Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
send
function and its variants allow programmers to work around Ruby access specifiers on functions. In particular it enables the programmer to access private and protected fields and functions, behaviors that are normally disallowed.paramName
URL parameter.
...
<bookmark>
<method>#{paramHandler.handleParams}</method>
<url-parameter>
<name>paramName</name>
<value>#{requestScope.paramName}</value>
</url-parameter>
</bookmark>
...
userClassPath
to determine the directory in which to search for classes to load.
...
productCategory = this.getIntent().getExtras().getString("userClassPath");
DexClassLoader dexClassLoader = new DexClassLoader(productCategory, optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
...
userClassPath
to point to a different path, which they control. Because the program does not validate the value read from the environment, if an attacker can control the value of userClassPath
, then they can fool the application into pointing to a directory that they control and therefore load the classes that they have defined, using the same privileges as the original app.userOutput
to determine the directory the optimized DEX files should be written.
...
productCategory = this.getIntent().getExtras().getString("userOutput");
DexClassLoader dexClassLoader = new DexClassLoader(sanitizedPath, productCategory, null, getClassLoader());
...
userOutput
to a directory that they control, such as external storage. Once this is achieved, it is simply a matter of replacing the outputted ODEX file with a malicious ODEX file to have this executed with the same privileges as the original application.ModelState.IsValid
to check if model validation passes.class.classLoader
that enable them to override system properties and potentially execute arbitrary code.
String prop = request.getParameter('prop');
String value = request.getParameter('value');
HashMap properties = new HashMap();
properties.put(prop, value);
BeanUtils.populate(user, properties);
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.gets()
function to read an arbitrary amount of data into a stack buffer. Because there is no way to limit the amount of data read by this function, the safety of the code depends on the user to always enter fewer than BUFSIZE
characters.Example 1.b: This example shows how easy it is to mimic the unsafe behavior of the
...
char buf[BUFSIZE];
gets(buf);
...
gets()
function in C++ by using the >>
operator to read input into a char[]
string.Example 2: The code in this example also relies on user input to control its behavior, but it adds a level of indirection with the use of the bounded memory copy function
...
char buf[BUFSIZE];
cin >> (buf);
...
memcpy()
. This function accepts a destination buffer, a source buffer, and the number of bytes to copy. The input buffer is filled by a bounded call to read()
, but the user specifies the number of bytes that memcpy()
copies.
...
char buf[64], in[MAX_SIZE];
printf("Enter buffer contents:\n");
read(0, in, MAX_SIZE-1);
printf("Bytes to copy:\n");
scanf("%d", &bytes);
memcpy(buf, in, bytes);
...
lccopy()
takes a string as its argument and returns a heap-allocated copy of the string with all uppercase letters converted to lowercase. The function performs no bounds checking on its input because it expects str
to always be smaller than BUFSIZE
. If an attacker bypasses checks in the code that calls lccopy()
, or if a change in that code makes the assumption about the size of str
untrue, then lccopy()
will overflow buf
with the unbounded call to strcpy()
.Example 4: The following code demonstrates the third scenario in which the code is so complex its behavior cannot be easily predicted. This code is from the popular libPNG image decoder, which is used by a wide array of applications.
char *lccopy(const char *str) {
char buf[BUFSIZE];
char *p;
strcpy(buf, str);
for (p = buf; *p; p++) {
if (isupper(*p)) {
*p = tolower(*p);
}
}
return strdup(buf);
}
png_crc_read()
. However, immediately before it tests length, the code performs a check on png_ptr->mode
, and if this check fails a warning is issued and processing continues. Since length
is tested in an else if
block, length
would not be tested if the first check fails, and is used blindly in the call to png_crc_read()
, potentially allowing a stack buffer overflow.Example 5: This example also demonstrates the third scenario in which the program's complexity exposes it to buffer overflows. In this case, the exposure is due to the ambiguous interface of one of the functions rather than the structure of the code (as was the case in the previous example).
if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Missing PLTE before tRNS");
}
else if (length > (png_uint_32)png_ptr->num_palette) {
png_warning(png_ptr, "Incorrect tRNS chunk length");
png_crc_finish(png_ptr, length);
return;
}
...
png_crc_read(png_ptr, readbuf, (png_size_t)length);
getUserInfo()
function takes a username specified as a multibyte string and a pointer to a structure for user information, and populates the structure with information about the user. Since Windows authentication uses Unicode for usernames, the username
argument is first converted from a multibyte string to a Unicode string. This function then incorrectly passes the size of unicodeUser
in bytes rather than characters. The call to MultiByteToWideChar()
may therefore write up to (UNLEN+1)*sizeof(WCHAR)
wide characters, or(UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR)
bytes, to the unicodeUser
array, which has only (UNLEN+1)*sizeof(WCHAR)
bytes allocated. If the username
string contains more than UNLEN
characters, the call to MultiByteToWideChar()
will overflow the buffer unicodeUser
.
void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(CP_ACP, 0, username, -1,
unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.c
because the double
type requires more space than is allocated for c
.
void formatString(double d) {
char c;
scanf("%d", &c)
}
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.buf
because, depending on the size of f
, the format string specifier "%d %.1f ... "
can exceed the amount of allocated memory.
void formatString(int x, float f) {
char buf[40];
sprintf(buf, "%d %.1f ... ", x, f);
}
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.recv
returns the maximum allowed sizeof(buf)
bytes read. In this case, the subsequent dereference of buf[nbytes]
will write the null
byte outside the bounds of allocated memory.
void receive(int socket) {
char buf[MAX];
int nbytes = recv(socket, buf, sizeof(buf), 0);
buf[nbytes] = '\0';
...
}
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.getInputLength()
is less than the size of the destination buffer output
. However, because the comparison between len
and MAX
is signed, if len
is negative, it will be become a very large positive number when it is converted to an unsigned argument to memcpy()
.
void TypeConvert() {
char input[MAX];
char output[MAX];
fillBuffer(input);
int len = getInputLength();
if (len <= MAX) {
memcpy(output, input, len);
}
...
}
ParametersInterceptor
, allowing access to the getClass()
method through the class
parameter. This can enable an attacker to manipulate the ClassLoader
and execute arbitrary Java code using crafted action parameters.
function MyController(function($stateParams, $interpolate){
var ctx = { foo : 'bar' };
var interpolated = $interpolate($stateParams.expression);
this.rendered = interpolated(ctx);
...
}
$stateParams.expression
will be taking potentially user-controlled data, and evaluating this as a template to be used with a specified context. This in turn may enable a malicious user to run any code they wish within the browser, retrieving information about the context it's run against, finding additional information about how the application is created, or turning this into a full blown XSS attack.template
attribute of a <cfinclude>
tag. ../../users/wileyh/malicious
", which will cause the application to include and execute the contents of a file in the attacker's home directory.
<cfinclude template =
"C:\\custom\\templates\\#Form.username#.cfm">
<cfinclude>
tag, they may be able to cause the application to include the contents of nearly any file in the server's file system in the current page. This ability can be leveraged in at least two significant ways. If an attacker can write to a location on the server's file system, such as the user's home directory or a common upload directory, then they may be able to cause the application to include a maliciously crafted file in the page, which will be executed by the server. Even without write access to the server's file system, an attacker may often gain access to sensitive or private information by specifying the path of a file on the server.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
CALL FUNCTION 'REGISTRY_GET'
EXPORTING
KEY = 'APPHOME'
IMPORTING
VALUE = home.
CONCATENATE home INITCMD INTO cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the registry entry APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the registry, if an attacker can control the value of the registry key APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = request->get_form_field( 'backuptype' )
CONCATENATE `/K 'c:\\util\\rmanDB.bat ` btype `&&c:\\util\\cleanup.bat'` INTO cmd.
CALL FUNCTION 'SXPG_COMMAND_EXECUTE_LONG'
EXPORTING
commandname = cmd_exe
long_params = cmd_string
EXCEPTIONS
no_permission = 1
command_not_found = 2
parameters_too_long = 3
security_risk = 4
OTHERS = 5.
...
backuptype
parameter read from the user. Typically the function module SXPG_COMMAND_EXECUTE_LONG
will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to CALL 'SYSTEM'
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
MOVE 'make' to cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
CALL 'SYSTEM'
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
home = String(fs.readObject(home));
var cmd:String = home + INITCMD;
fscommand("exec", cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the contents of the configuration file configStream
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the file, if an attacker can control that value, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var btype:String = String(params["backuptype"]);
var cmd:String = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\"";
fscommand("exec", cmd);
...
backuptype
parameter read from the user. Typically the fscommand()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to fscommnd()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
fscommand("exec", "make");
...
fscommand()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
string val = Environment.GetEnvironmentVariable("APPHOME");
string cmd = val + INITCMD;
ProcessStartInfo startInfo = new ProcessStartInfo(cmd);
Process.Start(startInfo);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
string btype = BackupTypeField.Text;
string cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat"
+ btype + "&&c:\\util\\cleanup.bat\""));
Process.Start(cmd);
...
BackupTypeField
. Typically the Process.Start()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Process.Start()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.update.exe
command, as follows:
...
Process.Start("update.exe");
...
Process.start()
. If an attacker can modify the $PATH
variable to point to a malicious binary called update.exe
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's update.exe
will now be run with these privileges, possibly giving the attacker complete control of the system.setuid root
because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.
int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
}
root
privileges, the call to system()
also executes with root
privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /"
, then the call to system()
fails to execute cat
due to a lack of arguments and then plows on to recursively delete the contents of the root partition.$APPHOME
to determine the application's installation directory and then executes an initialization script in that directory.
...
char* home=getenv("APPHOME");
char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));
if (cmd) {
strcpy(cmd,home);
strcat(cmd,INITCMD);
execl(cmd, NULL);
}
...
Example 1
, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker may modify the environment variable $APPHOME
to specify a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, by controlling the environment variable the attacker may fool the application into running malicious code.make
in the /var/yp
directory. Note that since the program updates password records, it has been installed setuid root
.make
as follows:
system("cd /var/yp && make &> /dev/null");
system()
. However, since the program does not specify an absolute path for make
and does not scrub any environment variables prior to invoking the command, the attacker may modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. And since the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.CreateProcess()
either directly or via a call to one of the functions in the _spawn()
family, care must be taken when there is a space in an executable or path.
...
LPTSTR cmdLine = _tcsdup(TEXT("C:\\Program Files\\MyApplication -L -S"));
CreateProcess(NULL, cmdLine, ...);
...
CreateProcess()
parses spaces, the first executable the operating system will try to execute is Program.exe
, not MyApplication.exe
. Therefore, if an attacker is able to install a malicious application called Program.exe
on the system, any program that incorrectly calls CreateProcess()
using the Program Files
directory will run this application instead of the intended one.system()
, exec()
, and CreateProcess()
use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.$PATH
or other aspects of the program's execution environment.make
in the /var/yp
directory. Note that because the program updates password records, it has been installed setuid root
.make
as follows:
MOVE "cd /var/yp && make &> /dev/null" to command-line
CALL "CBL_EXEC_RUN_UNIT" USING command-line
length of command-line
run-unit-id
stack-size
flags
CBL_EXEC_RUN_UNIT
. However, because the program does not specify an absolute path for make
and does not scrub its environment variables prior to invoking the command, the attacker can modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. In addition, because the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.pdfprint
command.
DISPLAY "TEMP" UPON ENVIRONMENT-NAME
ACCEPT ws-temp-dir FROM ENVIRONMENT-VARIABLE
STRING "pdfprint " DELIMITED SIZE
ws-temp-dir DELIMITED SPACE
"/" DELIMITED SIZE
ws-pdf-filename DELIMITED SPACE
x"00" DELIMITED SIZE
INTO cmd-buffer
CALL "SYSTEM" USING cmd-buffer
pdfprint
, the attacker can modify their $PATH
variable to point to a malicious binary. Furthermore, while the DELIMITED SPACE
phrases prevent embedded spaces in ws-temp-dir
and ws-pdf-filename
, there could be shell metacharacters (such as &&
) embedded in either.cmd
request parameter.
...
<cfset var="#url.cmd#">
<cfexecute name = "C:\windows\System32\cmd.exe"
arguments = "/c #var#"
timeout = "1"
variable="mycmd">
</cfexecute>
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
final cmd = String.fromEnvironment('APPHOME');
await Process.run(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.
cmdName := request.FormValue("Command")
c := exec.Command(cmdName)
c.Run()
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\util\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
System.Runtime.getRuntime().exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
String[] cmds = this.getIntent().getStringArrayExtra("commands");
Process p = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(p.getOutputStream());
for (String cmd : cmds) {
os.writeBytes(cmd+"\n");
}
os.writeBytes("exit\n");
os.flush();
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
var cp = require('child_process');
...
var home = process.env('APPHOME');
var cmd = home + INITCMD;
child = cp.exec(cmd, function(error, stdout, stderr){
...
});
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Since the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var btype = url.parse(request.url, true)['query']['backuptype'];
if (btype !== undefined){
cmd = "c:\\util\\rmanDB.bat" + btype;
cp.exec(cmd, function(error, stdout, stderr){
...
});
}
...
}
...
http.createServer(listener).listen(8080);
backuptype
parameter read from the user apart from verifying its existence. After the shell is invoked, it may allow for the execution of multiple commands, and due to the nature of the application, it will run with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
require('child_process').exec("make", function(error, stdout, stderr){
...
});
...
make
and fails to clean its environment prior to executing the call to child_process.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
$home = $_ENV['APPHOME'];
$cmd = $home . $INITCMD;
system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
$btype = $_GET['backuptype'];
$cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " . $btype . "&&c:\\util\\cleanup.bat\"";
system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
CREATE PROCEDURE dbo.listFiles (@path NVARCHAR(200))
AS
DECLARE @cmd NVARCHAR(500)
SET @cmd = 'dir ' + @path
exec xp_cmdshell @cmd
GO
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = os.getenv('APPHOME')
cmd = home.join(INITCMD)
os.system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req.field('backuptype')
cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\""
os.system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
result = os.system("make");
...
os.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = ENV['APPHOME']
cmd = home + INITCMD
Process.spawn(cmd)
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req['backuptype']
cmd = "C:\\util\\rmanDB.bat #{btype} &&C:\\util\\cleanup.bat"
spawn(cmd)
...
backuptype
parameter read from the user. After the shell is invoked via Kernel.spawn
, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
system("make")
...
Kernel.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
def changePassword(username: String, password: String) = Action { request =>
...
s'echo "${password}" | passwd ${username} --stdin'.!
...
}
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
Dim cmd
Dim home
home = Environ$("AppHome")
cmd = home & initCmd
Shell cmd, vbNormalFocus
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = Request.Form("backuptype")
cmd = "cmd.exe /K " & Chr(34) & "c:\util\rmanDB.bat " & btype & "&&c:\util\cleanup.bat" & Chr(34) & ";
Shell cmd, vbNormalFocus
...
backuptype
parameter read from the user. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
steps:
- run: echo "${{ github.event.pull_request.title }}"
...
github.event.pull_request.title
value represents. If the github.event.pull_request.title
contains malicious executable code, the action runs the malicious code, which results in command injection.<!--#echo%20var="GATEWAY_INTERFACE"-->
...
string password = Request.Form["db_pass"]; //gets POST parameter 'db_pass'
SqlConnection DBconn = new SqlConnection("Data Source = myDataSource; Initial Catalog = db; User ID = myUsername; Password = " + password + ";");
...
db_pass
parameter such as:
...
password := request.FormValue("db_pass")
db, err := sql.Open("mysql", "user:" + password + "@/dbname")
...
db_pass
parameter such as:
username = req.field('username')
password = req.field('password')
...
client = MongoClient('mongodb://%s:%s@aMongoDBInstance.com/?ssl=true' % (username, password))
...
password
parameter such as:
hostname = req.params['host'] #gets POST parameter 'host'
...
conn = PG::Connection.new("connect_timeout=20 dbname=app_development user=#{user} password=#{password} host=#{hostname}")
...
host
parameter such as:content://my.authority/messages
content://my.authority/messages/123
content://my.authority/messages/deleted
content://my.authority/messages/deleted
by providing a msgId code with value deleted
:
// "msgId" is submitted by users
Uri dataUri = Uri.parse(WeatherContentProvider.CONTENT_URI + "/" + msgId);
Cursor wCursor1 = getContentResolver().query(dataUri, null, null, null, null);
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var url:String = String(params["url"]);
var ldr:Loader = new Loader();
var urlReq:URLRequest = new URLRequest(url);
ldr.load(urlReq);
...
message
, and displays it to the user.
const openai = new OpenAI({
apiKey: ...,
});
const chatCompletion = await openai.chat.completions.create(...);
message = res.choices[0].message.content
console.log(chatCompletion.choices[0].message.content)
message
, and displays it to the user.
client = openai.OpenAI()
res = client.chat.completions.create(...)
message = res.choices[0].message.content
self.writeln(f"<p>{message}<\p>")