Command Injection (shell command injections)

Malicious code is injected and executed on an OS or program, typically a web server. It occurs when the program has no input validation.

- The input from users is used, directly or indirectly, as a parameter to a later system command call such as exec() or system(), which the program uses to
    - send confirmation/notification emails, or
    - create a directory to host user-submitted data


Consequences
    - The attacker can run arbitrary code (code of their choice) on the target machine
    - The victim machine can be hijacked
    - Credentials can be stolen

- With command injection, an attacker can read the local passwords and credentials (such as database access accounts) managed by the web server.

- Because the web server typically runs under the apache or nobody account, it cannot read /etc/shadow, which is owned by the root account and contains the Unix system passwords.


Who can do this: Anyone. It does not require programming; anyone who can reach the web site can attack it.

Security weakness in terms of prevalence: It appears in much legacy web application code, including server-side scripts with OS function calls and SQL queries.

Technical impacts: It can result in data loss or corruption, and in complete host takeover (hijacking).

Types:
    1. Command Injections
    2. Cross Site Scripting (XSS)
    3. LDAP Injections
    4. XPath Injections


Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

They are also called “shell command injections” or “OS (operating system) command injections”, because this type of attack occurs when the application invokes the operating system shell (shell commands on Unix-based systems, the command prompt on Windows).

Command injection vulnerabilities can also be found in IoT devices. In fact, other types of code injection, such as SQL injection, are not relevant in IoT, since these devices do not include a database. Command injection is relevant because IoT devices run an embedded OS (typically Linux) and thus execute system commands.

The Shellshock bug, discovered in 2014, is an example of command injection.

Apart from Shellshock, many well-known and widely deployed web applications have in the past been found vulnerable to command injection attacks, including Citrix Access Gateway, Symantec Web Gateway, IBM Tealeaf CX and Sophos Web Protection Appliance.

The above observations are clear indications that command injection attacks are one of the most dangerous classes of code injection attacks, and that they can be found in nearly all network devices that handle input data.


Command injection attacks are OS-independent: they can occur on Windows, Linux or Unix operating systems. They are also programming-language-independent: they may occur in applications written in various programming languages (such as C, C++, C#, Java, PHP, Perl, Python, Ruby, etc.) or in web applications built on web application frameworks (such as ASP.NET, CGI, Python Django, Ruby on Rails, etc.). The main reason an application is vulnerable to command injection is incorrect or completely missing input data validation by the application itself.

Types of command injection:

1. Results-based command injections

The data is retrieved after the execution of the injected shell command. The attacker can directly infer the result of the injected command from the response of the web application.

1.1. Classic results-based command injection
The attacker makes use of several common operators, which either concatenate the initial genuine commands with the injected ones or exclude the initial genuine commands, executing only the injected ones.

2. Dynamic code injection
Happens when the vulnerable web application uses the “eval()” function, which executes the given code at runtime.

What is eval()?
The “eval()” function is used to interpret a given string as code. It is provided by many interpreted languages such as Java, JavaScript, Python, Perl, PHP and Ruby.


3. Blind command injection

Sometimes when an attacker injects a shell command, it executes but returns no result. In this case he/she uses one of two blind command injection techniques: time-based or file-based.

3.1. Time-based technique (sleep())
The attacker injects and executes a command whose execution is delayed by a given time period. By measuring the response time, the attacker can identify that the application is vulnerable to time-based command injection.

3.2. File-based technique

How to prevent OS command injection?

  • First, implement input validation. Exit right away when detecting patterns outside the range of the legitimate inputs.
  • Validate against a whitelist of permitted values, making sure that malicious characters (& and |) are not among the whitelisted ones.
  • Validate that the input is a number.
  • Validate that the input contains only alphanumeric characters, with no other syntax or whitespace.

Cyber Security Design Pattern for Avoiding Command Injection Vulnerability

Two rules in this Cyber Security Design Pattern A:
  1. First, implement input validation. Exit right away when detecting patterns outside the range of the legitimate inputs.
  2. Second, replace generic system() or exec() type calls with the equivalent specific API, such as mail() or mkdir(), where the parameters cannot be interpreted as OS commands.


Regular expression for validating email

// Whitelist check: only letters, digits and dots on either side of a single @
if (!preg_match("/^[a-zA-Z0-9.]+\@[a-zA-Z0-9.]+$/", $email)) {
    print "incorrect email format. </body></html>";
    exit(0);
}

  • preg_match is a function call available in PHP (a server-side scripting language with syntax similar to C).
  • "/^[a-zA-Z0-9.]+\@[a-zA-Z0-9.]+$/" is the pattern allowed. The email input must have an @ in the middle; & and | are not allowed.
  • If the pattern does not match, the program exits right away.
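As an added illustration of the two rules of Design Pattern A (this is example code, not code from the original page): the page's email regex as a whitelist check, a hypothetical upload-directory handler that splices the user value into a mkdir shell string (the vulnerable style, returned for inspection only and never executed), and the hardened form that validates and then calls os.makedirs instead of system(). The /srv/uploads base path and the alphanumeric directory-name rule are assumptions.

```python
import os
import re
import tempfile

# Whitelist patterns. EMAIL_RE is the page's PHP pattern; DIRNAME_RE is an
# assumed rule for user-chosen directory names (alphanumeric only, no
# whitespace). Neither class admits "&", "|", ";" or spaces, so shell
# metacharacters are refused before any command could be assembled.
EMAIL_RE = re.compile(r"^[a-zA-Z0-9.]+@[a-zA-Z0-9.]+$")
DIRNAME_RE = re.compile(r"^[a-zA-Z0-9]+$")


def is_valid_email(email: str) -> bool:
    """Rule 1: refuse anything outside the legitimate pattern."""
    return EMAIL_RE.fullmatch(email) is not None


def unsafe_mkdir_command(dirname: str) -> str:
    """The vulnerable style: the user value is spliced into a shell command
    string that would then be handed to system(). Returned for inspection
    only; it is never executed here."""
    return "mkdir /srv/uploads/" + dirname  # assumed base path


def create_upload_dir(base: str, dirname: str) -> str:
    """Rule 2: validate, then use the specific API (os.makedirs, the
    equivalent of mkdir()) instead of system(). No shell is involved, so the
    parameter cannot be interpreted as an OS command."""
    if DIRNAME_RE.fullmatch(dirname) is None:
        raise ValueError("directory name outside the permitted pattern")
    path = os.path.join(base, dirname)
    os.makedirs(path, exist_ok=False)
    return path


def make_temp_base() -> str:
    """Fresh scratch directory so the example can run anywhere."""
    return tempfile.mkdtemp()


def dir_exists(base: str, dirname: str) -> bool:
    return os.path.isdir(os.path.join(base, dirname))


if __name__ == "__main__":
    base = make_temp_base()
    print("created:", create_upload_dir(base, "alice42"))
    for value in ("alice42", "alice&bob", "data|2024", "a b"):
        print(repr(value), "accepted" if DIRNAME_RE.fullmatch(value) else "rejected")
```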


Reference: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection

Tool to detect OS command injection
Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks.
