Date: May 9, 2006 / year-entry #160
Last time, we left off with a promise to discuss ways your program can be Internet-facing without your even realizing it, and probably the most common place for this is the command line. Thanks to CIFS, files can be shared across the Internet and accessed via UNC notation. This means that anybody can set up a CIFS server and create files like
And that's where the command line attack comes from. Suppose your program is a handler for a file association. Say, your program is
Notice that the attacker controls the path. This means that if you have a bug in your command line parser, the attacker can exploit it.
Note that this extends beyond merely extra-long file names. If you registered your verb incorrectly by forgetting to put quotation marks around the file name insertion
Your parser then breaks the command line up into words and interprets this command line as having three parts:
The program then tries to load the file
Of course, the attacker also controls the contents of the file, so any vulnerabilities in your file parser can be exploited as well.
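The effect of forgetting the quotation marks around the file name insertion can be checked mechanically. The following is an added example, not code from the original post: the verb templates, the `ExampleApp` path and the remote file name are constructed, and the splitter is a simplified model (whitespace and double quotes only) rather than the exact rules any particular runtime uses.

```python
# Added example: verb templates and paths below are constructed.
def split_command_line(cmdline):
    """Simplified split: whitespace separates words, double quotes group
    them. Backslash-escape rules are intentionally left out."""
    words, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                words.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        words.append("".join(cur))
    return words

def expand_verb(template, path):
    """Model of the file name insertion: %1 is replaced by the path as-is."""
    return template.replace("%1", path)

def has_unquoted_insertion(template):
    """Return True if any %1 in the template sits outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(template):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and template.startswith("%1", i):
            return True
    return False

# Hypothetical registrations and a constructed remote file name.
UNQUOTED = r'"C:\Program Files\ExampleApp\app.exe" %1'
QUOTED = r'"C:\Program Files\ExampleApp\app.exe" "%1"'
REMOTE = r"\\server.example\share\Q2 sales figures.dat"

if __name__ == "__main__":
    for template in (UNQUOTED, QUOTED):
        argv = split_command_line(expand_verb(template, REMOTE))
        print(has_unquoted_insertion(template), argv[1:])
```

With the unquoted template the single file name reaches the program as several separate words; with `"%1"` it arrives as one argument.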
If you write a shell extension, your extension will run if the user activates it on the remote file. For example, if you have a context menu extension, it will be instantiated and initialized with the remote file as the data object. Many context menu extensions contain buffer overflow bugs in the way they mishandle the names of the files that the user right-clicked on. (Notice that I said "names"—plural. The user might multi-select files and right-click on them.) For example, a certain shareware file archival program responds to the
Just because your program doesn't contact the Internet explicitly doesn't mean it's safe from Internet-based attacks.