Command Injection (shell command injections)

-




 Malicious code injected and executed in any OS or program typically web servers. It occurs when the program has no input validation

- The input from the users are used whether directly or indirectly as parameters to the later system command function call such as exec() or system() by the program to
    - send confirmation/notification emails, or
    - create directory to host users submitted data


Consequences
    - Attacker can run any arbitrary(code of choice) code to the target machine
    - Victim Machine can be hijacked
    - Credentials can be stolen

- With command injection, the hackers can read out the local passwords and credentials (such as database access accounts) managed by the web server.

- Because the web server is typically run with apache or nobody account, it cannot read /etc/shadow which is owned by root account and contains Unix system passwords.


Who can do this: Any one can do this. It does not require programming. Any one with the reach of the web site can attack.

Security Weakness in terms of prevalence: It appears in many legacy web app code, including server side scripts with OS function calls, SQL queries.

Technical Impacts: It can result in data loss or corruption. It can result in complete host take over (hijacked).

Types:
    1. Command Injections
    2. Cross Site Scripting (XSS)
    3. LDAP Injections
    4. XPath Injections


Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.

shell command injections” or “OS (Operating System) command injections”, because this type of attack, occurs when the application invokes the operating system shell (shell commands on Unix Based Systems, command prompt shell on Windows).

Command injection vulnerabilities can be also found in IoT devices. As a matter of fact, while other types of code injection are not relevant in IoT, such as SQL injections, since these devices do not include a database.
This is due to the fact that IoT devices run an embedded OS (i.e., typically Linux), thus executing system commands.

SHELLSHOCK bug is an example of command injection which was discovered in 2014.

Apart from Shellshock, in the past many well-known and widely deployed web applications have been discovered to be vulnerable to command injection attacks including Citrix Access Gateway, Symantec Web Gateway, IBM Tealeaf CX and Sophos Web Protection Appliance.

The above observations are clear indications that command injections attacks are one of the most dangerous class of code injections attacks that can be found nearly in all network devices that handle input data.


Command injection attacks are OS-independent that can occur in Windows, Linux, or Unix operating systems as well as programming language-independent that may occur in applications written in various programming languages (such as C, C++, C#, JAVA, PHP, Perl, Python, Ruby etc.) or web-based applications written in Web Application Frameworks (such as ASP.NET, CGI, Python Django, Ruby on Rails etc.). The main reason that an application is vulnerable to command injection attacks is due to incorrect or complete lack of input data validation by the application itself.

Types:

1. Results-basedcommand injections


the data is retrieved after the execution of the injected shell command.
Attacker can directly infer the result of the injected command through the response of the web application.

1.1. Classicresults-basedcommand injection
attacker makes use of several common operators, which either concatenate the initial genuine commands with the injected ones or exclude the initial genuine commands executing only the injected ones.

2. Dynamic code injection
it

happens when a the vulnerable we application uses the “eval()” function that is used to execute the given code at the runtime.

what is eval() 
eval()”function is used to interpret a given string as code. The “eval()”function is provided by many interpreted languages such as Java, Javascript, Python, Perl, PHP and Ruby.


3. Blind command injection


Sometimes when an attacker injects the shell code, it executes but it returns no result so in this case he/she uses two technique of blind command injection. Time bases, File bases technique.

1.2. Time based technique or sleep()
an attacker injects a and executes a command but the execution will delay according to the given time period. by measuring the time of its response, attacker will be able to identify that the application is vulnerable to time bases command.

4. File based

How to Prevent OS Command injection?


  • First. Implement input validation. Exit right away when detecting patterns outside the range of the legitimate inputs. 
  • Validating against a whitelist of permitted values that make sure that these malicious characters are not among the whitelisted (& and |).
  • Validating that the input is a number.
  • Validating that the input contains only alphanumeric characters, no other syntax or whitespace.

Cyber Security Design Pattern for Avoiding Command Injection Vulnerability


Cyber Security Design Pattern for Avoiding Command Injection Vulnerability


Two rules in this Cyber Security Design Pattern A:
  1. First. Implement input validation. Exit right away when detecting patterns outside the range of the legitimate inputs.
  2. Second. Replace generic system() or exec() type calls with equivalent of specific API such as mail(), mkdir() where the parameters cannot be interpreted as OS commands.


Regular Expression for validating email 


if(!preg_match("/^[a-zA-Z0-9.]+\@[a-zA-Z0-9.]+$/", $email)) {print "incorrect email format. </body></html>";
exit(0);

  • Preg_match is a function call available on php (a server side script langugae with syntax similar to C)
  • "/^[a-z-A-Z0-9.]+\@[a-zA-Z0-9.]+$/" is the pattern allowed. The email input must have @ in the middle. &, | are not allowed.
  • If the pattern does not match, the program exit right away!!


Reference: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection

 Tool to detect OS command injection      
Commixis:
is capable of detecting, with high success rate, whether a web application is vulnerable to command injection attacks.

Comments

Post a Comment

Popular posts from this blog

Solving Computer Forensics Case Using Autopsy

-
Image
  Computer Forensics is the well-planned series of procedures and techniques used for obtaining evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. This article focused on a particular case and a forensic tool to give you a ‘feel’ of what computer forensics investigations are like. However, it is in no way comprehensive enough to cover the variety of problems and complications faced by the investigator.   Scenario  A complaint was made to the authorities describing alleged Wi-Fi hacking activity. When the authorities reached the spot, they found an abandoned Dell computer which is suspected that this computer was used for hacking purposes. Schardt uses "Mr.Evil" nickname when he goes online. He is also accused of parking his car in wireless range (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numb...
Read more

Pentesting - Exploitation Guide Metasploitable 1

-
Image
Metasploitable Metasploitable is an Ubuntu 8.04 server installed on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software. You can grab your copy at Vulnhub – Metasploitable I used Kali Linux for attacking and VirtualBox for virtualization. Information Gathering nmap is a great tool for scanning ports and finding network services on a machine. We will run nmap with the following options: -sV to probe open ports for service and version info -O to fingerprint and try to guess the operating system -p1-65535 to do a complete port scan root@kali:~# nmap -sV -O 192.168.0.14 -p1-65535 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-12 16:46 MDT Nmap scan report for 192.168.0.14 Host is up (0.00073s latency). Not shown: 65522 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.1 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open...
Read more

The Main Cyber Threats Facing the Aviation Industry

-
Image
  Introduction The aviation industry, one of the most critical sectors in global transportation, is heavily dependent on interconnected technologies, which also makes it a lucrative target for cybercriminals. With each advancement in technology, there comes a new set of cyber risks that threaten the confidentiality, integrity, and availability of essential systems in the aviation ecosystem. The consequences of cyberattacks on the aviat ion industry can be catastrophic, ranging from flight delays to data breaches, physical harm to passengers, and even financial devastation for airlines and airports. As technology continues to evolve in aviation, so too do the cybersecurity challenges. In this comprehensive blog, we will explore the major cyber threats in the aviation industry and dive into best practices, standards, and risk assessments to mitigate these threats. 1. Overview of Cyber Threats in Aviation The aviation industry is complex, involving many interdependent systems such as ...
Read more