github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Local command injection for C# console applications #765

Closed cldrn closed 1 year ago

cldrn commented 1 year ago

Query PR

https://github.com/github/codeql/pull/13551

Language

C#

CVE(s) ID list

Not publicly disclosed yet. I will be submitting more reports to projects affected by this issue.

CWE

CWE-078

Report

  1. This query extends the possibility of detecting command injection bugs in C# console applications. Current command injection query does not detect this pattern.
  2. Code that passes user input from local sources directly to System.Diagnostics.Process.Start, or some other library routine that executes a command, allows the user to execute malicious code. Added a local flow to consider program arguments used in console applications.
  3. I extended and replicated what we have for external sources but added new sources for local arguments.
  4. In my testing, I didn't see any false positives.
  5. Additional information can be shared privately :)

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

I could write a blog post similar to https://websec.ca/publication/Blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL
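The local-source flow the submission describes (console arguments reaching Process.Start through a shell), shown beside a hardened form that the query would not flag. This is an added illustration, not code from the PR or the report; the `git log` wrapper, the `repo` directory and the helper names are assumptions.

```csharp
// Added example: CWE-078 via local program arguments in a C# console app.
// Assumed scenario: a tool invoked as `tool <path>` that prints git history.
using System;
using System.Diagnostics;
using System.IO;

static class Program
{
    // Sink flagged by the query: args[0] (a local source) is concatenated into
    // a command line handed to the shell, so shell metacharacters in the
    // argument are interpreted as additional commands.
    static void Vulnerable(string[] args)
    {
        var psi = new ProcessStartInfo("cmd.exe", "/c git log -- " + args[0]);
        Process.Start(psi);
    }

    // Hardened form: fixed executable, no shell, the argument passed as one
    // discrete token via ArgumentList (.NET Core 2.1+), "--" to stop git from
    // reading it as an option, and the path confined to an allowed directory.
    static void Hardened(string[] args)
    {
        string repoRoot = Path.GetFullPath("repo");            // assumed root
        string path = Path.GetFullPath(Path.Combine(repoRoot, args[0]));
        if (!path.StartsWith(repoRoot + Path.DirectorySeparatorChar,
                             StringComparison.Ordinal))
            throw new ArgumentException("path escapes the repository root");

        var psi = new ProcessStartInfo("git") { UseShellExecute = false };
        psi.ArgumentList.Add("log");
        psi.ArgumentList.Add("--");
        psi.ArgumentList.Add(path);
        using var proc = Process.Start(psi);
        proc.WaitForExit();
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: tool <path>");
            return;
        }
        Hardened(args);   // Vulnerable(args) is kept only for comparison
    }
}
```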

ghsecuritylab commented 1 year ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

pwntester commented 1 year ago

Hi @cldrn, I'm sorry, but after careful discussion we have decided not to accept the submission for the bounty program. The main reason is that it basically adds local sources to an existing query, which lowers the scope and does not make the cut.