OS Command Injection |
| Attack Pattern ID: 88 (Standard Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
DescriptionSummary
An attacker can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Attack Execution Flow
Identify inputs for OS commands:
The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
env-Local env-CommProtocol env-Peer2Peer env-ClientServer2 TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.
env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web3 Induce errors to find informative error messages
env-AllIndicators
ID type Indicator Description Environments 1 Positive The target software accepts connections via the network.
env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServerOutcomes
ID type Outcome Description 1 Success Operating environment (operating system, language, and/or middleware) is correctly identified.2 Inconclusive Multiple candidate operating environments are suggested.Security Controls
ID type Security Control Description 1 Preventative Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).2 Preventative Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.3 Detective Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.Survey the Application:
The attacker surveys the target application, possibly as a valid and authenticated user
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Spidering web sites for all available links
env-Web2 Inventory all application inputs
env-AllIndicators
ID type Indicator Description Environments 1 Positive Attacker develops a list of valid inputs
env-AllOutcomes
ID type Outcome Description 1 Success The attacker develops a list of likely command delimiters.Security Controls
ID type Security Control Description 1 Detective Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).2 Detective Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.3 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be automated.4 Detective Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Vary inputs, looking for malicious results.:
Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
Attack Step Techniques
ID Attack Step Technique Description Environments 1 SecurityDatabase\Alert\Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
env-CommProtocol env-Web env-Peer2Peer env-ClientServer2 SecurityDatabase\Alert\Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
env-WebIndicators
ID type Indicator Description Environments 1 Positive Inventorying in prior step is successful.
env-AllOutcomes
ID type Outcome Description 1 Success One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Execute malicious commands:
The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-All2 The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-All3 The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-AllOutcomes
ID type Outcome Description 1 Success The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity.Security Controls
ID type Security Control Description 1 Preventative Make commonly exploited administrative tools log their execution.2 Preventative Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.)
Attack PrerequisitesUser controllable input used as part of commands to the underlying operating system.
Typical Likelihood of ExploitLikelihood: High
There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields.
Methods of Attack- Injection
- API Abuse
Examples-InstancesDescription
A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.
An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.
Related Vulnerabilities
A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system.
The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line.
This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).
Attacker Skills or Knowledge RequiredSkill or Knowledge Level: High
The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.
Solutions and MitigationsUse language APIs rather than relying on passing data to the oeprating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.
Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands
All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.
Attack Motivation-Consequences- Run Arbitrary Code
- Privilege Escalation
- Information Leakage
Injection VectorUser-controllable input used as part of operating system commands
PayloadOperating system commands injected by the attacker, intended to escalate privilege or divulge information
Activation ZoneUnderlying operating system hosting the exploited application.
Payload Activation ImpactThe injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application.
Related Weaknesses| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | Targeted |
| 88 | Argument Injection or Modification | Secondary |
| 20 | Improper Input Validation | Secondary |
| 697 | Insufficient Comparison | Targeted |
| 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
Related Attack Patterns| Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
|---|---|---|---|---|---|
| ChildOf |  Attack Pattern | 15 | Command Delimiters | Mechanism of Attack (primary)1000 | |
| ChildOf |  Category | 364 | WASC Threat Classification 2.0 - WASC-31 - OS Commanding | WASC Threat Classification 2.0333 |
Related Security PrinciplesLeast Privilege
Reluctance To Trust
Related GuidelinesNever Use Unvalidated Input as Part of a Directive to any Internal Component
Purposes- Penetration
- Exploitation
CIA Impact Technical Context| Architectural Paradigms | All |
|---|---|
| Frameworks | All |
| Platforms | All |
| Languages | All |
ReferencesSecunia Advisory SA16869: Firefox Command Line URL Shell Command Injection
Content History| Submissions | ||||
|---|---|---|---|---|
| Submitter | Date | Comments | ||
| Chiradeep B. Chhaya | 2007-03-16 | First Draft | ||
| Modifications | |||||
|---|---|---|---|---|---|
| Modifier | Organization | Date | Comments | ||
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise | ||
