Command Injection Vulnerability and Mitigation

Command injection is the injection of operating system commands that are then executed through a web application. The purpose of a command injection attack is to inject and execute commands chosen by the attacker inside the vulnerable application. In such a situation the application, which executes the unwanted system commands, behaves like a pseudo system shell, and the attacker may use it as if they were an authorized system user. The injected commands, however, run with the same privileges and environment as the web application itself. Command injection attacks are possible due to a lack of correct validation of input data that the attacker can manipulate (forms, cookies, HTTP headers, etc.).

Command injection is a variant of the code injection attack. In code injection, the attacker adds their own code to the existing code, and the injected code is executed with the same privileges and environment as the application has.

An OS command injection attack occurs when an attacker attempts to execute system-level commands through a vulnerable application. Applications are considered vulnerable to OS command injection if they use user input when building a system-level command.

Example:

// C program to demonstrate a command injection attack.
// The purpose of the program is to print the contents of a
// file provided as a command line argument.
#include <stdio.h>
#include <stdlib.h>   // malloc, free, system
#include <string.h>   // strlen, strncpy, strncat
#include <unistd.h>

int main(int argc, char **argv)
{
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <filename>\n", argv[0]);
        return 1;
    }

    // Build the string "cat <argv[1]>" (+1 for the terminating NUL).
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    if (command == NULL)
        return 1;
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)) );

    // Vulnerable: the user-controlled string is handed to a shell by
    // system(), so metacharacters such as ';' or '|' start extra commands.
    system(command);
    free(command);
    return (0);
}


Used normally, the output is simply the contents of the file requested:

$ ./a.out exploit.txt
my name is akash

However, if we add a semicolon and another command to the end of the argument, the shell treats the text after the semicolon as a second command, and the wrapper program (catWrapper) executes it without complaint:

$ ./a.out "exploit.txt; ls"
my name is akash
exploit.txt               doubFree.c              nullpointer.c
unstosig.c              www*                    a.out*
format.c                strlen.c                useFree*
catWrapper*             misnull.c               strlength.c             useFree.c
commandinjection.c      nodefault.c             trunc.c                 writeWhatWhere.c

The following PHP code snippet (a web application) is vulnerable to a command injection attack:

<?php
print("Please specify the name of the file to delete");
print("<p>");
// Vulnerable: the filename is taken straight from the query string
// and interpolated into a shell command without any validation.
$file = $_GET['filename'];
system("rm $file");
?>


The following request and response are an example of a successful attack (the `;id` appended to the filename runs the `id` command as the web server user):

Request
http://mywesite.com/delete.php?filename=bob.txt;id
Response
Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Mitigation

  • Ideally, a developer should use an existing API of their language instead of invoking a shell. For example, in Java, rather than using Runtime.exec() to issue a 'mail' command, use the Java mail API available under javax.mail.*
  • If no such API exists, the developer should scrub all input for malicious characters. Implementing a positive security model (an allow-list) is the most effective approach: it is typically much easier to define the legal characters than to enumerate the illegal ones.


This article is contributed by Akash Sharan.