ccurtsinger Stabilizer Command Injection Vulnerability in szc Script Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the szc script of the ccurtsinger/stabilizer repository. This vulnerability allows remote attackers to execute arbitrary system commands by exploiting unsanitized user input that is passed to the os.system() function. The issue stems from inadequate input validation, as command-line arguments are directly appended to shell commands without proper scrutiny. The vulnerability affects the Stabilizer project, which is designed for performance evaluation on modern architectures, and arises when the szc compiler driver is used with untrusted input.
Impact
Exploitation of this vulnerability allows for remote code execution on the system where the Stabilizer szc script is executed.
Reproduction
To reproduce this vulnerability, run the szc script with the -o option followed by a filename that includes shell metacharacters, such as a semicolon. The specified command will be executed on the system, confirming the successful exploitation of the command injection vulnerability.
Remediation
Users are advised to sanitize all input to remove shell metacharacters before passing it to os.system(). Additionally, consider replacing os.system() with the subprocess module, which allows for safer execution of system commands by using a list of arguments instead of a single string, preventing shell interpretation.
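The following is an added example (not code from the Stabilizer project) showing the remediation described above: the compile command is kept as an argument list and run through subprocess with no shell, so a -o filename containing a semicolon reaches the child process as a single literal argument. Function names and the "cc"/"main.c" inputs are constructed for illustration.

```python
import json
import subprocess
import sys

# Hypothetical stand-in for a compiler driver's command construction.
# The advisory's flaw: argv values (such as the -o filename) were concatenated
# into a string handed to os.system(), so a shell parsed them. The fix below
# keeps the command as a list and never invokes a shell.


def looks_like_option(path):
    """True for empty paths or paths that a compiler could mistake for a flag."""
    return not path or path.startswith("-")


def build_compile_argv(compiler, sources, output):
    """Compose the compiler invocation as an argument list.

    Each element is passed to the child process verbatim; no shell ever sees
    it, so ';', '|' or '$(...)' inside a filename remain literal text.
    """
    if not sources:
        raise ValueError("no source files given")
    for path in list(sources) + [output]:
        if looks_like_option(path):
            raise ValueError(f"refusing path that looks like an option: {path!r}")
    return [compiler] + list(sources) + ["-o", output]


def run_compile(argv):
    """Run the argv list via subprocess; shell=False is the default."""
    return subprocess.run(argv, check=False).returncode


def argv_as_seen_by_child(args):
    """Launch a small Python child that echoes its argv as JSON, to verify
    offline how the arguments arrive without needing a real compiler."""
    echo = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(echo + list(args), capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed input: an output name carrying a shell metacharacter.
    argv = build_compile_argv("cc", ["main.c"], "a.out; echo injected")
    print(argv_as_seen_by_child(argv[1:]))
    # -> ['main.c', '-o', 'a.out; echo injected']  (one literal argument)
```

With os.system() the same string would have been split by the shell at the semicolon; here the child receives it unchanged and the compiler simply fails to create an oddly named file.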