This guide explains OS Command injection in more detail.
CWE-78 describes OS Command Injection as follows:
"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
OS Command injection is, therefore, an attack whose goal is the execution of arbitrary commands on the host operating system.
These attacks are possible when an application passes unsafe user-supplied data (form fields, cookies, HTTP headers, command-line arguments, etc.) to a system shell. The injected commands run with the privileges of the vulnerable application.
The impact of a command injection attack ranges from loss of data confidentiality and integrity (for example, reading files the user has no right to access) to unauthorized remote access to the system that hosts the vulnerable application (deleting files, adding new users, and so on).
Unlike injection attacks tied to a specific language, such as SQL injection, command injection can occur on any OS (Windows and Unix-based) and affects any programming language that can call OS commands (C/C++, Java, PHP, etc.).
The first remediation should be to use API calls instead of external commands whenever possible, and to ensure that the application runs under a non-privileged account that has only the rights needed for the intended commands. If an external program really is required, invoke it directly with an argument vector rather than through a shell ("cmd.exe /C", "/bin/sh -c"), so that shell operators in the input are never interpreted.
The root cause of a command injection vulnerability is, however, incorrect or insufficient validation of input data by the application. Therefore, user input should always be validated before it reaches a command.
In the case of a web app, the URL and form data need to be sanitized for invalid characters. A blacklist
Let's have a look at this very basic example. As you can see, user data is collected through program arguments and used directly to construct an OS command.
```java
import java.io.IOException;
import java.io.InputStream;

public class commandInjection {
    public static void main(String[] args) throws InterruptedException, IOException {
        // Untrusted input: the first command-line argument (the source)
        String dir = args[0];
        Runtime rt = Runtime.getRuntime();
        // The argument is concatenated into a shell command line (the sink):
        // anything cmd.exe treats as an operator (&, |, >, <) is honoured
        Process proc = rt.exec("cmd.exe /C dir " + dir);
        int result = proc.waitFor();
        if (result != 0) {
            System.out.println("process error: " + result);
        }
        InputStream in = (result == 0) ? proc.getInputStream() : proc.getErrorStream();
        int c;
        while ((c = in.read()) != -1) {
            System.out.print((char) c);
        }
    }
}
```
It is easy to imagine the result of running this program with the following argument:
"c:\tmp > dir.txt & type c:\Windows\system.ini"
In this example the program will display the system.ini configuration file: the output of "dir c:\tmp" is redirected to dir.txt, and everything after the "&" runs as a second command with the privileges of the application. What matters is not the particular file shown but that the attacker now controls what gets executed on the attacked system. It is an open door, and an attacker will take full advantage of it.
If you use Kiuwan for Developers, you will be automatically alerted of the vulnerability, with an indication of the sink and the source of the injection.
As said above, checking user data against a whitelist containing only allowed characters (or against a list of permitted commands) remediates the vulnerability, because none of the shell operators used in the attack (space, "&", ">", "|") is on the list:
```java
import java.util.regex.Pattern;

// Only run the command when the argument consists solely of whitelisted characters
// ('dir' and 'rt' are the variables from the program above)
if (Pattern.matches("[0-9A-Za-z@.]+", dir)) {
    Process proc = rt.exec("cmd.exe /C dir " + dir);
}
```
Note that this particular whitelist also rejects backslash and colon, so a Windows path such as c:\tmp would be refused: the set of allowed characters has to match the legitimate input while still excluding every shell metacharacter. A whitelist is the right approach because it fails closed; a blacklist of "dangerous" characters fails open as soon as one is forgotten.
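As an added example (not code from this page or from Kiuwan), here is how the vulnerable program above can be rewritten in Java to follow both recommendations at once: the directory name is validated against an allow-list that admits no shell metacharacters or path separators, the listing is produced with the java.nio.file API instead of spawning cmd.exe, and, for the case where an external tool is unavoidable, the tool is started through ProcessBuilder with a separate argument vector rather than a shell command line. The root directory C:\data, the class name SafeDirListing and the external tool named lister are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SafeDirListing {

    // Allow-list for a single directory name: letters, digits, '_' and '-' only.
    // Shell operators (& | > < ^ "), whitespace, path separators and ".." are all
    // rejected, so the value can only ever name one child directory of ROOT.
    private static final Pattern DIR_NAME = Pattern.compile("[0-9A-Za-z_-]+");

    // Root below which listings are allowed (assumed value for this example).
    private static final Path ROOT = Paths.get("C:\\data");

    /** Returns true only if 'dir' is a plain directory name from the allow-list. */
    public static boolean isAllowedDirName(String dir) {
        return dir != null && DIR_NAME.matcher(dir).matches();
    }

    /**
     * Preferred fix: do not spawn a shell at all. The listing that
     * "cmd.exe /C dir" produced is available through the java.nio.file API.
     */
    public static List<String> listWithApi(String dir) throws IOException {
        if (!isAllowedDirName(dir)) {
            throw new IllegalArgumentException("rejected directory name: " + dir);
        }
        Path target = ROOT.resolve(dir).normalize();
        if (!target.startsWith(ROOT)) {          // defence in depth against traversal
            throw new IllegalArgumentException("outside root: " + target);
        }
        List<String> names = new ArrayList<>();
        try (DirectoryStream<Path> stream = Files.newDirectoryStream(target)) {
            for (Path p : stream) {
                names.add(p.getFileName().toString());
            }
        }
        return names;
    }

    /**
     * If an external program really is required, build the argument vector
     * yourself and never route it through "cmd.exe /C" or "/bin/sh -c".
     * Each element reaches the child as one argument, so '&' or '>' inside
     * 'dir' would be ordinary characters, not operators (and the allow-list
     * rejects them anyway).
     */
    public static ProcessBuilder buildListingCommand(String dir) {
        if (!isAllowedDirName(dir)) {
            throw new IllegalArgumentException("rejected directory name: " + dir);
        }
        // "lister" is a hypothetical external tool taking the directory as its only argument
        return new ProcessBuilder("lister", ROOT.resolve(dir).toString());
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign name, the attack string from the text, a traversal attempt
        String[] samples = {
            "tmp",
            "c:\\tmp > dir.txt & type c:\\Windows\\system.ini",
            ".."
        };
        for (String s : samples) {
            System.out.printf("%-50s allowed=%b%n", s, isAllowedDirName(s));
        }
        try {
            listWithApi(samples[1]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Succeeds only if C:\data\tmp exists on this machine
        try {
            System.out.println(listWithApi("tmp"));
        } catch (IOException e) {
            System.out.println("listing failed: " + e.getMessage());
        }
    }
}
```

Dropping the shell is what removes the vulnerability class; the allow-list and the root check are defence in depth. On Windows, a child started with ProcessBuilder still re-parses its own command line according to its runtime's quoting rules, which is a further reason to keep the validation even when no shell is involved.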
In Kiuwan, you can search rules covering OS Command Injection (CWE-78) filtering by
Kiuwan incorporates the following rules for OS Command Injection (CWE-78) for the following languages.
To obtain detailed information on functionality, coverage, parameterization, remediation, example codes, etc., follow the same steps as described in SQL Injection.
| Language | Rule code |
|---|---|
| Abap | OPT.ABAP.SEC.CommandInjection |
| C | OPT.C.CERTC.ENV04, OPT.C.CERTC.STR02 |
| C# | OPT.CSHARP.CommandInjection |
| C++ | OPT.CPP.CERTC.ENV04, OPT.CPP.CERTC.STR02 |
| Cobol | OPT.COBOL.SEC.OSCommandInjection |
| Java | OPT.JAVA.SEC_JAVA.CommandInjectionRule |
| Javascript | OPT.JAVASCRIPT.CommandInjection |
| Objective-C | OPT.OBJECTIVEC.DoNotUseSystem |
| PHP | OPT.PHP.CommandInjection |
| Python | OPT.PYTHON.SECURITY.CommandInjection |
| RPG IV | OPT.RPG4.SEC.OSCommandInjection |
| Swift | OPT.SWIFT.SECURITY.CommandInjection |