Sunday, December 27, 2009

I have a C coding homework to test for some command injection vulnerability?

I was given this lab, but I don't know exactly what he is asking. Here is the task for the lab:

Task 2:

Using the gcc compiler provided with Cygwin, create a program (commandinject.c) that contains the code below.

    #include <stdio.h>
    #include <stdlib.h>     /* malloc, system */
    #include <string.h>     /* strlen, strncpy, strncat */
    #include <unistd.h>

    int main(int argc, char **argv) {
        char cat[] = "cat ";
        char *command;
        size_t commandLength;

        if (argc < 2) {
            fprintf(stderr, "usage: %s <file>\n", argv[0]);
            return 1;
        }

        commandLength = strlen(cat) + strlen(argv[1]) + 1;
        command = (char *) malloc(commandLength);
        strncpy(command, cat, commandLength);
        strncat(command, argv[1], (commandLength - strlen(cat)));
        /* argv[1] is handed to the shell unmodified */
        system(command);
        return (0);
    }


Execute your program with the addition of a parameter that is a filename of a text file that the program will perform a “cat” on. For example, I used the following command on my program: ./commandinject commandinject.c.


The program as given takes a parameter, adds 'cat ' to the start of it, and then executes it.

If it was run as ./commandinject commandinject.c then all that would happen is that you'll see the contents of commandinject.c printed.

On the other hand, if it was called as:

    ./commandinject 'commandinject.c >temp.txt'

what happens is that it'll execute the command

    cat commandinject.c >temp.txt

and create a temp.txt file (or overwrite a file that was already there). Similarly using pipes you could execute arbitrary commands as part of this.

This is called command injection because you've injected a command into a program that wasn't expecting to do anything dangerous.

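As an added illustration, not part of the original question or of any answer above, the C program below puts the assignment's string-building next to a version that never involves a shell. build_command() reproduces the "cat " + argv[1] concatenation so the effect of a crafted argument can be inspected without executing it; is_plain_filename() is an allow-list check that accepts only plain filenames; run_cat_noshell() forks and execs cat directly, so the argument reaches cat as a single argv element and characters such as ';', '>' and '|' are never parsed by a shell. All three function names are my own, and the sample inputs in the comments are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Same concatenation as the assignment's program: prefix "cat " + argv[1].
 * The returned string is exactly what system() would hand to /bin/sh.
 * Building it without running it makes injected shell syntax visible.
 * Caller frees the result; NULL on allocation failure. */
char *build_command(const char *arg)
{
    const char prefix[] = "cat ";
    size_t len = strlen(prefix) + strlen(arg) + 1;
    char *cmd = malloc(len);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, len, "%s%s", prefix, arg);
    return cmd;
}

/* Allow-list check: letters, digits, '.', '_' and '-' only, non-empty,
 * and not starting with '-' so cat cannot mistake it for an option.
 * Path separators are excluded on purpose so only files in the working
 * directory can be read. Returns 1 if acceptable, 0 otherwise. */
int is_plain_filename(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened replacement for system(command): fork and exec cat directly.
 * The argument is one argv element, so ';', '>' and '|' are ordinary
 * filename bytes; no shell ever parses them. "--" ends option parsing.
 * Returns cat's exit status, 127 if exec failed, -1 if fork/wait failed. */
int run_cat_noshell(const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("cat", "cat", "--", path, (char *)NULL);
        _exit(127);              /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    /* Show what the original program would have executed for this argument,
     * e.g. for the constructed input 'commandinject.c >temp.txt' this is
     * "cat commandinject.c >temp.txt". */
    char *cmd = build_command(argv[1]);
    if (cmd != NULL) {
        fprintf(stderr, "original program would run: sh -c \"%s\"\n", cmd);
        free(cmd);
    }
    if (!is_plain_filename(argv[1])) {
        fprintf(stderr, "rejected: argument is not a plain filename\n");
        return 2;
    }
    return run_cat_noshell(argv[1]);
}
```

Run it with the same arguments as the assignment's program (./commandinject commandinject.c works unchanged) and then with an argument containing a redirection or pipe: the allow-list rejects it, and even with the check removed the fork/exec path only produces a "no such file" error from cat, because the whole argument was treated as one filename.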
Perhaps the teacher was thinking of one of two approaches to injecting code into the application.

So, generate a system() call that passes more than 255 characters to the command (which is supposed to be a limitation of DOS). Or possibly pass the name of a file that has an extremely long line of text that is random characters but finishes with a piece of code that you're trying to inject into the application. This would be buffer overload injection.

I don't think this is a buffer overload issue.

Basically, all they have asked you to do is compile the program and run it, just as you said.

Now, the vulnerability that exists is that you could call it with something like:

    ./commandinject 'myaccount.txt /etc/passwd'

and if it ran with root privs you could create your own root account and access the entire system.
