Skip to content

C/C++: Command injection via wordexp #700

Closed
Closed
C/C++: Command injection via wordexp#700
Labels
All For OneSubmissions to the All for One, One for All bounty
@intrigus-lgtm

Description

@intrigus-lgtm
intrigus-lgtm
opened on Aug 18, 2022

Query PR

github/codeql#10077

Language

C/C++

CVE(s) ID list

CVE-2022-3008

CWE

CWE-078

Report

  1. What is the vulnerability?
    Passing user-supplied arguments to wordexp will cause command substitution which will cause command injection, leading to code execution.
  2. How does the vulnerability work?
    Unsanitised data is passed to a system/shell-like function.
  3. What strategy do you use in your query to find the vulnerability?
    TaintTracking + RemoteFlowSource.
  4. How have you reduced the number of false positives?
    A call to wordexp is safe, if the WRDE_NOCMD flag is used. This flag disables command substitution.
    This case has been modeled in the query.
    I am currently not aware of other false positives, but will be running this query on lgtm.com and adjust the query accordingly to the results I see.
  5. Other information?
    This query was inspired by https://github.com/syoyo/tinygltf/issues/368 which has been found by oss-fuzz using ExecSan.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    All For OneSubmissions to the All for One, One for All bounty

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions