Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
Weakness ID: 78 (Weakness Base) | Status: Draft |
Description Summary
Extended Description
This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process fails to follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.
There are at least two subtypes of OS command injection:
1) The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing.
2) The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line.
From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
The "OS command injection" phrase carries different meanings to different people. For some, it refers to any type of attack that can allow the attacker to execute OS commands of his or her choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. For others, it only refers to the first variant, in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an "-exec" switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX "find" command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78. |
Scope | Effect |
---|---|
Confidentiality Integrity Availability Non-Repudiation | Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. |
Automated Static Analysis This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis. |
Manual Static Analysis Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. Effectiveness: High |
Example 1
This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.
Suppose an attacker provides a domain name like this:
The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this:
As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.
Example 2
The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.
If an attacker has control over this property, then he or she could modify the property to point to a dangerous program.
Reference | Description |
---|---|
CVE-1999-0067 | Canonical example. CGI program does not sanitize "|" metacharacter when invoking a phonebook program. |
CVE-2001-1246 | Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no sanitization against this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. |
CVE-2002-0061 | Web server allows command execution using "|" (pipe) character. |
CVE-2003-0041 | FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. |
CVE-2008-2575 | Shell metacharacters in a filename in a ZIP archive |
CVE-2002-1898 | Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. |
CVE-2008-4304 | OS command injection through environment variable. |
CVE-2008-4796 | OS command injection through https:// URLs |
CVE-2007-3572 | Chain: incomplete blacklist for OS command injection |
Phase: Architecture and Design If at all possible, use library calls rather than external processes to recreate the desired functionality. |
Phase: Architecture and Design Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which commands can be executed by your software. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. |
Phase: Architecture and Design For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the command locally in the session's state instead of sending it out to the client in a hidden form field. |
Phase: Architecture and Design Use languages, libraries, or frameworks that make it easier to generate properly encoded output. Examples include the ESAPI Encoding control. |
Phase: Implementation Properly quote arguments and escape any special characters within those arguments. If some special characters are still needed, wrap the arguments in quotes, and escape all other characters that do not pass a strict whitelist. Be careful of argument injection (CWE-88). |
Phase: Implementation If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line. |
Phase: Implementation If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments. |
Phase: Implementation Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue." When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. |
Phases: Testing; Implementation Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. |
Phase: Testing Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. |
Phase: Operation Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force you to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). |
Phase: Operation Use runtime policy enforcement to create a whitelist of allowable commands, then prevent use of any command that does not appear in the whitelist. Technologies such as AppArmor are available to do this. |
Phase: System Configuration Assign permissions to the software system that prevent the user from accessing/opening privileged files. Run the application with the lowest privileges possible (CWE-250). |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 727 | OWASP Top Ten 2004 Category A6 - Injection Flaws | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | Category | 744 | CERT C Secure Coding Section 10 - Environment (ENV) | Weaknesses Addressed by the CERT C Secure Coding Standard734 |
ChildOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750 |
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
CanAlsoBe | Weakness Base | 88 | Argument Injection or Modification | Research Concepts1000 |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary)630 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary)635 |
CanFollow | Weakness Base | 184 | Incomplete Blacklist | Research Concepts1000 |
More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | OS Command Injection | ||
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution |
OWASP Top Ten 2004 | A6 | CWE More Specific | Injection Flaws |
CERT C Secure Coding | ENV03-C | Sanitize the environment when invoking external programs | |
CERT C Secure Coding | ENV04-C | Do not call system() if you do not need a command processor | |
CERT C Secure Coding | STR02-C | Sanitize data passed to complex subsystems | |
WASC | 31 | OS Commanding |
A weakness where the code path has: 1. start statement that accepts input 2. end statement that executes an operating system command where a. the input is used as a part of the operating system command and b. the operating system command is undesirable Where "undesirable" is defined through the following scenarios: 1. not validated 2. incorrectly validated |
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02. |
Pascal Meunier. "Meta-Character Vulnerabilities". 2008-02-20. <http://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf>. |
Robert Auger. "OS Commanding". 2009-06. <http://projects.webappsec.org/OS-Commanding>. |
Lincoln Stein and John Stewart. "The World Wide Web Security FAQ". chapter: "CGI Scripts". 2002-02-04. <http://www.w3.org/Security/Faq/wwwsf4.html>. |
Jordan Dimov, Cigital. "Security Issues in Perl Scripts". <http://www.cgisecurity.com/lib/sips.html>. |
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 10: Command Injection." Page 171. McGraw-Hill. 2010. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Sean Eidemiller | Cigital | External | |
added/updated demonstrative examples | ||||
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-08-01 | KDM Analytics | External | ||
added/updated white box definitions | ||||
2008-08-15 | Veracode | External | ||
Suggested OWASP Top Ten 2004 mapping | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Taxonomy Mappings | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Description | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Observed Examples, Relationships, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Demonstrative Examples, Description, Likelihood of Exploit, Name, Observed Examples, Other Notes, Potential Mitigations, Relationships, Research Gaps, Terminology Notes | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Name, Related Attack Patterns | ||||
2009-07-17 | KDM Analytics | External | ||
Improved the White Box Definition | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Description, Name, White Box Definitions | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Observed Examples, References | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Detection Factors | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | OS Command Injection | |||
2009-01-12 | Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') | |||
2009-05-27 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') | |||
2009-07-27 | Failure to Preserve OS Command Structure ('OS Command Injection') | |||