One Article Review

Home - The article:
Source Code White
Identifier 351855
Publication date 2016-02-04 17:03:53 (seen: 2016-02-04 17:03:53)
Title Java and Command Line Injections in Windows
Text Everyone knows that incorporating user-provided fragments into a command line is dangerous and may lead to command injection. That is why in Java many suggest using ProcessBuilder instead, where the program's arguments are supposed to be passed discretely as separate strings. However, on Windows processes are created with a single command line string, and since the parsing rules differ between runtime environments and are seemingly confusing, proper quoting is likewise complicated. This leaves Java on Windows vulnerable to the injection of additional arguments, and even commands, into the command line.

Windows' CreateProcess Command Lines

On Windows, the main function for creating processes is CreateProcess. In contrast to C API functions like execve, arguments are not passed separately as an array of strings but as a single command line. On the other side, the entry point function WinMain likewise receives a single command line string. Each program therefore has to parse the command line itself to extract its arguments. Although Windows provides the CommandLineToArgvW function, and supports C and C++ entry point functions where the runtime has already parsed the arguments and passes them in argc/argv style, the rules for quoting command line arguments, with all their quirks, can be quite confusing. There is no definitive guide on how to quote properly, let alone an ArgvToCommandLineW function that does it for you. That is why many get it wrong, as Daniel Colascione observes in "Everyone quotes command line arguments the wrong way". You should definitely read those two linked pages first to understand the rest of this blog post.

For testing, we'll use the following Java class, which utilizes ProcessBuilder as suggested: The resulting CreateProcess command line can be observed with Sysinternals Process Monitor (the Process Create event shows the exact command line passed to CreateProcess).

To see how the command line gets parsed, you can use the following program, which prints both the argv the C runtime hands to main and the result of CommandLineToArgvW. This already produces different and frankly surprising results in some cases: The last two are remarkable, as one additional quotation mark swaps the results of argv and CommandLineToArgvW.

Java's Command Line Generation in Windows

With the knowledge of how CreateProcess expects the command line arguments to be quoted, let's see how Java builds the command line and quotes the arguments on Windows. If a process is started using ProcessBuilder, the arguments are passed to the static method start of ProcessImpl, which is a platform-dependent class. In the Windows implemen
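The quoting rules discussed above, as an added example that is not part of the original post and not the JDK's code: a portable C re-implementation of the Microsoft C runtime's command-line-to-argv rules (the post-2008 CRT behaviour, not CommandLineToArgvW), a quoter following the scheme from Daniel Colascione's article, and a round trip showing how the naive "wrap in quotes if it contains a space" scheme lets a single argument such as a" b "c arrive at the target as three arguments while the escaped form survives intact. The function names (parse_cmdline, quote_arg, cmdline_argc, cmdline_arg_is, roundtrip_argc), the sample inputs and the target.exe name are assumptions of this example; it calls no Windows API, so it runs on any platform.

```c
/* Editor's added example (not from the Code White post or the JDK): a portable
 * re-implementation of the Microsoft C runtime's command-line-to-argv[] rules
 * plus the quoter from "Everyone quotes command line arguments the wrong way".
 * Function names and sample inputs are the editor's own. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 32
static bool is_ws(char c) { return c == ' ' || c == '\t'; }

/* Split cmd into argv[] (pointers into buf, which needs strlen(cmd)+1 bytes).
 * MSVCRT (2008+) rules: whitespace splits outside quotes; 2n backslashes before
 * '"' give n backslashes and toggle quoting, 2n+1 give n and a literal quote;
 * "" inside a quoted run is one literal quote (older CRTs and CommandLineToArgvW
 * disagree here). argv[0] is simpler: it ends at the first whitespace or at the
 * closing quote, with no backslash handling. Returns argc, or -1 on overflow. */
int parse_cmdline(const char *cmd, char *buf, char *argv[], int max_args)
{
    int argc = 0;
    const char *p = cmd;                        /* input cursor */
    char *o = buf;                              /* output cursor */
    while (is_ws(*p)) p++;
    if (*p && max_args > 0) {                   /* program name */
        argv[argc++] = o;
        if (*p == '"') { p++; while (*p && *p != '"') *o++ = *p++; if (*p) p++; }
        else while (*p && !is_ws(*p)) *o++ = *p++;
        *o++ = '\0';
    }
    for (;;) {                                  /* remaining arguments */
        while (is_ws(*p)) p++;
        if (!*p) return argc;
        if (argc >= max_args) return -1;
        argv[argc++] = o;
        bool quoted = false;
        while (*p && (quoted || !is_ws(*p))) {
            if (*p == '\\') {
                size_t bs = 0;
                while (*p == '\\') { bs++; p++; }
                bool bq = (*p == '"');          /* backslashes only matter before a quote */
                for (size_t i = 0; i < (bq ? bs / 2 : bs); i++) *o++ = '\\';
                if (bq && bs % 2) { *o++ = '"'; p++; }
            } else if (*p == '"') {
                p++;
                if (quoted && *p == '"') { *o++ = '"'; p++; }
                else quoted = !quoted;
            } else *o++ = *p++;
        }
        *o++ = '\0';
    }
}

/* Quote one argument so parse_cmdline reproduces it exactly; returns the
 * length written, or -1 if out is too small. */
int quote_arg(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
#define PUT(c) do { if (n + 1 >= outsz) return -1; out[n++] = (c); } while (0)
    PUT('"');
    for (;; arg++) {
        size_t bs = 0;
        while (*arg == '\\') { bs++; arg++; }
        if (!*arg) {                /* double trailing backslashes: none may eat the closing quote */
            for (size_t i = 0; i < 2 * bs; i++) PUT('\\');
            break;
        }
        for (size_t i = 0; i < (*arg == '"' ? 2 * bs + 1 : bs); i++) PUT('\\');
        PUT(*arg);
    }
    PUT('"');
    out[n] = '\0';
    return (int)n;
}

/* Argument count the CRT would see for cmd. */
int cmdline_argc(const char *cmd)
{
    char buf[512], *v[MAX_ARGS];
    return strlen(cmd) < sizeof buf ? parse_cmdline(cmd, buf, v, MAX_ARGS) : -1;
}

/* True if argv[idx] of cmd equals expected. */
bool cmdline_arg_is(const char *cmd, int idx, const char *expected)
{
    char buf[512], *v[MAX_ARGS];
    int n = strlen(cmd) < sizeof buf ? parse_cmdline(cmd, buf, v, MAX_ARGS) : -1;
    return idx >= 0 && idx < n && strcmp(v[idx], expected) == 0;
}

/* Build "prog arg" the naive way many launchers do (quote only when arg has
 * whitespace, leave quotes inside it alone) or with quote_arg; return argc seen. */
int roundtrip_argc(const char *prog, const char *arg, bool proper)
{
    char q[256], line[512];
    if (proper) { if (quote_arg(arg, q, sizeof q) < 0) return -1; }
    else snprintf(q, sizeof q, strpbrk(arg, " \t") ? "\"%s\"" : "%s", arg);
    snprintf(line, sizeof line, "%s %s", prog, q);
    return cmdline_argc(line);
}
```

With the constructed argument a" b "c, roundtrip_argc("target.exe", "a\" b \"c", false) yields 4 while the proper variant yields 2: the launcher believed it passed one argument, the target received three, which is the argument injection the post is about. Because this code never calls CreateProcess or CommandLineToArgvW, it cannot reproduce the discrepancies between the two Windows parsers; for those, the post's own test program has to be run on Windows.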
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.