. #14
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by BobS0327 View Post
    I believe he is referring to an article entitled "The Oldest Trick in the Book" found in the February 2005 issue of Linux Magazine. you'll need a userid/password to access the article.
    Although that only mentions system() in a different context.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  15. #15
    Registered Abuser Loic's Avatar
    Join Date
    Mar 2007
    Location
    Sydney
    Posts
    115
    Quote Originally Posted by cpjust View Post
    Unless we see the original artical that Loic was referring to, we're just shooting in the dark as to what it could be talking about.
    The thread I read isn’t much more descriptive than my thread here... but fyi this is it exploiting the system() call in c?

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. clear buffer
    By justins in forum C Programming
    Replies: 5
    Last Post: 05-19-2007, 06:16 AM
  2. buffer overflow
    By cpp_is_fun in forum C Programming
    Replies: 2
    Last Post: 10-24-2006, 11:04 PM
  3. Buffer overflow? Won't join channel sometimes -- IRC Bot in C
    By Apocalypse in forum Networking/Device Communication
    Replies: 3
    Last Post: 01-17-2006, 11:00 PM
  4. Replies: 4
    Last Post: 06-13-2005, 09:03 AM
  5. Does anyone Know How to..?
    By kwigibo in forum C Programming
    Replies: 12
    Last Post: 09-20-2001, 08:16 AM