Command injection (or OS Command Injection) is a type of injection where the software, that constructs a system command using externally influenced input, does not correctly neutralizes the input from special elements that can modify the initially intended command.
For example, if the supplied value is: Black friday capture one.
The command and each of the arguments are passed separately. This make it easy to validated each term and reduces the risk to insert malicious strings. ProcessBuilder pb = new ProcessBuilder( 'TrustedCmd', 'TrustedArg1', 'TrustedArg2' ); Map env = pb.environment; pb.directory( new File( 'TrustedDir' )); Process p = pb.start. JSON Web Token (JWT) Cheat Sheet for Java; Input Validation; Insecure Direct Object Reference Prevention; JAAS; Key Management; LDAP Injection Prevention; Logging; Mass Assignment Cheat Sheet.NET Security; OS Command Injection Defense Cheat Sheet; OWASP Top Ten; Password Storage; Pinning; Query Parameterization; REST Security; Ruby on Rails.
when typed in a Windows command prompt, the application Calculator is displayed.
However, if the supplied value has been tempered with, and now it is:
Command injection is a serious vulnerability that allows malicious actors to execute commands on the host operating system. This vulnerability is typically discovered using common security tools and scanners, such as Burp Suite. TCell protects your application from command injection attacks by monitoring all commands that your application issues to the operating system,. OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
When execute, it changes the meaning of the initial intended value.
Now, both the Calculator application and the value test are displayed:
The problem is exacerbated if the compromised process does not follow the principle of least privilege principle and attacker-controlled commands end up running with special system privileges that increases the amount of damage.
Defense Option 1: Avoid calling OS commands directly
The primary defense is to avoid calling OS commands directly. Built-in library functions are a very good alternative to OS Commands, and they cannot be manipulated to perform tasks other than those it is intended to do.
For example use
mkdir()
instead of system(“mkdir /dir_name”)
.If there are available libraries or APIs for the language you used, this is the preferred method.
Defense option 2: Escape values added to OS commands specific to each OS
TODO: To enhance.
For examples, see escapeshellarg() or escapeshellcmd() in PHP.
Defense option 3: Parametrization in conjunction with Input Validation
If it is considered unavoidable the call to a system command incorporated with user-supplied, the following two layers of defense should be used within software in order to prevent attacks
Layer 1
Parametrization: If available, use structured mechanisms that automatically enforce the separation between data and command. These mechanisms can help to provide the relevant quoting, encoding.
Layer 2
Input validation: The values for commands and the relevant arguments should be both validated. There are different degrees of validation for the actual command and its arguments:
- When it comes to the commands used, these must be validated against a whitelist of allowed commands.
- In regards to the arguments used for these commands, they should be validated using the following options:
- Positive or whitelist input validation: Where are the arguments allowed explicitly defined.
- White list Regular Expression: Where is explicitly defined a whitelist of good characters allowed and the maximum length of the string. Ensure that metacharacters like ones specified in
Note A
and white-spaces are not part of the Regular Expression. For example, the following regular expression only allows lowercase letters and numbers, and does not contain metacharacters. The length is also being limited to 3-10 characters:^[a-z0-9]{3,10}$
Note A:
On top of primary defences, parameterizations and input validation, we also recommend adopting all of these additional defenses in order to provide defense in depth.
These additional defenses are:
- Applications should run using the lowest privileges that are required to accomplish the necessary tasks.
- If possible, create isolated accounts with limited privileges that are only used for a single task.
Java
In Java, use ProcessBuilder and the command must be separated from its arguments.
Note about the Java's
Runtime.exec
method behavior:There are many sites that will tell you that Java's
Runtime.exec
is exactly the same as C
's system function. This is not true. Both allow you to invoke a new program/process. However,
C
's system function passes its arguments to the shell (/bin/sh
) to be parsed, whereas Runtime.exec
tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec
does NOT try to invoke the shell at any point and do not support shell metacharacters. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using
&
, &&
, |
, ||
, etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter.Code to test the note above:
Result of the test:
Incorrect usage:
In this example, the command together with the arguments are passed as a one string, making easy to manipulate that expression and inject malicious strings.
Correct Usage:
Here is an example that starts a process with a modified working directory. The command and each of the arguments are passed separately. This make it easy to validated each term and reduces the risk to insert malicious strings.
.Net
In .Net use System.Diagnostics.Process.Start to call underlying OS functions.
PHP
In PHP use escapeshellarg() or escapeshellcmd() rather than exec(), system(), passthru().
Description of Command Injection Vulnerability
- OWASP Command Injection.
How to Avoid Vulnerabilities
- C Coding: Do not call system().
How to Review Code
- OWASP Reviewing Code for OS Injection.
How to Test
- OWASP Testing Guide article on Testing for Command Injection).
External References
- CWE Entry 77 on Command Injection.
Katy Anton - [email protected]
Jim Manico - [email protected]
An Operating System (OS) command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable web application. Applications are considered vulnerable to the OS command injections if they can be manipulated into executing unauthorized system commands via the web interface.
What is OS Command injection?
These high-impact attacks basically involve the injecting of malicious commands into valid commands. Meta-characters (&, |, //;) are usually used to merge commands and create malicious OS Command Injections.
Just like SQL injections, OS Command injections can be either blind or error-based, with error-based ones being more severe due to their transparent and obvious nature.
OS Command injection examples
This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.
}
Suppose an attacker provides a domain name like this: cwe.mitre.org%20%3B%20/bin/ls%20-l
Os Command Injection Cheat Sheet 2019
The “%3B” sequence decodes to the “;” character, and the %20 decodes to a space. The open() statement would then process a string like this: /path/to/nslookup cwe.mitre.org ; /bin/ls -l
As a result, the attacker executes the “/bin/ls -l” command and gets a list of all the files in the program’s working directory. To make matters worse, a more dangerous payload can be crafted to perform more severe malicious actions.
This code didn’t validate or sanitize the user input before using it in the execute command. Hence the attacker was able to run the desired command on the server.
This code didn’t validate or sanitize the user input before using it in the execute command. Hence the attacker was able to run the desired command on the server.
How to prevent OS Command Injection attacks?
Ideally, a developer should use existing APIs for their relevant programming languages.
For example, while programming with Java, the developer should use the available Java API located at javax.mail.*. If no such available API exists, the developer should validate the input using Regex or a whitelist of accepted values. This is much better than using Runtime.exec() (see code below) to issue a ‘mail’ command.
When it’s not technically possible to remove the command execution, the best way to stay protected is to execute only static strings that do not include user input.
Preventing OS Command Injection attacks with CxSAST
Os Command Injection Reverse Shell
CxSAST searches and warns about any user input that affects a command execution without being validated or sanitized beforehand.