Printable View
It is frequently claimed that the system() function suffers security vulnerabilities. The usual explanation of these security vulnerabilities is that the program can be replaced with a malicious alternative.
I'm just wondering if anybody could explain how this could be used as an exploit in any practical way (assuming the use of an absolute path)? At least on Windows, I'm just not seeing it.Quote:
Originally Posted by Hunter2
Thanks.
say i write some PHP on my site that when you go to it, it says you need something to view my page, let's say a language pack or the next version of flash... so you download it... then my "install" program puts a keyboard logger named "pause.exe" in your system32 folder... there you have it... even if you don't do it, the people using your programs will.
edit: the keylogger example was a bad one... a better example would be some kind of program that opens your drives and writes "you are an idiot" in several new windows all over the screen while playing loud sound bytes... then everybody thinks it's your program and there's not a thing you can do about it except to re-release your program with the code we told you to use in the first place...
If you can write to my system32 folder, you own my machine. Replacing pause.exe would be well down the list on malicious things to do.Quote:
say i write some PHP on my site that when you go to it, it says you need something to view my page, let's say a language pack or the next version of flash... so you download it... then my "install" program puts a keyboard logger named "pause.exe" in your system32 folder... there you have it... even if you don't do it, the people using your programs will.
While that's true, a prankster might find it an amusing joke to pull - especially if the object was to teach a friend to avoid the use of system() calls ;)
Anyway, does a .com file even have to be in the system32 folder to be executed automatically? My understanding was that a command without a path will search and execute, roughly in this order:
1) Check the local directory for .com, .exe, .bat
2) Check if any such file is present in any of the PATH locations
3) Check to see if any such .COM files are present on the computer (checking from the system folders first of course)
If (3) is true, then it shouldn't matter where it is placed, and the malicious file will be run anyway.
I'm glad Hunter pointed that out. Indeed you would only need to put your "evil" pause.exe in the same folder as the program executing system("pause").
>> I'm glad Hunter pointed that out. Indeed you would only need to put your "evil" pause.exe in the same folder as the program executing system("pause"). <<
If you could do that, you could just replace the original program!
I don't think number 3 occurs, but there is a chance you could have a problem with number 2 which is why I mentioned using an absolute path.Quote:
1) Check the local directory for .com, .exe, .bat
2) Check if any such file is present in any of the PATH locations
3) Check to see if any such .COM files are present on the computer (checking from the system folders first of course)
>>If you could do that, you could just replace the original program!
That still doesn't eliminate the 'educational prank' possibility :D
Still, perhaps autoexec.bat isn't protected as a system file. Then you could add a PATH line, so you wouldn't need access to any system folder, and ANY program without an explicit path in their system() call would execute it.
I imagine that an absolute path *might* eliminate the security vulnerability, but then you'd be relying on the assumption that 'pause.exe' resides at the path that you've just hardcoded.
you can bet that if microsoft used system("pause"); in any of their programs, there would somebody putting their own "pause.exe" in every windows user's computer... now they have thousands of passwords and it takes ms another week to release a patch for that...Quote:
Originally Posted by anonytmouse
not that microsoft would do that (because they know this is already a vulnerability that would look really bad if exploited in one of their programs), but I think you get the point.
I get your point that on a small scale, with more educated users, there isn't much of a problem, but if you want to get anywhere with programming, one of the biggest buzzwords around is security, and that is one big breach that can be easily exploited.
besides the whole security breach thing, it's also considered bad practice because you're getting another program to do the dirty work for you...
If someone can alter your autoexec.bat, thay can just add their program at startup. No need to mess with the PATH variable.Quote:
Still, perhaps autoexec.bat isn't protected as a system file. Then you could add a PATH line, so you wouldn't need access to any system folder, and ANY program without an explicit path in their system() call would execute it.
As mentioned, if someone can replace pause, they own your computer.Quote:
you can bet that if microsoft used system("pause"); in any of their programs, there would somebody putting their own "pause.exe" in every windows user's computer...
If it is so easy, could you tell me how it could be exploited?Quote:
I get your point that on a small scale, with more educated users, there isn't much of a problem, but if you want to get anywhere with programming, one of the biggest buzzwords around is security, and that is one big breach that can be easily exploited.
[edit]
There is a possibility of a serious vulnerability if system() is used improperly with data provided from an untrusted user, similar to a SQL injection vulnerability. Maybe this is where the "don't use system()" advice originated.
Other methods of launching a program may not use a command interpretor and therefore may be slighly safer when launching a command with user supplied data.
I'm not [edit]totally ;)[/edit] backing down, I still see no meaningful security vulnerability when running a program with system() and no user supplied data, such as system("C:\\windows\\system32\\notepad.exe"). However, I can see why it is probably a good idea to advise people to avoid system(), at least to those who do not know how to use it safely. Just like it is a good idea to advise people to avoid goto until they can use it responsibly.
[/note]
Guidelines for using system() safely
- Be very careful or avoid passing data from an untrusted user to the system() function.
- Use an absolute path.
On windows, pause is implemented by the command interpreter, so that pause("pause") is inherently safe, but pause("pause.com") may not be (fails the absolute path requirement).
Damn and blast! I think I've just largely destructed my own argument.
[/edit]
P.S. Maybe this thread should be added to the FAQ forum.