OS Command Injection : Simple yet effective

What is OS Command Injection

OS Command Injection is a vulnerability which describes improper neutralization of special elements. It can result in modification of the intended OS command that is sent to a downstream component.
So, OS command injection weaknesses can expose an environment to an attacker even if he does not have direct access to the operating system. Also, if the application is running with higher privilege, it may allow an attacker to specify commands that may not be available otherwise.

Running OS commands is very useful functionality but it can equally trigger a vulnerability if not used correctly.

Types of OS Command Injection

There are two sub-types of command Injection.

  • An application executes a fixed program that is under its control and accepts external input as arguments to that program. e.g. the application may run system(“nslookup [HOSTNAME]”) to run nslookup and allow the user to supply a HOSTNAME, which is actually an argument.
    Interestingly, if the program does not remove separators from the externally supplied HOSTNAME argument, the attacker could place separators inside the argument and execute his own command.
  • The application uses input to select which program to run and what commands to use. The application sanitizes the input and then simply redirects the entire command to the operating system.

Lets see some examples

Suppose there is an application on which you can learn C programming by typing the code. We will try first by writing a simple Hello World ! program.

What if we try to write a code to execute some of the system commands.

Wow ! It actually executed our custom payload. now we can try executing some more commands.

May be one more. 🙂

You have seen how a functionality got converted into a critical vulnerability. We can see the example on some other application as well.

Suppose there is one application which has an inbuilt ping functionality.

As we can see above ping command is the functionality of the application. What if we can use a separator and run some more commands.

Similar to our previous example we are able to run our command probable because there is no check implemented.

Products affected

Those applications which use external input to send commands to the operating system can be vulnerable to this weakness.

Mitigation

To defend systems from this weakness,we should use library calls when possible, to create the desired functionality without external input. When external input is inescapable, developers need to use secure input and output handling.

References:

  1. CWE-78: Improper Neutralization of Special Elements used
  2. Comm Injection[OWASP]

We will discuss more about certain vulnerabilities in our next posts, please drop your comments and feedback so that we can improve. Also, if there is any specific vulnerability which you want us to discuss please let us know.

Till then keep hunting.

4 comments

  • Nice article … precise and neat.

  • Hey Shekhar,
    Nice article. Do you have any example for the second type or scenario of OS command injection?

    • HI Shruthi. Thanks.

      Unfortunately not. I am looking out for the VMs where I can demonstrate the vulnerability better.
      Keep reading and commenting.

  • Hey Shekhar,

    The way you explained is simply awesome … its more helpful to understand a guy like me who is not from IT Security background…..