Command Injection
Description:
When an attacker attempts to execute system level commands
through a vulnerable web application. Applications are considered vulnerable to
the OS command injections.
Command Injection is an attack technique used for
unauthorized execution of operating system commands and it is also known as Os
command Injection. Command injection is an attack in which the goal is
execution of arbitrary commands on the host operating system via a vulnerable
application. Command injection attacks are possible when an application passes
unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system
shell.
In this attack, the attacker-supplied operating system
commands are usually executed with the privileges of the vulnerable
application.
These high-impact attacks basically involve the injecting of
malicious commands into valid commands. Meta-characters (&, |, //;) are
usually used to merge commands and create malicious OS Command Injections
Command injection attacks are possible largely due to
insufficient input validation.
This attack differs from Code Injection, in that code
injection allows attackers to add their own code that is then executed by the
application. In code injection, the attacker extends the default functionality
of the application without the necessity of executing system commands.
OS Command injection examples:
For demo purpose we are taking example on DVWA application.
In this example of the command injection vulnerability we
are using the ping functionality which is notoriously insecure on many routers.
A common function that passes an IP address the user specifies to the system's
ping command. Since it is possible to break out of the ping command or provoke
an error with useful information the attacker can use this functionality to
execute his own commands.
In the above example, first the ping command is executed and
directly after that the dir command is executed, therefore the response shown on
the page.
We are putting 127.0.0.1
&& dir in ping functionality (Injection point) in above example. As
u see we have get ping response and directory of server response. It is
vulnerable to command execution.
Preventing Command Injection:
There are several strategies for avoiding and/or mitigating
Command Injection vulnerabilities. In
order of importance, they are: Preventing command injection is similar to
preventing SQL injection.
The developer must escape the user input appropriately
before running a command with that input. It may seem like escaping semicolon
(;) to backslash-semicolon (\;) would fix the problem. However, the attacker
could use double-ampersand (&&) or possibly double-bar (||) instead of
the semicolon. The escaping routine is heavily dependent on the shell executing
the command. So developers should use an escape routine for the shell command
rather than creating their own routine.
Validate untrusted inputs.
Use “whitelist
validation”, which means that the application verifies that the input conforms
to what it accepts and rejects everything else.
Input Validation can
include validation of the inputs:
Character set
Minimum and maximum length
Numeric bounds
Date bounds
Match to a Regular Expression Pattern
Membership in a discrete set (e.g. US States, list of
colors, salutations, etc. )
Neutralize meta-characters that have meaning in the target
OS command-line:
Implement “Least Privilege”: Although it will not help
prevent or avoid Command Injection vulnerabilities, restricting the power (i.e.
permissions) of the account used to execute OS commands will help mitigate the
potential damage.
Thank you.
Note: Information showing on this blog is only use for educational purpose.
No comments