OS Command Injection
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
When we go to a movie theater to see a movie, we drive to the cinema and request the movie we want to see by purchasing a ticket to that particular movie. We then exchange the ticket we have purchased for access to the theater in which the movie we have chosen will play from the projector. When the projector starts, the movie is delivered to the screen and you are able to watch it.
When we open our computer to visit a website, we type the website address into the address bar of our web browser to launch a request for the website we have chosen. The request for the webpage is sent through the internet to the web server, and the web server replies to us with the entire code for all of the content of the webpage. This code is downloaded to your computer and displayed through your web browser, and you are able to see the webpage. Many websites and web applications include opportunities for users to insert user-supplied data such as cookies, forms, and HTTP headers.
Attackers can exploit vulnerable web applications by creating scripts that execute commands on the web application server's operating system. Attackers that have created these scripts then need to deliver the script to web application users' browsers. To do this they embed or hide the script in user cookies, form data, HTTP headers, or the web application code itself, which is downloaded automatically and executed through your browser when you visit the web application. These types of attacks are called operating system (OS) command injection attacks.
Operating System (OS) Command Injection Attacks: an attack in which the goal is execution of commands on the web server operating system via a vulnerable web application or website. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
But what if all of a sudden the movie changed without you doing anything because someone else is controlling the movie projector through your ticket purchase?
Attackers can develop scripts that run these commands as if they are coming from the user's browser. The script creates and sends the same commands to the target website in the same manner as if the user had submitted them. As such, the web application can detect that the commands came from the user but cannot detect that the request was created and sent by a malicious script running in the user's browser.
Attackers wishing to use OS command injection attacks must begin by identifying a critical vulnerability in a web application. Vulnerable pages are pages that appear to execute system commands like ping, nslookup, tracert, or CGI scripts. To determine if a web application is vulnerable, an attacker can test it by inserting commands into the user-supplied data inputs to see how the application responds. Usually this begins by trying various symbols that the operating system command line interprets as a separator between commands. Other command symbols used by operating system shells are useful to try as well.
Next, once an attacker discovers a vulnerable web application, they are able to insert malicious code into the OS and gain any functionality the underlying application offers. The attackers can unleash the attack even without direct access to the OS. To do this, the attacker alters dynamically generated content on a web page using HTML code through an input mechanism such as a form field or cookies.
Finally, once the code is inserted into the affected web page, browsers interpret the code. This allows the attackers to execute specific commands across users' computers and to carry out any action that the application itself can carry out, including reading or modifying all of its data and performing privileged actions.
Vulnerable web application code passes unsafe user-supplied data from forms, cookies, HTTP headers, etc. into the command line of the operating system. For example, vulnerable web application code may let the user append additional operating system commands to its input. In the example below, the IP address entered into the form is pinged, but the operating system command line separator "&&" is used to execute a second operating system command that requests directory information from the web server.
Enter an IP address: 127.0.0.1 && dir
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ns TTL=128
Reply from 127.0.0.1: bytes=32 time<1ns TTL=128
Reply from 127.0.0.1: bytes=32 time<1ns TTL=128
Reply from 127.0.0.1: bytes=32 time<1ns TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ns, Maximum = 0ns, Average = 0ns
Volume in drive C has no label.
Volume Serial Number is 9021-8008
Directory of C:\xampp\htdocs\dvwa\vulnerabilities\exec
12/22/2016 01:33 AM <DIR> .
12/22/2016 01:33 AM <DIR> ..
12/22/2016 01:33 AM <DIR> help
12/22/2016 01:33 AM 1,830 index.php
Arguments: a value that is passed between programs, subroutines or functions. Arguments are independent items, or variables, that contain data or code.
So how do we prevent a website from being vulnerable to OS command injection when building websites or web applications?
1. Prevent calling OS commands directly
The primary defense is to avoid calling OS commands directly. Built-in library functions are a very good alternative to OS commands, and they cannot be manipulated to perform tasks other than those they are intended to do.
For example, use mkdir() instead of system("mkdir /dir_name").
2. Separate data and commands and perform input validation
If a call to a system command that incorporates user-supplied data is considered unavoidable, use structured mechanisms that automatically enforce the separation between data and command and perform input validation. The commands used must be validated against a whitelist of allowed commands. The arguments passed to those commands should be validated using whitelist input validation: a whitelist of allowed characters and a maximum length for the string.
For example, ensure that characters like & | ; $ > < ` \ ! and white-spaces are not part of the expression.
3. Escape values added to OS commands
A secondary defense is to escape values that are added to OS commands, in the way each type of OS requires.
For example, escapeshellarg() or escapeshellcmd() in PHP.
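The ping form from the earlier example and the three defenses above, worked through in one added example (written for this page, not DVWA's PHP): the vulnerable concatenation is shown only as the command string it would build, and the hardened path applies whitelist validation, a length limit, and an argv list with no shell; shlex.quote stands in for PHP's escapeshellarg() as the secondary defense. The sample inputs are constructed.

```python
"""Vulnerable vs. hardened handling of a "ping an IP" form (added example, not DVWA code)."""
import ipaddress
import platform
import shlex
import subprocess

# Constructed sample inputs: a benign address and the injection string from the page.
BENIGN_INPUT = "127.0.0.1"
INJECTED_INPUT = "127.0.0.1 && dir"


def vulnerable_command(user_input: str) -> str:
    """Builds the shell command the way vulnerable code does: raw concatenation.
    Returned as a string (never executed here) so the effect of '&&' is visible."""
    return "ping " + user_input  # a shell would run "ping 127.0.0.1" and then "dir"


def validate_ip(user_input: str) -> str:
    """Whitelist validation: the only accepted argument shape is a literal IP address.
    Raises ValueError on anything else, including shell separators."""
    if len(user_input) > 45:  # maximum length: longest textual IPv6 form
        raise ValueError("input too long")
    return str(ipaddress.ip_address(user_input))  # ValueError if not an IP literal


def hardened_argv(user_input: str) -> list[str]:
    """Separation of data and command: an argv list run without a shell,
    so '&&' can never be interpreted as a separator."""
    ip = validate_ip(user_input)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", ip]


def escaped_command(user_input: str) -> str:
    """Secondary defense (escapeshellarg() in PHP): shlex.quote is the POSIX analogue.
    It neutralises metacharacters but does not validate, so prefer hardened_argv()."""
    return "ping " + shlex.quote(user_input)


def run_ping(user_input: str) -> int:
    """Executes the hardened command with no shell; returns ping's exit status."""
    return subprocess.run(hardened_argv(user_input), capture_output=True).returncode


if __name__ == "__main__":
    print(vulnerable_command(INJECTED_INPUT))
    try:
        hardened_argv(INJECTED_INPUT)
    except ValueError as err:
        print("rejected:", err)
    print(escaped_command(INJECTED_INPUT))
```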
pwn: hacker slang derived from the verb own, meaning to appropriate or to conquer.
Multiple commands can be run by using various symbols that the operating system command line interprets as a separator between commands. There are many of these, but some examples are ";", "&", "&&", "|", and "||". The most efficient way to run multiple commands, however, is to automate them via scripting. In operating system (OS) command injection attacks, commands are embedded in a script which executes through the user's browser and runs on and attacks the web server hosting the website or web application. The intent of these attacks is to steal information from, delete information from, compromise, or pwn the web server.
Operating system commands are issued via the command line interface, a means of interacting with a computer where the user issues commands to the program. Commands can be used to determine the operating system type and version, access directories, create new directories, view the contents of a file, delete a file, delete directories, copy directories, change file permissions, and do many other things.
Commands: instructions to a computer program to perform a specific task. Most commonly a command is a directive to some kind of command-line interface.