Transferring program control to an untrusted application program, or invoking a program in an untrusted environment, can cause an application to execute malicious commands on behalf of an attacker.
Process control vulnerabilities take two forms:
- An attacker can change the name of the program being invoked: the attacker explicitly controls what the name of the application program is.
- An attacker can change the environment in which the program is invoked: the attacker implicitly controls a communication area made available to the invoked program.
This description is primarily concerned with the first scenario: the possibility that an attacker can control the name of the program that is invoked. Process control vulnerabilities of this type occur when:
1. Data enters the application from an untrusted source.
2. The data is used as or as part of a string representing a program that is invoked.
3. By executing code from the invoked program, the application gives the attacker a privilege or capability that the attacker would not otherwise have.
Example: The following code from a privileged system utility reads a value from the terminal to determine the name of the program to transfer control to.
...
*> PROGNAME is read from the terminal and used unchanged as the LINK target.
ACCEPT PROGNAME.
EXEC CICS
    LINK PROGRAM(PROGNAME)
         COMMAREA(COMA)
         LENGTH(LENA)
         DATALENGTH(LENI)
         SYSID('CONX')
END-EXEC.
...
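The check a reviewer would want in front of the LINK above: canonicalise the terminal value the way a space-padded PIC X(8) field arrives, reject anything that is not a syntactically valid program name, and only then require a hit on a fixed allow-list. This is an added illustration in Python, not the page's COBOL or any real CICS code; the program names in the allow-list are constructed.

```python
"""Allow-list check for a program name received from an untrusted source.

Models the CICS `LINK PROGRAM(PROGNAME)` pattern, where the name typed at
the terminal otherwise becomes the invoked program verbatim.
"""
import re
from typing import Callable, Optional

# Constructed allow-list: the only programs this utility is meant to reach
# (hypothetical names, not taken from any real system).
ALLOWED_PROGRAMS = frozenset({"ACCTINQ", "ACCTUPD", "RPTPRINT"})

# CICS program names are 1-8 characters. A COBOL PIC X(8) field arrives
# space-padded, so trailing blanks are stripped before comparison.
_NAME_RE = re.compile(r"[A-Z0-9@#$]{1,8}")


def vulnerable_target(progname: str) -> str:
    """Unsafe pattern: whatever the terminal sent is the LINK target."""
    return progname.rstrip()


def safe_target(progname: str) -> Optional[str]:
    """Return the program to LINK to, or None if the request must be refused.

    Upper-casing is an assumption about how the terminal delivers input;
    drop it if the field is already folded to upper case upstream.
    """
    name = progname.rstrip().upper()
    if not _NAME_RE.fullmatch(name):
        return None  # empty, too long, embedded blank, or odd characters
    if name not in ALLOWED_PROGRAMS:
        return None  # syntactically fine but not a program we hand control to
    return name


def dispatch(progname: str, link: Callable[[str], None]) -> bool:
    """Call `link(name)` only for an allowed program; refuse everything else."""
    target = safe_target(progname)
    if target is None:
        # Refuse outright rather than fall back to a default chosen by the caller.
        print(f"refused LINK request: {progname!r}")
        return False
    link(target)
    return True
```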
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3570 CAT I
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 114
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[9] Standards Mapping - FIPS200 - (FISMA) SI