Command Injection Vulnerability and Mitigation
Last Updated: 14 Jun, 2022
Command injection is the injection of operating system commands that are then executed by a vulnerable application, typically a web application. The attacker's goal is to make the application run commands of the attacker's choosing. The application then behaves like a pseudo system shell for the attacker, who effectively gains the access of an authorized system user, but only with the privileges and environment of the application itself (for example, the www-data account in the PHP example below). Command injection is possible because attacker-controlled input (form fields, cookies, HTTP headers, query parameters, etc.) is placed into a command string without correct validation.
Command injection differs from the related Code Injection attack. In code injection, the attacker supplies code in the application's own language, which the application then executes; in command injection, the attacker supplies shell command fragments that ride along with a command the application already runs. In both cases the injected payload runs with the same privileges and environment as the application.
An OS command injection attack occurs when an attacker executes system-level commands through a vulnerable application. An application is vulnerable if it builds a system-level command from user input and hands that string to a shell (for example via system() in C or PHP), because the shell interprets metacharacters such as ;, |, &&, $(...) and backticks that appear inside the input.
Example:
C
// C program to demonstrate a Command Injection attack.
// The purpose of the program is to print the contents of a
// file provided as a command line argument.
#include <stdio.h>
#include <stdlib.h>   // malloc, free, system
#include <string.h>   // strlen, strncpy, strncat

int main(int argc, char **argv)
{
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }

    // Build the string "cat <argv[1]>" and hand it to the shell.
    // argv[1] is concatenated unchecked, so any shell metacharacters
    // in it (;, |, &&, $(...) ...) are interpreted by /bin/sh.
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    if (command == NULL)
        return 1;
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)));
    system(command);   // vulnerable: runs "sh -c <command>"
    free(command);
    return (0);
}
Used normally, the output is simply the contents of the file requested:
$ ./a.out exploit.txt
my name is akash
However, if we add a semicolon and another command to the end of the argument, the shell treats the semicolon as a command separator and the program runs the second command with no complaint:
$ ./a.out "exploit.txt; ls"
my name is akash
exploit.txt doubFree.c nullpointer.c
unstosig.c www* a.out*
format.c strlen.c useFree*
catWrapper* misnull.c strlength.c useFree.c
commandinjection.c nodefault.c trunc.c writeWhatWhere.c
The following PHP code snippet (from a web application) is vulnerable to a command injection attack:
PHP
<?php
print("Please specify the name of the file to delete");
print("<p>");
// The file name comes straight from the query string ...
$file=$_GET['filename'];
// ... and is interpolated unchecked into a shell command line.
system("rm $file");
?>
The following request and response are an example of a successful attack. The ;id appended to the file name turns the executed command into rm bob.txt; id, so the response contains the output of id running as the web server user:
Request
http://mywesite.com/delete.php?filename=bob.txt;id
Response
Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Mitigation
- Ideally, a developer should use an existing API of their language instead of spawning a shell. For example, in Java, rather than using Runtime.exec() to issue a 'mail' command, use the API available in javax.mail.*; in the PHP example above, unlink() deletes a file without any shell being involved.
- If the operation genuinely needs an external program, start it without a shell and pass user input as a separate argument (for example an argv array given to execve() in C, or ProcessBuilder in Java) so that the input is never parsed as a command line. Merely escaping metacharacters before calling system() is fragile and should be a last resort.
- In all cases the developer should validate input before using it. Implementing a positive security model (an allowlist) is the most effective approach: it is much easier to define the legal characters, for instance letters, digits, '.', '_' and '-' for a file name, than to enumerate every illegal one.
- Run the application with the least privilege it needs, so that a successful injection yields only the limited access of the application account (www-data in the example above) rather than a more powerful one.
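The following hardened version of the cat wrapper from the C example above is an added example, not code from the original article. It applies both mitigations just listed: the file name is checked against a positive allowlist of characters, and cat is started with fork() and execvp() with an argv array, so no shell ever parses the user's input and characters such as ';' carry no meaning. The helper names is_safe_filename and cat_file are assumptions chosen for this example.

```c
// Hardened cat wrapper (added example, not the article's own code).
// Mitigation 1: positive allowlist on the file name.
// Mitigation 2: no shell; the program is exec'd with an argv array.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Positive security model: accept only the characters a plain file name in
// the current directory needs. Spaces, ';', '|', '&', '$', '`', '/', newlines
// and everything else are rejected without having to be enumerated.
// Returns 1 if the name is acceptable, 0 otherwise.
int is_safe_filename(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    // No leading '-' (option injection into cat) and no leading '.'
    // (dotfiles, "." and ".." traversal).
    if (name[0] == '-' || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

// Print the file with cat, without a shell. Returns cat's exit status
// (0 on success), or -1 if the name was rejected or the child could not
// be started. Hypothetical helper name for this example.
int cat_file(const char *name)
{
    if (!is_safe_filename(name))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        // The user input is exactly one argv element of cat; it is never
        // joined into a command line, so "exploit.txt; ls" would simply be
        // looked up as a file of that name (and is rejected above anyway).
        char *const child_argv[] = { "cat", "--", (char *)name, NULL };
        execvp("cat", child_argv);
        _exit(127);   // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    int rc = cat_file(argv[1]);
    if (rc == -1)
        fprintf(stderr, "rejected or failed: %s\n", argv[1]);
    return rc == 0 ? 0 : 1;
}
```

Running ./a.out "exploit.txt; ls" with this version prints "rejected or failed" and never reaches exec; even if the allowlist were removed, execvp() would pass the whole string to cat as a single file name and ls would still not run. The allowlist is kept anyway because the shell is not the only consumer that can misinterpret input: a leading '-' would otherwise be parsed by cat as an option, and '/' would allow traversal out of the intended directory.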