env-vars

Unsanitized Environment Variables

Environment variables are variables that are maintained outside of running programs. They take the form of 'name=value' and are used to keep track of data that changes infrequently. For example, the environment variable HOME usually holds the path to a user's home directory. Since these variables are set by the user, this creates space for a potential attack. If a program uses unchecked environment variables, an attacker can set the variable's value to something malicious, which will now be used when the program calls on the variable.

Attack Vector

  1. The attacker might have to do some research on the program's metadata to figure out what environment variables exist and in what form.

  2. Next, they can explore the program they are trying to exploit, searching for places where environment variables are used and noticing how processes use them.

  3. Lastly, the attacker can modify the environment variable so that its function will be unexpected during normal operations.

Impact

The impact of unsanitized environment variables depends on how the modified environment variable is used in the program and what the attacker sets it to. This can range from gaining higher permissions to buffer overflow attacks that break the program.

Attack Examples

Example 1

A program uses the environment variable PWD to check the current working directory at the beginning of its execution. An attacker can set the PWD variable before running the program to a very long string instead of the usual path string. Now, when the program calls for PWD and tries to read the resulting very long string into a buffer, a buffer overflow occurs and the program seg faults. Next, the attacker tries setting the PWD variable to a more useful very long string to perform a successful buffer overflow attack.

Example 2

A silly attacker wants to play a prank on her friend. When her friend is not looking, she sets the environment variable LC_ALL, a language variable, on her friend's computer to 'es_ES', spanish! Now, when her non spanish speaking friend tries to print things using the printf command, which uses the LC_ALL variable to determine the language of the output, it is in spanish!

Defenses

Some defences against unsanitized environment variable attacks include:

  • Setting protective read-write permissions on environment variables

  • Sanitizing the value of environment variables before using them in the program

  • Using secure methods to get environment variables in programs, ex. secure_getenv()

  • Only letting the program rely on the values of environment variables when absolutely necessary

Tips for Demonstration

To demonstrate an unsanitized environment variable attack, provide 1) the environment variable you changed and what you changed it to, 2) where this variable is used in the handin source code and 3) what the resulting effect is.

Other resources

https://en.wikipedia.org/wiki/Environment_variable

https://opensource.com/article/19/8/what-are-environment-variables

https://capec.mitre.org/data/definitions/13.html

https://owasp.org/www-community/attacks/Buffer_Overflow_via_Environment_Variables

https://www.hale-legacy.com/class/security/s20/handout/slides-env-vars.pdf

srowley1, wschor