Injection attacks on Runtime.exec

Hey all,

I am trying to prove that an injection attack is not possible on the following code, where "filePath" and "args" are supplied from an unknown source.

Process p = Runtime.getRuntime().exec("java -Djava.security.manager " + filePath + " " + args, null, new File("C:\\Program Files\\eclipse\\workspace\\bin"));

I have verified that filePath does indeed point to a Java class file that is a child of the bin directory. NB -Djava.security.manager is the default java security manager which will invoke the program with similar privileges to that of an applet (so the invoked program is fully sandboxed).

Thanks,

Will

[657 byte] By [WillRyana] at [2007-11-26 18:22:13]

«« JTable selection problem when insert a row
»» jdbc connection blocks when run from jar

# 1

[Deleted as inapplicable - I should read more carefully]

dcmintera at 2007-7-9 5:56:07 >

top of Java-index,Java Essentials,Java Programming...

# 2

Not sure if this will work, but what if someone supplies a Unix pipe (or any number of operations) as 'args'?- Saish

Saisha at 2007-7-9 5:56:07 >

# 3

I doubt that will work (for the bad guy) because it's the operating system shell that takes care of piping and redirecting, and Runtime.exec() doesn't execute the shell. But I would say that should definitely be tested.

DrClapa at 2007-7-9 5:56:07 >

# 4

For example, if I do the following:touch erase_meecho `rm -f .`the file is actually erased. Have you tried something like this when you pass in a value for 'args'?- Saish

Saisha at 2007-7-9 5:56:07 >

# 5

Sorry, I am stupid, you had Windows paths, didn't you? Might still be possible in Windows. DOS is not that smart. :^)- Saish

Saisha at 2007-7-9 5:56:07 >

Java programming resources: FAQs, tutorials, compiler and browser download sites, documentation, books lists, IDEs, etc.

Injection attacks on Runtime.exec

Java Essentials New Topic

Java Essentials Hot Topic

Java Essentials

All Classified