In my Java class I am running the following command to establish a network connection to a server, like:

Runtime runtime = Runtime.getRuntime();
// username and password come straight from user input and are concatenated into the command string
Process process = runtime.exec("net use \"\\\\External\\path\\download.zip\" password /user:username");

Above, the password and username are accepted from the user.

As the above process runs with system privileges, an attacker can use command separators (&, &&, ;, ||, (), etc.) and execute multiple commands in the above single statement.

I went through this, which mainly talks about changing the privileges of the executing command and whitelisting or blacklisting user input.

Now, my problem is that the username and password can both contain any combination of characters, so I cannot blacklist (&, &&, ;, ||, (), etc.), and runtime.exec runs in system mode, so I am not able to come up with a solution.

I have already thought of using ProcessBuilder, but runtime.exec calls the same code after fragmenting the command on spaces. So, this is not of any help.

Also, I do not want to introduce a 3rd-party library to solve this issue, but if that is the only solution then I have to accept it.

If I can remove the usage of runtime.exec for establishing the network connection, that would be great.

quintin
  • Which attacker? How could the attacker access this command and modify it? – Yazan Jul 12 '17 at 12:19
  • Not really a Java problem. You are basically allowing the user to input whatever they want; I don't really see a solution other than sanitization here. – cen Jul 12 '17 at 12:46
  • Use [jCIFS](https://jcifs.samba.org/) and access the files with pure Java? – Elliott Frisch Jul 12 '17 at 12:48
  • @Yazan I am trying to establish a connection here to an external location/server path with its user name and password. So, the user can enter anything, which is getting appended to the command. – quintin Jul 12 '17 at 14:26
  • @cen As the username and password are external to my application, I really cannot restrict the user from entering a certain vulnerable combination, because that might be the user's password or user name. – quintin Jul 12 '17 at 14:28
  • @ElliottFrisch shall be looking into jCIFS – quintin Jul 12 '17 at 14:30
  • @ElliottFrisch jCIFS is not a very straightforward solution and I am not able to figure out how to achieve the above functionality with it. – quintin Jul 13 '17 at 06:45
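The separators listed in the question are only dangerous when cmd.exe parses the string; net.exe itself does not interpret them. The following is an added example (not code from the question or any answer) that passes each argument as its own argv element through ProcessBuilder, so no shell is involved and runtime.exec's whitespace splitting is avoided as well, and that hands the password to net.exe on standard input instead of the command line. It assumes net.exe's documented behaviour of prompting for the password when `*` is given in its place, and the class and method names are the example's own.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.Charset;
import java.util.List;

public class NetUseNoShell {
    /** Reject the few characters that cannot be handed to net.exe safely. */
    static void requireSafeArgument(String name, String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException(name + " must not be empty");
        }
        for (char c : value.toCharArray()) {
            // A double quote could break the quoting Java applies to each Windows
            // argument; CR/LF/NUL would terminate the password line or the string.
            if (c == '"' || c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException(name + " contains an unsupported character");
            }
        }
    }

    /**
     * One list element per argv entry: no cmd.exe is involved, so '&', '|', ';'
     * or '(' in the user name are plain characters. The "*" argument makes
     * net.exe read the password from standard input instead of the command line.
     */
    static List<String> buildCommand(String uncPath, String user) {
        requireSafeArgument("user", user);
        return List.of("net", "use", uncPath, "*", "/user:" + user);
    }

    static int connect(String uncPath, String user, String password)
            throws IOException, InterruptedException {
        requireSafeArgument("password", password);
        ProcessBuilder pb = new ProcessBuilder(buildCommand(uncPath, user));
        pb.redirectOutput(ProcessBuilder.Redirect.INHERIT);
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);
        Process p = pb.start();
        // Answer net.exe's password prompt; the secret never appears in argv,
        // so other local processes cannot read it from the command line.
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write((password + "\r\n").getBytes(Charset.defaultCharset()));
        }
        return p.waitFor();   // 0 means the mapping succeeded
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; "p&ss||word" is only a password here, not commands.
        System.out.println(buildCommand("\\\\External\\share", "alice"));
        System.exit(connect("\\\\External\\share", "alice", "p&ss||word"));
    }
}
```

The character check is deliberately tiny: it rejects only what the transport cannot carry, not the separators the question worries about, which become harmless once no shell parses the arguments.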

0 Answers