In a Solaris telnet vulnerability thread, Casper Dik said:

> It's not "still" in Solaris; it's the first time it occurred in
> Solaris; it is stupid it did but it's a typical programming error:
> passing unchecked arguments to a program without escaping special
> characters.

The emerging terminology for this kind of issue is "argument injection" (CWE-88), although like many vulnerability-related concepts, the term is attack-focused. Then again, "failure to properly construct a command or directive such that all arguments/switches are under full control of the calling program" just doesn't have the same ring to it, nor does it account for the fact that a large variety of weaknesses lead to the same behavior.

On one level, this kind of issue applies to many kinds of behaviors, not just invocation of OS commands. For example, using onload/onmouseover attributes for XSS could be thought of as a type of argument injection, as could certain variants of SQL injection. You can get into a lot of subtle variations on this one theme, even in OS command invocation: switches like "--" bypassing blacklists that just look for "-", use of "/a" style switches when invoking Windows programs, conducting arg injection through URI handlers, etc.

Theoretically, argument injection doesn't just involve "special characters," but any set of reserved words or constructs that are used as separators between arguments or data elements. When you are doing some kind of invocation across representation boundaries, you have to have a correct model for how the arguments will be interpreted, which is likely impossible if you're invoking arbitrary programs that will have their own parsing routines. Command line switches are just the low hanging fruit.
Some interesting/relevant examples: CVE-1999-0113 (the canonical AIX -froot example), CVE-2007-0882 (Solaris -froot), CVE-2006-4692, CVE-2006-6597, CVE-2006-3015, CVE-2006-2312, CVE-2006-2058, CVE-2006-2057/CVE-2006-2056 (the same bug in Firefox and IE), CVE-2006-1865, CVE-2005-4699, and probably a few dozen others that aren't explicitly labeled as such.

- Steve
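The "-froot" pattern discussed above, as an added, constructed illustration that is not code from the thread nor the actual telnetd or login source of any system: a wrapper (the role in.telnetd or rlogind played) puts a client-chosen username onto the argv of a privileged helper, and the helper's own option parser reads "-froot" as the -f ("already authenticated") switch. The helper is a stand-in written with argparse, and a second stand-in with a hand-rolled parser shows why "--" alone is not a fix when you cannot rely on the callee's parsing routine. The function names, the username allowlist regex and the sample host name are all assumptions made for the example.

```python
"""Argument injection via a leading '-' (constructed example, not real telnetd/login code)."""
import argparse
import re
import shlex


def simulated_login(argv):
    """Stand-in for a privileged login program's option parser (constructed).

    -f <user> means 'user is pre-authenticated, skip the password', which is the
    semantics the -froot CVEs abuse. argparse accepts '-froot' as '-f root' and
    honours '--' as end-of-options.
    """
    parser = argparse.ArgumentParser(prog="login", add_help=False)
    parser.add_argument("-p", action="store_true", help="preserve environment")
    parser.add_argument("-h", dest="host", help="remote host name")
    parser.add_argument("-f", dest="preauth", help="user already authenticated")
    parser.add_argument("user", nargs="?")
    ns, _unknown = parser.parse_known_args(argv)
    if ns.preauth is not None:
        return {"user": ns.preauth, "password_required": False, "host": ns.host}
    return {"user": ns.user, "password_required": True, "host": ns.host}


def simulated_legacy_login(argv):
    """Stand-in for a hand-rolled parser that never learned about '--' (constructed).

    Anything starting with '-' is a switch wherever it sits, so '--' is silently
    ignored and a '-froot' that follows it is still parsed as -f root.
    """
    preauth, user, host = None, None, None
    i = 0
    while i < len(argv):
        a = argv[i]
        if a.startswith("-f") and len(a) > 2:
            preauth = a[2:]
        elif a == "-f":
            preauth = argv[i + 1]
            i += 1
        elif a == "-h":
            host = argv[i + 1]
            i += 1
        elif a.startswith("-"):
            pass  # -p, '--' and anything else beginning with '-' are ignored
        else:
            user = a
        i += 1
    if preauth is not None:
        return {"user": preauth, "password_required": False, "host": host}
    return {"user": user, "password_required": True, "host": host}


def vulnerable_argv(remote_user, remote_host):
    """The wrapper's original mistake: the client-chosen name goes straight into argv."""
    return ["login", "-p", "-h", remote_host, remote_user]


def shell_escaping_helps(remote_user):
    """True only if escaping shell metacharacters would change the value at all.

    This is the 'escape special characters' fix from the quoted message; for
    '-froot' it is a no-op because '-' is not a shell metacharacter.
    """
    return shlex.quote(remote_user) != remote_user


# Assumed allowlist: lowercase POSIX-style account names, no leading '-'.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def hardened_argv(remote_user, remote_host):
    """Hardened wrapper: reject anything that is not a plain account name, and
    additionally put '--' before the value for callees that honour it."""
    if not USERNAME_RE.fullmatch(remote_user):
        raise ValueError("rejected username %r" % remote_user)
    return ["login", "-p", "-h", remote_host, "--", remote_user]


def run_vulnerable(remote_user, remote_host):
    return simulated_login(vulnerable_argv(remote_user, remote_host)[1:])


def run_hardened(remote_user, remote_host, callee=simulated_login):
    return callee(hardened_argv(remote_user, remote_host)[1:])


if __name__ == "__main__":
    print(run_vulnerable("-froot", "client.example"))      # root, no password
    print(shell_escaping_helps("-froot"))                  # False
    print(run_hardened("alice", "client.example"))         # alice, password
    print(simulated_legacy_login(["-p", "-h", "client.example", "--", "-froot"]))
```

The last line is the point about callees with their own parsing routines: against the argparse stand-in the "--" is enough to demote "-froot" to a plain username, but against the hand-rolled parser it is ignored and the injection succeeds, so the allowlist in hardened_argv (which rejects "-froot" before anything is executed) is the control that actually holds across callees.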