Argument injection issues
In a Solaris telnet vulnerability thread, Casper Dik said:
>It's not "still" in Solaris; it's the first time it occurred in
>Solaris; it is stupid it did but it's a typical programming error:
>passing unchecked arguments to a program without escaping special
>characters.
The emerging terminology for this kind of issue is "argument
injection" (CWE-88), although like many vulnerability-related
concepts, the term is attack-focused. Then again, "failure to
properly construct a command or directive such that all
arguments/switches are under full control of the calling program" just
doesn't have the same ring to it, nor does it account for the fact
that a large variety of weaknesses that lead to the same behavior.
One one level, this kind of issue applies to many kinds of behaviors,
not just invocation of OS commands. For example, using
onload/onmouseover attributes for XSS could be thought of as a type of
argument injection, and certain variants of SQL injection.
You can get into a lot of subtle variations on this one theme, even in
OS command invocation - switches like "--" bypassing blacklists that
just look for "-", use of "/a" style switches when invoking Windows
programs, conducting arg injection through URI handlers, etc.
Theoretically, argument injection doesn't just involve "special
characters," but any set of reserved words or constructs that are used
as separators between arguments or data elements. When you are doing
some kind of invocation across representation boundaries, you have to
have a correct model for how the arguments will be interpreted -
likely impossible if you're invoking arbitrary programs that will have
their own parsing routines. Command line switches are just the low
hanging fruit.
Some interesting/relevant examples: CVE-1999-0113 (the canonical AIX
-froot example), CVE-2007-0882 (Solaris -froot), CVE-2006-4692,
CVE-2006-6597, CVE-2006-3015, CVE-2006-2312, CVE-2006-2058,
CVE-2006-2057/CVE-2006-2056 (the same bug in Firefox and IE),
CVE-2006-1865, CVE-2005-4699, and probably a few dozen others that
aren't explicitly labeled as such.
- Steve