Improper Neutralization of Special Elements used in a Command ('Command Injection')| ID: 77 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Class |
Description
The software constructs all or part of a command using
externally-influenced input from an upstream component, but it does not
neutralize or incorrectly neutralizes special elements that could modify the
intended command when it is sent to a downstream
component.
Extended DescriptionCommand injection vulnerabilities typically occur when:1. Data enters the application from an untrusted source.2. The data is part of a string that is executed as a command by the
application.3. By executing the command, the application gives an attacker a
privilege or capability that the attacker would not otherwise
have.
Likelihood of Exploit: Very High
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | If a malicious user injects a character (such as a semi-colon) that
delimits the end of one command and the beginning of another, it may be
possible to then insert an entirely new and unrelated command that was
not intended to be executed. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | If at all possible, use library calls rather than external processes
to recreate the desired functionality | | |
| Implementation | | If possible, ensure that all external commands called from the program
are statically created. | | |
| Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright. | | |
| Operation | | Run time: Run time policy enforcement may be used in a white-list
fashion to prevent use of any non-sanctioned commands. | | |
| System Configuration | | Assign permissions to the software system that prevents the user from
accessing/opening privileged files. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-77 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code from a system utility uses the system property
APPHOME to determine the directory in which it is installed and then
executes an initialization script based on a relative path from the
specified directory.
- The following code is a wrapper around the UNIX command cat which
prints the contents of a file to standard out. It is also
injectable:
- The following code is from a web application that allows users
access to an interface through which they can update their password on the
system. Part of the process for updating passwords in certain network
environments is to run a make command in the /var/yp directory, the code for
which is shown below. (Demonstrative Example Id DX-29)
- The following code is from an administrative web application
designed to allow users to kick off a backup of an Oracle database using a
batch-file wrapper around the rman utility and then run a cleanup.bat script
to delete some temporary files. The script rmanDB.bat accepts a single
command line parameter, which specifies what type of backup to perform.
Because access to the database is restricted, the application runs the
backup as a privileged user. (Demonstrative Example Id DX-28)
- The following simple program accepts a filename as a command line
argument and displays the contents of the file back to the user. The program
is installed setuid root because it is intended for use as a learning tool
to allow system administrators in-training to inspect privileged system
files without giving them the ability to modify them or damage the
system. (Demonstrative Example Id DX-30)
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Command Injection | |
| CLASP | | Command injection | |
| OWASP Top Ten 2007 | A2 | Injection Flaws | CWE_More_Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE_More_Specific |
References:
- G. Hoglund G. McGraw .Exploiting Software: How to Break Code. Addison-Wesley. Published on February 2004.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 10: Command Injection." Page 171'. Published on 2010.
