By Dan Cornell
So I decided to also slap together a .NET version of the Java command injection testing thing I posted yesterday in response to Alex Smolen's blog post on .NET and Java command injection. It is up online here:
http://www.dancornell.com/files/DotNetCommandInjection.zip
.NET looks to be similarly resistant to command injection.
Also, "Jordan" posted a comment to the previous post:
I suppose you could do it that way. If you wanted the easy way to find out what was actually going on. But then you wouldn't get to write any crudimentary Java code - and what fun would that be? That's actually a great idea.
Does that mean you don't need to validate input sent to command interpreters on Java and .NET? No. Failing to do so can still give attackers control over command-line arguments and filenames. Plus there may be other ways to break out of this that my 60 lines of Java or C# test code and 15 test cases didn't find. (What a surprise that would be!) Sleep a little better at night. But not too well.
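As an added illustration of that last point (this is not code from the DotNetCommandInjection.zip test harness), here is the shape a .NET caller should have: the process is started directly with no shell, each argument is passed as its own argv entry, and the user-supplied filename is allowlisted before it is used. The tool name `findstr`, the `SafeFileName` pattern and the method names are assumptions for the example; `ProcessStartInfo.ArgumentList` requires .NET Core 2.1 or later.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example, not Dan Cornell's test code. Demonstrates why argument and
// filename validation is still needed even though Process.Start does not
// hand the command line to cmd.exe.
public static class SafeProcessLaunch
{
    // Allowlist for a plain file name: must start with a letter, digit or
    // underscore (so "-r"-style option injection is rejected), and may not
    // contain path separators, spaces or shell metacharacters.
    // The pattern itself is an assumption chosen for this example.
    private static readonly Regex SafeFileName =
        new Regex(@"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$", RegexOptions.CultureInvariant);

    public static bool IsSafeFileName(string name) =>
        name != null && SafeFileName.IsMatch(name);

    // Runs "findstr <pattern> <fileName>" (findstr is assumed to be on PATH)
    // and returns its standard output.
    public static string RunFindstr(string pattern, string fileName)
    {
        if (!IsSafeFileName(fileName))
            throw new ArgumentException("rejected file name", nameof(fileName));

        var psi = new ProcessStartInfo("findstr")
        {
            UseShellExecute = false,       // launch the executable directly, no shell
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            CreateNoWindow = true,
        };

        // Each ArgumentList entry becomes a separate, correctly quoted argument,
        // so characters like & | > in user input stay literal text.
        psi.ArgumentList.Add(pattern);
        psi.ArgumentList.Add(fileName);

        using var proc = Process.Start(psi);
        string output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
        return output;
    }

    public static void Main()
    {
        // Constructed sample inputs: the first is accepted, the rest are
        // rejected by the allowlist before any process is started.
        string[] candidates = { "notes.txt", "notes.txt && del *.*", "-r", "..\\secrets.ini" };
        foreach (var c in candidates)
            Console.WriteLine($"{c,-24} -> {(IsSafeFileName(c) ? "accepted" : "rejected")}");
    }
}
```

The allowlist is doing the real work here: because the shell is never involved, the only thing an attacker controls is what the target program receives as an argument, so the check has to be about what that program will do with the value (a leading `-` becoming an option, a `..\` path escaping the intended directory), not about shell metacharacters.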
--Dan
dan _at_ denimgroup.com