
I am writing a console application which accepts a command line argument and runs a bat file. I use Process.Start() for running the bat file. Example code snippet below:

    using System;
    using System.Diagnostics;
    using System.Text.RegularExpressions;

    class Program
    {
        static void Main(string[] args)
        {
            string Folder = @"C:\Program Files\Somefolder";
            string filename = "someBatFile.bat";
            Process proc = null;
            try
            {
                // Require at least one digit, one letter and one special character, 12+ characters.
                // The hyphen is placed last in the class so it is a literal, not the range "*-+".
                string complexityRules = @"^(?=.*[0-9])(?=.*[A-Za-z])(?=.*[!@#$%&*+=^-]).{12,}$";

                // Make sure an argument was actually supplied before indexing args[0].
                if (args.Length > 0 && Regex.IsMatch(args[0], complexityRules))
                {
                    string batDir = Folder;
                    proc = new Process();
                    proc.StartInfo.WorkingDirectory = batDir;
                    proc.StartInfo.FileName = filename;
                    proc.StartInfo.Arguments = args[0];
                    proc.StartInfo.CreateNoWindow = false;
                    proc.StartInfo.UseShellExecute = false;
                    proc.Start();
                    proc.WaitForExit();
                }
            }
            catch (Exception ex)
            {
                // Report the failure instead of silently swallowing it.
                Console.Error.WriteLine(ex.Message);
            }
            finally
            {
                proc?.Dispose();
            }
        }
    }

I have read some links on the web, so I used a regex for validating the argument before sending it as a parameter to Process.Start() to avoid the attack. Even then I get an OS command line injection attack finding (from a third-party security testing scanner). Am I missing something? Any help appreciated. Thanks in advance :)
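As an added example (not code from the question or its comments), the same launch written the way a reviewer would want it, assuming .NET Core 2.1 or later for ProcessStartInfo.ArgumentList; the class and method names SafeBatchLauncher, IsSafeArgument and RunBatch are my own. The allow-list is the actual control: arguments to a .bat still pass through cmd.exe, which expands %VAR% even inside quotes and treats & | < > ^ specially, so the special-character set deliberately leaves those out, and ArgumentList only takes care of quoting.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example: validate a single password-style argument against a strict
// allow-list, then start the batch file without concatenating a command line.
static class SafeBatchLauncher
{
    // Same shape as the complexity rule in the question, but every character
    // must come from an explicit set, and the set excludes cmd.exe
    // metacharacters (% & | < > ^ ") as well as "!" (delayed expansion).
    // The hyphen is escaped so it is literal rather than forming a range.
    static readonly Regex ComplexityRule = new Regex(
        @"^(?=.*[0-9])(?=.*[A-Za-z])(?=.*[@#$*+=\-])[0-9A-Za-z@#$*+=\-]{12,}$",
        RegexOptions.Compiled);

    // True only when the candidate passes the allow-list.
    public static bool IsSafeArgument(string candidate)
    {
        if (string.IsNullOrEmpty(candidate)) return false;
        return ComplexityRule.IsMatch(candidate);
    }

    // Runs "cmd.exe /c <batFile> <password>" and returns the exit code.
    public static int RunBatch(string folder, string batFile, string password)
    {
        // Copy into a local first (as suggested in the comments) and reject
        // anything outside the allow-list before it reaches ProcessStartInfo.
        string candidate = password;
        if (!IsSafeArgument(candidate))
            throw new ArgumentException("argument rejected by allow-list");

        var psi = new ProcessStartInfo
        {
            FileName = "cmd.exe",          // make the interpreter explicit
            WorkingDirectory = folder,
            UseShellExecute = false,
            CreateNoWindow = true,
        };
        // ArgumentList quotes each element; we never build the string ourselves.
        psi.ArgumentList.Add("/c");
        psi.ArgumentList.Add(batFile);
        psi.ArgumentList.Add(candidate);

        using (var proc = Process.Start(psi))
        {
            proc.WaitForExit();
            return proc.ExitCode;
        }
    }
}
```

Whether a scanner still flags this depends on its rule, but the validation is now the gate between argv and the process, which is the property the finding is about.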

  • What are the valid arguments and which ones do you want to prevent? – PMF Jun 23 '21 at 19:05
  • The program uses only 1 argument from the command line. It is a password, which is given by the user. I am validating the same. – Karthik Karnam Jun 24 '21 at 04:12
  • I'm not sure this regex rule works as expected, but anyway: What do you mean by "command line injection attack"? If the argument matches the rule, it is forwarded as-is, and the batch file needs to handle whatever it is (which could be problematic if the argument contains quotes and spaces). – PMF Jun 24 '21 at 04:47
  • Regarding command line injection, check this link: https://dotnet-security-guard.github.io/SG0001.htm . OK, forget about the regex rule used. I tried using other rules, like allowing only if alphabets are present in the argument. Even then our scanner shows a command line injection vulnerability. – Karthik Karnam Jun 24 '21 at 04:58
  • Oh. Why didn't you write before that you get this warning _from a tool_? That would have made things easier. I guess this is a shortcoming of the detection. Try copying args[0] into a local variable and use that for validation. – PMF Jun 24 '21 at 07:43
  • (I have edited regarding the tool.) Tried this. It didn't work :( @PMF – Karthik Karnam Jun 24 '21 at 15:16
  • Karthik, were you able to figure it out? Thank you. – dailyUnknown Jan 12 '23 at 19:30
  • Hi @dailyUnknown, according to the guideline, we must not start any process with command line arguments, even though you validated the arguments. So if we want to really ignore this attack, either stop using Process.Start() or treat that as a false positive (only after validating all arguments). – Karthik Karnam Feb 07 '23 at 06:35

0 Answers