Command Injection in .NET: 82% Proven that is 98% Impossible

So I decided to also slap together a .NET version of the Java command injection testing thing I posted yesterday in response to Alex Smolen’s blog post on .NET and Java command injection.  It is up online here:

http://www.dancornell.com/files/DotNetCommandInjection.zip

.NET looks to be similarly resistant to command injection. Like Java's Runtime.exec(), .NET's Process.Start() launches the named executable directly rather than handing the string to a command interpreter, so metacharacters such as &, | and ; in the input arrive at the child as literal argument text instead of being parsed as command separators. That holds only as long as the program you launch is not itself cmd.exe or another shell.

Also, “Jordan” posted a comment to the previous post:

One quick way to verify Java isn’t vulnerable is to see which native functions it’s using. On Linux, use strace -f java […]/Main on your test app and look for exec or system. Yup, we see execve — safe calls.

I suppose you could do it that way, if you wanted the easy way to find out what was actually going on. But then you wouldn't get to write any rudimentary Java code, and what fun would that be? Joking aside, that is a great idea: if the trace shows execve() on the target binary rather than a call to system() or a spawned /bin/sh, then no command interpreter ever sees the string, which is exactly the property the test cases are probing for.

Does that mean you don't need to validate input that is passed to external programs from Java and .NET? No. Even with no shell in the picture, unvalidated input still gives an attacker control over command-line arguments and filenames: an extra switch the target program honours, a path outside the directory you expected, or, when the arguments are assembled as a single string, whitespace and quotes that split one intended argument into several. And if the program you launch is cmd.exe /c, /bin/sh -c or another interpreter, you are right back to classic command injection. Plus there may be other ways to break out of this that my 60 lines of Java or C# test code and 15 test cases didn't find. (What a surprise that would be!) Sleep a little better at night. But not too well.
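To make the difference concrete, here is an added C# example (mine, not code from the original post or from the DotNetCommandInjection.zip harness) that spawns itself as a child process and prints the arguments the child actually receives. It assumes .NET 6 or later (Environment.ProcessPath, ProcessStartInfo.ArgumentList, OperatingSystem.IsWindows) and uses a constructed hostile input string; the class and method names are mine.

```csharp
using System;
using System.Diagnostics;
using System.Linq;

// Added example, not part of the original post or its test harness.
// Requires .NET 6+ (Environment.ProcessPath, ProcessStartInfo.ArgumentList).
class CommandInjectionDemo
{
    // Constructed attacker-controlled input: a filename with a trailing command.
    // "&&" is a command separator in both cmd.exe and /bin/sh.
    const string Hostile = "report.txt && echo INJECTED";

    static int Main(string[] args)
    {
        // Child mode: print each argument we received, one per line, so the
        // parent can see exactly how the command line was split.
        if (args.Length > 0 && args[0] == "--echo-args")
        {
            foreach (string a in args.Skip(1))
                Console.WriteLine($"[{a}]");
            return 0;
        }

        string self = Environment.ProcessPath!;

        // 1. Through a command interpreter: the interpreter parses "&&" and runs
        //    the injected command. This is the classic, vulnerable pattern.
        bool win = OperatingSystem.IsWindows();
        string shell = win ? "cmd.exe" : "/bin/sh";
        string shellArgs = win ? $"/c echo {Hostile}" : $"-c \"echo {Hostile}\"";
        Console.WriteLine("--- via shell ---");
        Console.Write(Run(shell, shellArgs));

        // 2. Direct start with Arguments as one string: no interpreter sees the
        //    text, so "&&" is just an argument. But the string is still split on
        //    spaces and quotes, so the attacker controls how many arguments arrive
        //    and what each one says (argument injection, not command injection).
        Console.WriteLine("--- direct, Arguments string ---");
        Console.Write(Run(self, $"--echo-args {Hostile}"));

        // 3. Direct start with ArgumentList: each value is escaped as exactly one
        //    argument, so the hostile string reaches the child as a single
        //    (odd-looking) filename rather than several arguments.
        Console.WriteLine("--- direct, ArgumentList ---");
        var psi = new ProcessStartInfo(self);
        psi.ArgumentList.Add("--echo-args");
        psi.ArgumentList.Add(Hostile);
        Console.Write(Run(psi));
        return 0;
    }

    static string Run(string fileName, string arguments) =>
        Run(new ProcessStartInfo(fileName, arguments));

    // Start the process without ShellExecute, capture stdout, wait for exit.
    static string Run(ProcessStartInfo psi)
    {
        psi.UseShellExecute = false;
        psi.RedirectStandardOutput = true;
        using Process p = Process.Start(psi)!;
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return output;
    }
}
```

Run it with `dotnet run` or by executing the built apphost binary; if you start it as `dotnet Demo.dll`, Environment.ProcessPath points at the dotnet host rather than this program and the child-mode branch never fires. The first section is the only one where the injected echo executes; the second shows that the no-shell case still lets the input change the argument vector; the third is the ArgumentList form you want when any part of the argument comes from outside.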

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

One Response to “Command Injection in .NET: 82% Proven that is 98% Impossible”

  1. Louvenia

    Hmm, it looks like your site ate my first comment (it was extremely long), so I guess I'll just sum up what I had written and say I'm thoroughly enjoying your blog. I too am an aspiring blogger but I'm still new to everything. Do you have any points for rookie blog writers? I'd really appreciate it.
