Thread: system() function security vulnerabilities?

  1. #1
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544

    system() function security vulnerabilities?

    It is frequently claimed that the system() function suffers from security vulnerabilities. The usual explanation of these security vulnerabilities is that the program can be replaced with a malicious alternative.
    Quote Originally Posted by Hunter2
    anyone can write a program, name it 'pause.exe' or 'pause.com', and replace the one that came with your computer.
    I'm just wondering if anybody could explain how this could be used as an exploit in any practical way (assuming the use of an absolute path)? At least on Windows, I'm just not seeing it.

    Thanks.

  2. #2
    Registered User major_small's Avatar
    Join Date
    May 2003
    Posts
    2,787
    say i write some PHP on my site that when you go to it, it says you need something to view my page, let's say a language pack or the next version of flash... so you download it... then my "install" program puts a keyboard logger named "pause.exe" in your system32 folder... there you have it... even if you don't do it, the people using your programs will.

    edit: the keylogger example was a bad one... a better example would be some kind of program that opens your drives and writes "you are an idiot" in several new windows all over the screen while playing loud sound bytes... then everybody thinks it's your program and there's not a thing you can do about it except to re-release your program with the code we told you to use in the first place...
    Last edited by major_small; 10-22-2004 at 09:45 AM.

  3. #3
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Quote Originally Posted by major_small
    say i write some PHP on my site that when you go to it, it says you need something to view my page, let's say a language pack or the next version of flash... so you download it... then my "install" program puts a keyboard logger named "pause.exe" in your system32 folder... there you have it... even if you don't do it, the people using your programs will.
    If you can write to my system32 folder, you own my machine. Replacing pause.exe would be well down the list on malicious things to do.

  4. #4
    Carnivore ('-'v) Hunter2's Avatar
    Join Date
    May 2002
    Posts
    2,879
    While that's true, a prankster might find it an amusing joke to pull - especially if the object was to teach a friend to avoid the use of system() calls

    Anyway, does a .com file even have to be in the system32 folder to be executed automatically? My understanding was that a command without a path will search and execute, roughly in this order:
    1) Check the local directory for .com, .exe, .bat
    2) Check if any such file is present in any of the PATH locations
    3) Check to see if any such .COM files are present on the computer (checking from the system folders first of course)

    If (3) is true, then it shouldn't matter where it is placed, and the malicious file will be run anyway.

  5. #5
    Banned master5001's Avatar
    Join Date
    Aug 2001
    Location
    Visalia, CA, USA
    Posts
    3,685
    I'm glad Hunter pointed that out. Indeed you would only need to put your "evil" pause.exe in the same folder as the program executing system("pause").

  6. #6
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    >> I'm glad Hunter pointed that out. Indeed you would only need to put your "evil" pause.exe in the same folder as the program executing system("pause"). <<

    If you could do that, you could just replace the original program!

    Quote Originally Posted by Hunter2
    1) Check the local directory for .com, .exe, .bat
    2) Check if any such file is present in any of the PATH locations
    3) Check to see if any such .COM files are present on the computer (checking from the system folders first of course)
    I don't think number 3 occurs, but there is a chance you could have a problem with number 2 which is why I mentioned using an absolute path.

  7. #7
    Carnivore ('-'v) Hunter2's Avatar
    Join Date
    May 2002
    Posts
    2,879
    >>If you could do that, you could just replace the original program!
    That still doesn't eliminate the 'educational prank' possibility

    Still, perhaps autoexec.bat isn't protected as a system file. Then you could add a PATH line, so you wouldn't need access to any system folder, and ANY program without an explicit path in their system() call would execute it.

    I imagine that an absolute path *might* eliminate the security vulnerability, but then you'd be relying on the assumption that 'pause.exe' resides at the path that you've just hardcoded.

  8. #8
    Registered User major_small's Avatar
    Join Date
    May 2003
    Posts
    2,787
    Quote Originally Posted by anonytmouse
    If you could do that, you could just replace the original program!
    you can bet that if microsoft used system("pause"); in any of their programs, there would be somebody putting their own "pause.exe" in every windows user's computer... now they have thousands of passwords and it takes ms another week to release a patch for that...

    not that microsoft would do that (because they know this is already a vulnerability that would look really bad if exploited in one of their programs), but I think you get the point.

    I get your point that on a small scale, with more educated users, there isn't much of a problem, but if you want to get anywhere with programming, one of the biggest buzzwords around is security, and that is one big breach that can be easily exploited.

    besides the whole security breach thing, it's also considered bad practice because you're getting another program to do the dirty work for you...

  9. #9
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Quote Originally Posted by Hunter2
    Still, perhaps autoexec.bat isn't protected as a system file. Then you could add a PATH line, so you wouldn't need access to any system folder, and ANY program without an explicit path in their system() call would execute it.
    If someone can alter your autoexec.bat, they can just add their program at startup. No need to mess with the PATH variable.
    Quote Originally Posted by major_small
    you can bet that if microsoft used system("pause"); in any of their programs, there would somebody putting their own "pause.exe" in every windows user's computer...
    As mentioned, if someone can replace pause, they own your computer.
    Quote Originally Posted by major_small
    I get your point that on a small scale, with more educated users, there isn't much of a problem, but if you want to get anywhere with programming, one of the biggest buzzwords around is security, and that is one big breach that can be easily exploited.
    If it is so easy, could you tell me how it could be exploited?


    [edit]
    There is a possibility of a serious vulnerability if system() is used improperly with data provided from an untrusted user, similar to a SQL injection vulnerability. Maybe this is where the "don't use system()" advice originated.

    Other methods of launching a program may not use a command interpreter and therefore may be slightly safer when launching a command with user-supplied data.

    I'm not [edit]totally [/edit] backing down, I still see no meaningful security vulnerability when running a program with system() and no user supplied data, such as system("C:\\windows\\system32\\notepad.exe"). However, I can see why it is probably a good idea to advise people to avoid system(), at least to those who do not know how to use it safely. Just like it is a good idea to advise people to avoid goto until they can use it responsibly.
    [/note]

    Guidelines for using system() safely
    • Be very careful or avoid passing data from an untrusted user to the system() function.
    • Use an absolute path.


    On Windows, pause is implemented by the command interpreter, so that system("pause") is inherently safe, but system("pause.com") may not be (fails the absolute path requirement).

    Damn and blast! I think I've just largely destructed my own argument.
    [/edit]

    P.S. Maybe this thread should be added to the FAQ forum.
    Last edited by anonytmouse; 11-11-2004 at 10:43 AM.
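
The two guidelines from the last post, as an added example (not code from any poster in the thread): a C helper that builds a command line for system() only when the program is named by an absolute path and the user-supplied argument passes an allow-list. The names build_command and vet_result and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Outcome of vetting a command line before it reaches system(). */
enum vet_result { VET_OK, VET_RELATIVE_PATH, VET_UNSAFE_ARG, VET_TOO_LONG };

/* Absolute: "C:\..." or "C:/..." (Windows) or "/..." (POSIX). */
static int is_absolute_path(const char *p)
{
    if (p[0] == '/')
        return 1;
    return isalpha((unsigned char)p[0]) && p[1] == ':' &&
           (p[2] == '\\' || p[2] == '/');
}

/* Allow-list for untrusted data: [A-Za-z0-9._-]; & | < > ^ % ; and spaces fail. */
static int is_plain_argument(const char *a)
{
    if (*a == '\0')
        return 0;
    for (; *a != '\0'; ++a)
        if (!isalnum((unsigned char)*a) && strchr("._-", *a) == NULL)
            return 0;
    return 1;
}

/* Writes "<program> <arg>" to out only when both guidelines hold. */
enum vet_result build_command(char *out, size_t outlen,
                              const char *program, const char *arg)
{
    int n;
    if (!is_absolute_path(program))
        return VET_RELATIVE_PATH;
    if (!is_plain_argument(arg))
        return VET_UNSAFE_ARG;
    n = snprintf(out, outlen, "%s %s", program, arg);
    return (n < 0 || (size_t)n >= outlen) ? VET_TOO_LONG : VET_OK;
}

int main(void)
{
    char cmd[128];
    const char *editor = "C:\\windows\\system32\\notepad.exe";
    /* Constructed inputs: a plain file name, then one carrying "&". */
    printf("%d\n", build_command(cmd, sizeof cmd, editor, "notes.txt"));
    printf("%d\n", build_command(cmd, sizeof cmd, editor, "notes.txt & calc.exe"));
    printf("%d\n", build_command(cmd, sizeof cmd, "pause.com", "notes.txt"));
    return 0;
}
```

Only a command that returns VET_OK would be passed on to system(); the other results are reasons to refuse the call.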
