Scribd
Upload
6 views6 pages

OS Command Injection

Uploaded by

Vojislav Pavlovic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
6 views6 pages

OS Command Injection

Uploaded by

Vojislav Pavlovic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

OS COMMAND INJECTION

What is OS Command Injection?


OS Command Injection, also known as shell injection, is a type of web security vulnerability
that allows an attacker to execute arbitrary operating system (OS) commands on the server
hosting the application. This is typically achieved by manipulating input data to include OS
commands, which the application then inadvertently passes to a system command interpreter.

Example

The following code is a wrapper around the UNIX command cat which
prints the contents of a file to standard output. It is also injectable:

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {


char cat[] = "cat ";
char *command;
size_t commandLength;

commandLength = strlen(cat) + strlen(argv[1]) + 1;


command = (char *) malloc(commandLength);
strncpy(command, cat, commandLength);
strncat(command, argv[1], (commandLength - strlen(cat)) );

system(command);
return (0);
}

Used normally, the output is simply the contents of the file requested:

$ ./catWrapper Story.txt
When last we left our heroes...

However, if we add a semicolon and another command to the end of this


line, the command is executed by catWrapper with no complaint:
$ ./catWrapper "Story.txt; ls"
When last we left our heroes...
Story.txt doubFree.c nullpointer.c
unstosig.c www* a.out*
format.c strlen.c useFree*
catWrapper* misnull.c strlength.c useFree.c
commandinjection.c nodefault.c trunc.c writeWhatWhere.c

If catWrapper had been set to have a higher privilege level than the standard
user, arbitrary commands could be executed with that higher privilege

How do you find it?


Finding OS Command Injection vulnerabilities involves a systematic approach to input
validation testing. This includes:

1. Identifying all user-supplied data, including URL parameters, form fields, and headers.

2. Testing these inputs with a variety of payloads that could indicate the presence of a
command injection vulnerability. For example, attempting to inject OS commands
using metacharacters such as ;, &, |, and >.

3. Observing the application's behavior for any signs of command execution, such as
unexpected system responses or delays.

What is the difference between Command Injection and Code Injection?


Command Injection and Code Injection are two different types of vulnerabilities that can
occur in software applications.

Command Injection is a type of vulnerability that allows an attacker to execute arbitrary


system commands on the underlying operating system. This is typically achieved by injecting
operating system commands through an input field or parameter in the application. The
impact of Command Injection can be severe, as it can lead to unauthorized access, data theft,
and system compromise.

Code Injection, on the other hand, is a type of vulnerability that allows an attacker to inject
and execute arbitrary code in the application's runtime environment. This is typically achieved
by exploiting a vulnerability in the application's input validation or parsing mechanisms. The
impact of Code Injection can also be severe, as it can lead to unauthorized access, data theft,
and system compromise.

The main difference between Command Injection and Code Injection is the type of code that
is executed. In Command Injection, the attacker executes operating system commands, while
in Code Injection, the attacker executes application-level code.

Another key difference is that Command Injection typically requires the attacker to have a
lower level of knowledge about the target system, as they can simply inject and execute
operating system commands. Code Injection, on the other hand, typically requires the
attacker to have a higher level of knowledge about the target application and its runtime
environment, as they need to inject and execute application-level code.

Examples of Command Injection include injecting operating system commands through an


input field in a web application, while examples of Code Injection include injecting and
executing malicious code in an application's runtime environment, such as injecting SQL code
in a SQL injection attack.

To prevent Command Injection and Code Injection, it is important to perform proper input
validation, sanitization, and output encoding, and to use secure coding practices such as
parameterized queries and input/output filtering. It is also important to keep software up-to-
date and to apply security patches promptly.

What is the impact?


OS Command Injection is a type of vulnerability that occurs when an application passes user-
inputted data to a system shell or command interpreter without proper sanitization or
validation. This allows an attacker to inject malicious system commands, potentially leading
to unauthorized access, data tampering, or even complete system compromise.

Impact of OS Command Injection:

1. Data Tampering

An attacker can inject commands to modify or delete sensitive data, leading to data loss or
corruption.

2. Unauthorized Access

Malicious commands can be injected to gain unauthorized access to the system, allowing an
attacker to escalate privileges or access restricted areas.

3. System Compromise
In extreme cases, an attacker can inject commands to take control of the entire system,
leading to a complete compromise of the system's security.

4. Denial of Service (DoS)

An attacker can inject commands to consume system resources, leading to a denial of service
or system crash.

5. Lateral Movement

An attacker can use OS Command Injection to move laterally within the system, accessing
other systems or networks.

How do you mitigate it?


Mitigating OS Command Injection vulnerabilities involves several best practices:

1. Input validation: Thoroughly validate all user-supplied data to ensure it conforms to


expected formats and does not contain any potentially harmful characters.

2. Least privilege principle: Run web applications and services with the minimum
necessary privileges, limiting the potential impact of any successful command
injection attacks.

3. Secure APIs: Use secure APIs and libraries wherever possible, rather than directly
invoking OS commands.

4. Defensive coding: Implement defensive coding practices, such as using


parameterized queries and avoiding the use of system() or eval() functions.

5. Regular updates and patching: Keep all systems, applications, and libraries up-to-
date and apply security patches promptly.
References
1. OWASP - Command Injection: https://owasp.org/www-
community/attacks/Command_Injection

2. PortSwigger Web Security - OS Command Injection: https://portswigger.net/web-


security/os-command-injection

3. MITRE - Command Injection (CWE-78): https://cwe.mitre.org/data/definitions/78.html

4. SANS - Command Injection Cheat


Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Command_Injection_Prevention_
Cheat_Sheet.html

5. NIST - Command Injection


Vulnerabilities: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
114r1.pd

Mokshith
Intern Trainee
CyberSapiens

You might also like