Command Injection Vulnerability and Mitigation

Command injection is the injection of operating system commands that are then executed through a web application. The purpose of a command injection attack is to inject and execute commands chosen by the attacker in the vulnerable application. In a situation like this, the application that executes the unwanted system commands behaves like a pseudo system shell, and the attacker can use it as if they were an authorized system user. The commands, however, are executed with the same privileges and environment as the web application. Command injection attacks are possible when input the attacker can manipulate (forms, cookies, HTTP headers, etc.) is not correctly validated.

It is a variant of the code injection attack. In code injection, the attacker adds their own code to the existing code, and the injected code is executed with the same privileges and environment as the application.

An OS command injection attack occurs when an attacker attempts to execute system-level commands through a vulnerable application. Applications are considered vulnerable to OS command injection if they use user input in a system-level command.

Example:

// C program to demonstrate a command injection attack.
// The purpose of the program is to print the contents of a
// file provided as a command line argument.
#include <stdio.h>
#include <stdlib.h>   // malloc, free, system
#include <string.h>   // strlen, strncpy, strncat
#include <unistd.h>

int main(int argc, char **argv)
{
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 1;
    }

    // Build the string "cat <argv[1]>" from the user-supplied argument.
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = malloc(commandLength);
    if (command == NULL)
        return 1;
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)));

    // system() passes the whole string to /bin/sh -c, so shell
    // metacharacters in argv[1] (such as ';') act as command separators.
    system(command);
    free(command);
    return 0;
}

Used normally, the output is simply the contents of the file requested:

$ ./a.out exploit.txt
my name is akash

However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:

$ ./a.out "exploit.txt; ls"
my name is akash
exploit.txt             doubFree.c              nullpointer.c
unstosig.c              www*                    a.out*
format.c                strlen.c                useFree*
catWrapper*             misnull.c               strlength.c             useFree.c
commandinjection.c      nodefault.c             trunc.c                 writeWhatWhere.c

The following PHP code snippet (a web app) is vulnerable to a command injection attack:

<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file");
?>

The following request and response are an example of a successful attack:

Request

http://mywesite.com/delete.php?filename=bob.txt;id

Response

Please specify the name of the file to delete
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Mitigation
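A hardened counterpart to the two vulnerable programs above, added here as an example (it is not the page's original code): the file name is checked against a strict allowlist, then passed to cat as its own argument through execlp() with no shell in between, and the delete case uses unlink() on a path built inside a fixed directory instead of interpolating the name into "rm $file". The helper names (is_safe_filename, safe_cat, safe_delete), the 255-character limit and the directory argument are this example's own choices.

```c
// Added example (not the page's original program): a hardened version of the
// cat wrapper and of the delete.php pattern. User input is validated against
// an allowlist and is never handed to a shell.
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Accept only a plain file name: 1..255 chars, no leading dot, and only
// [A-Za-z0-9._-]. This rejects ';', '|', '$', '/', spaces and similar.
int is_safe_filename(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

// Print a file with cat, without a shell: execlp() receives the file name as
// its own argv element, so "exploit.txt; ls" would be one (nonexistent) file
// name, not two commands. "--" stops cat from treating the name as an option.
// Returns cat's exit status, or -1 if the name was rejected or spawning failed.
int safe_cat(const char *name)
{
    if (!is_safe_filename(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("cat", "cat", "--", name, (char *)NULL);
        _exit(127); // only reached if exec failed
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Delete a file inside a fixed directory with unlink() instead of "rm $file".
// A name that passed the allowlist contains no '/' and does not start with
// '.', so the result stays inside dir. Returns 0 on success, -1 on rejection
// or failure.
int safe_delete(const char *dir, const char *name)
{
    char path[4096];
    if (!is_safe_filename(name))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    return unlink(path) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    int rc = safe_cat(argv[1]);
    if (rc < 0) {
        fprintf(stderr, "rejected or failed: %s\n", argv[1]);
        return 1;
    }
    return rc;
}
```

With this version, `./a.out "exploit.txt; ls"` is refused by the allowlist before any process is spawned, and even a name that slipped past validation would reach cat as a single argument rather than a shell command line. The allowlist is deliberately narrower than what the filesystem accepts; widening it is a policy decision that should be made per application, never by passing the raw value to a shell.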