3

I was reviewing code of an application that uses the following piece of Java code and wanted to know if the the use of exec() was susceptible to command injection. 

public class FindFileInDir { public static void main(String[] args){ try { Runtime rt = Runtime.getRuntime(); String[] cmdArr = { "bash", "checkfileindirectory.sh", "<directory_to_search>", "<file_to_find>" }; Process p = rt.exec(cmdArr); } catch (Exception e) { e.printStackTrace(System.out); } } }

To provide some context, the shell script is just a wrapper for the find command that searches for a file in a directory. It takes two arguments directory_to_search and file_to_find. The directory_to_search argument to the script is fixed but the user contains the file_to_find argument. Is there are payload that can be used to chain multiple bash commands in this scenario?

Improve this question

    1 Answer 1

    Reset to default
    3

    I ran your program, linked to a checkfileindirectory.sh that looks like this:

    #!/bin/bash echo $1 > param1.txt echo $2 > param2.txt

    As a test, I changed "<file_to_find>" to "<file_to_find>;touch MikeWasHere.txt"

    String[] cmdArr = { "bash", "checkfileindirectory.sh", "<directory_to_search>", "<file_to_find>;touch MikeWasHere.txt" };

    And I get this output:

    ➜ /tmp javac FindFileInDir.java ➜ /tmp java FindFileInDir ➜ /tmp cat param1.txt <directory_to_search> ➜ /tmp cat param2.txt <file_to_find>;touch MikeWasHere.txt ➜ /tmp ls MikeWasHere.txt ls: cannot access 'MikeWasHere.txt': No such file or directory

    So it looks like java's rt.exec() is injection-safe.

    OWASP's page on command injection has a paragraph about java's exec (emphasis mine):

    C’s system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using “&”, “&&”, “|”, “||”, etc, redirecting input and output) would simply end up as a parameter being passed to the first command

    That seems consistent with our experiment that java's rt.exec() is injection-safe.

    Improve this answer

      You must log in to answer this question.

      Start asking to get answers

      Find the answer to your question by asking.

      Ask question

      Explore related questions

      See similar questions with these tags.