A post in this (Are system() calls evil?) thread says:
Your program's privileges are inherited by its spawned programs. If your application ever runs as a privileged user, all someone has to do is put their own program with the name of the thing you shell out too, and then can execute arbitrary code (this implies you should never run a program that uses system as root or setuid root).
But system("PAUSE")
and system("CLS")
shell to the OS, so how could a hacker possibly intervene if it ONLY shells to a specific secure location on the hard-drive?
Does explicitly flush—by using fflush or _flushall—or closing any stream before calling system eliminate all risk?
The original question references POSIX not windows. Here there is no COMSPEC
(there is SHELL
but system()
deliberately does not use it); however /bin/sh
is completely, utterly vulnerable.
Suppose /opt/vuln/program does system("/bin/ls");
Looks completely harmless, right? Nope!
$ PATH=. IFS='/ ' /opt/vuln/program
This runs the program called bin
in the current directory. Oops. Defending against this kind of thing is so difficult it should be left to the extreme experts, like the guys who wrote sudo
. Sanitizing environment is extremely hard.
So you might be thinking what is that system()
api for. I don't actually know why it was created, but if you wanted to do a feature like ftp
has where !command is executed locally in the shell you could do ... else if (terminalline[0] == '!') system(terminalline+1); else ...
Since it's going to be completely insecure anyway there's no point in making it secure. Of course a truly modern use case wouldn't do it that way because system()
doesn't look at $SHELL
but oh well.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments