Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')ID: 78 | Date: (C)2012-05-14 (M)2022-10-10 | Type: weakness | Status: DRAFT | Abstraction Type: Base |
Description The software constructs all or part of an OS command using
externally-influenced input from an upstream component, but it does not
neutralize or incorrectly neutralizes special elements that could modify the
intended OS command when it is sent to a downstream
component. Extended DescriptionThis could allow attackers to execute unexpected, dangerous commands
directly on the operating system. This weakness can lead to a vulnerability
in environments in which the attacker does not have direct access to the
operating system, such as in web applications. Alternately, if the weakness
occurs in a privileged program, it could allow the attacker to specify
commands that normally would not be accessible, or to call alternate
commands with privileges that the attacker does not have. The problem is
exacerbated if the compromised process does not follow the principle of
least privilege, because the attacker-controlled commands may run with
special system privileges that increases the amount of damage.There are at least two subtypes of OS command injection:The application intends to execute a single, fixed program that is
under its own control. It intends to use externally-supplied inputs as
arguments to that program. For example, the program might use
system("nslookup [HOSTNAME]") to run nslookup and allow the user to
supply a HOSTNAME, which is used as an argument. Attackers cannot
prevent nslookup from executing. However, if the program does not remove
command separators from the HOSTNAME argument, attackers could place the
separators into the arguments, which allows them to execute their own
program after nslookup has finished executing.The application accepts an input that it uses to fully select which
program to run, as well as which commands to use. The application simply
redirects this entire command to the operating system. For example, the
program might use "exec([COMMAND])" to execute the [COMMAND] that was
supplied by the user. If the COMMAND is under attacker control, then the
attacker can execute arbitrary commands or programs. If the command is
being executed using functions like exec() and CreateProcess(), the
attacker might not be able to combine multiple commands together in the
same line.From a weakness standpoint, these variants represent distinct programmer
errors. In the first variant, the programmer clearly intends that input from
untrusted parties will be part of the arguments in the command to be
executed. In the second variant, the programmer does not intend for the
command to be accessible to any untrusted party, but the programmer probably
has not accounted for alternate ways in which malicious attackers can
provide input. Likelihood of Exploit: High Applicable PlatformsLanguage Class: All Time Of Introduction - Architecture and Design
- Implementation
Related Attack Patterns Common Consequences Scope | Technical Impact | Notes |
---|
ConfidentialityIntegrityAvailabilityNon-Repudiation | Execute unauthorized code or
commandsDoS: crash / exit /
restartRead files or
directoriesModify files or
directoriesRead application
dataModify application
dataHide activities | Attackers could execute unauthorized commands, which could then be
used to disable the software, or read and modify data for which the
attacker does not have permissions to access directly. Since the
targeted application is directly executing the commands instead of the
attacker, any malicious activities may appear to come from the
application or the application's owner. |
Detection Methods Name | Description | Effectiveness | Notes |
---|
Automated Static Analysis | This weakness can often be detected using automated static analysis
tools. Many modern tools use data flow analysis or constraint-based
techniques to minimize the number of false positives.Automated static analysis might not be able to recognize when proper
input validation is being performed, leading to false positives - i.e.,
warnings that do not have any security consequences or require any code
changes.Automated static analysis might not be able to detect the usage of
custom API functions or third-party libraries that indirectly invoke OS
commands, leading to false negatives - especially if the API/library
code is not available for analysis. | | | Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that
interact with the software using large test suites with many diverse
inputs, such as fuzz testing (fuzzing), robustness testing, and fault
injection. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results. | Moderate | | Manual Static Analysis | Since this weakness does not typically appear frequently within a
single software package, manual white box techniques may be able to
provide sufficient code coverage and reduction of false positives if all
potentially-vulnerable operations can be assessed within limited time
constraints. | High | |
Potential Mitigations Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | | If at all possible, use library calls rather than external processes
to recreate the desired functionality. | | | Architecture and DesignOperation | Sandbox or Jail | Run the code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict which files can be accessed in a particular
directory or which commands can be executed by the software.OS-level examples include the Unix chroot jail, AppArmor, and SELinux.
In general, managed code may provide some protection. For example,
java.io.FilePermission in the Java SecurityManager allows the software
to specify restrictions on file operations.This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of the application may still be subject
to compromise.Be careful to avoid CWE-243 and other weaknesses related to jails. | Limited | The effectiveness of this mitigation depends on the prevention
capabilities of the specific sandbox or jail being used and might only
help to reduce the scope of an attack, such as restricting the attacker
to certain system calls or limiting the portion of the file system that
can be accessed. | Architecture and Design | Identify and Reduce Attack Surface | For any data that will be used to generate a command to be executed,
keep as much of that data out of external control as possible. For
example, in web applications, this may require storing the data locally
in the session's state instead of sending it out to the client in a
hidden form field. | | | Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server. | | | Architecture and Design | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to
occur or provides constructs that make this weakness easier to
avoid.For example, consider using the ESAPI Encoding control [R.78.8] or a
similar tool, library, or framework. These will help the programmer
encode outputs in a manner less prone to error. | | | Implementation | Output Encoding | While it is risky to use dynamically-generated query strings, code, or
commands that mix control and data together, sometimes it may be
unavoidable. Properly quote arguments and escape any special characters
within those arguments. The most conservative approach is to escape or
filter all characters that do not pass an extremely strict whitelist
(such as everything that is not alphanumeric or white space). If some
special characters are still needed, such as white space, wrap each
argument in quotes after the escaping/filtering step. Be careful of
argument injection (CWE-88). | | | Implementation | | If the program to be executed allows arguments to be specified within
an input file or from standard input, then consider using that mode to
pass arguments instead of the command line. | | | Architecture and Design | Parameterization | If available, use structured mechanisms that automatically enforce the
separation between data and code. These mechanisms may be able to
provide the relevant quoting, encoding, and validation automatically,
instead of relying on the developer to provide this capability at every
point where output is generated.Some languages offer multiple functions that can be used to invoke
commands. Where possible, identify any function that invokes a command
shell using a single string, and replace it with a function that
requires individual arguments. These functions typically perform
appropriate quoting and filtering of arguments. For example, in C, the
system() function accepts a string that contains the entire command to
be executed, whereas execl(), execve(), and others require an array of
strings, one for each argument. In Windows, CreateProcess() only accepts
one command at a time. In Perl, if system() is provided with an array of
arguments, then it will quote each of the arguments. | | | Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright.When constructing OS command strings, use stringent whitelists that
limit the character set based on the expected value of the parameter in
the request. This will indirectly limit the scope of an attack, but this
technique is less important than proper output encoding and
escaping.Note that proper output encoding, escaping, and quoting is the most
effective solution for preventing OS command injection, although input
validation may provide some defense-in-depth. This is because it
effectively limits what will appear in output. Input validation will not
always prevent OS command injection, especially if you are required to
support free-form text fields that could contain arbitrary characters.
For example, when invoking a mail program, you might need to allow the
subject field to contain otherwise-dangerous inputs like ";" and ">"
characters, which would need to be escaped or otherwise handled. In this
case, stripping the character might reduce the risk of OS command
injection, but it would produce incorrect behavior because the subject
field would not be recorded as the user intended. This might seem to be
a minor inconvenience, but it could be more important when the program
relies on well-structured subject lines in order to pass messages to
other components.Even if you make a mistake in your validation (such as forgetting one
out of 100 input fields), appropriate encoding is still likely to
protect you from injection-based attacks. As long as it is not done in
isolation, input validation is still a useful technique, since it may
significantly reduce your attack surface, allow you to detect some
attacks, and provide other security benefits that proper encoding does
not address. | | | Architecture and Design | Enforcement by Conversion | When the set of acceptable objects, such as filenames or URLs, is
limited or known, create a mapping from a set of fixed input values
(such as numeric IDs) to the actual filenames or URLs, and reject all
other inputs. | | | Operation | Compilation or Build HardeningEnvironment Hardening | Run the code in an environment that performs automatic taint
propagation and prevents any command execution that uses tainted
variables, such as Perl's "-T" switch. This will force the program to
perform validation steps that remove the taint, although you must be
careful to correctly validate your inputs so that you do not
accidentally mark dangerous inputs as untainted (see CWE-183 and
CWE-184). | | | Implementation | | Ensure that error messages only contain minimal details that are
useful to the intended audience, and nobody else. The messages need to
strike the balance between being too cryptic and not being cryptic
enough. They should not necessarily reveal the methods that were used to
determine the error. Such detailed information can be used to refine the
original attack to increase the chances of success.If errors must be tracked in some detail, capture them in log messages
- but consider what could occur if the log messages can be viewed by
attackers. Avoid recording highly sensitive information such as
passwords in any form. Avoid inconsistent messaging that might
accidentally tip off an attacker about internal state, such as whether a
username is valid or not.In the context of OS Command Injection, error information passed back
to the user might reveal whether an OS command is being executed and
possibly which command is being used. | | | Operation | Sandbox or Jail | Use runtime policy enforcement to create a whitelist of allowable
commands, then prevent use of any command that does not appear in the
whitelist. Technologies such as AppArmor are available to do
this. | | | Operation | Firewall | Use an application firewall that can detect attacks against this
weakness. It can be beneficial in cases in which the code cannot be
fixed (because it is controlled by a third party), as an emergency
prevention measure while more comprehensive software assurance measures
are applied, or to provide defense in depth. | Moderate | An application firewall might not cover all possible input vectors. In
addition, attack techniques might be available to bypass the protection
mechanism, such as using malformed inputs that can still be processed by
the component that receives those inputs. Depending on functionality, an
application firewall might inadvertently reject or modify legitimate
requests. Finally, some manual effort may be required for
customization. | Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.78.9]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | | OperationImplementation | Environment Hardening | When using PHP, configure the application so that it does not use
register_globals. During implementation, develop the application so that
it does not rely on this feature, but be wary of implementing a
register_globals emulation that is subject to weaknesses such as CWE-95,
CWE-621, and similar issues. | | |
Relationships Related CWE | Type | View | Chain |
---|
CWE-78 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details) - In the example below, a method is used to transform geographic
coordinates from latitude and longitude format to UTM format. The method
gets the input coordinates from a user through a HTTP request and executes a
program local to the application server that performs the transformation.
The method passes the latitude and longitude coordinates as a command-line
option to the external program and will perform some processing to retrieve
the results of the transformation and return the resulting UTM coordinates.
- The example below reads the name of a shell script to execute from
the system properties. It is subject to the second variant of OS command
injection.
- The following code is from a web application that allows users
access to an interface through which they can update their password on the
system. Part of the process for updating passwords in certain network
environments is to run a make command in the /var/yp directory, the code for
which is shown below. (Demonstrative Example Id DX-29)
- The following code is from an administrative web application
designed to allow users to kick off a backup of an Oracle database using a
batch-file wrapper around the rman utility and then run a cleanup.bat script
to delete some temporary files. The script rmanDB.bat accepts a single
command line parameter, which specifies what type of backup to perform.
Because access to the database is restricted, the application runs the
backup as a privileged user. (Demonstrative Example Id DX-28)
- This example code intends to take the name of a user and list the
contents of that user's home directory. It is subject to the first variant
of OS command injection.
- This example is a web application that intends to perform a DNS
lookup of a user-supplied domain name. It is subject to the first variant of
OS command injection.
Observed Examples - CVE-1999-0067 : Canonical example. CGI program does not neutralize "\|" metacharacter when invoking a phonebook program.
- CVE-2001-1246 : Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
- CVE-2002-0061 : Web server allows command execution using "\|" (pipe) character.
- CVE-2003-0041 : FTP client does not filter "\|" from filenames returned by the server, allowing for OS command injection.
- CVE-2008-2575 : Shell metacharacters in a filename in a ZIP archive
- CVE-2002-1898 : Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.
- CVE-2008-4304 : OS command injection through environment variable.
- CVE-2008-4796 : OS command injection through https:// URLs
- CVE-2007-3572 : Chain: incomplete blacklist for OS command injection
- CVE-2012-1988 : Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.
For more examples, refer to CVE relations in the bottom box. White Box DefinitionsA weakness where the code path has:1. start statement that accepts input2. end statement that executes an operating system command
wherea. the input is used as a part of the operating system command
andb. the operating system command is undesirableWhere "undesirable" is defined through the following scenarios:1. not validated2. incorrectly validated Black Box Definitions None Taxynomy Mappings Taxynomy | Id | Name | Fit |
---|
PLOVER | | OS Command Injection | | OWASP Top Ten 2007 | A3 | Malicious File Execution | CWE_More_Specific | OWASP Top Ten 2004 | A6 | Injection Flaws | CWE_More_Specific | CERT C Secure Coding | ENV03-C | Sanitize the environment when invoking external
programs | | CERT C Secure Coding | ENV04-C | Do not call system() if you do not need a command
processor | | CERT C Secure Coding | STR02-C | Sanitize data passed to complex subsystems | | WASC | 31 | OS Commanding | | CERT Java Secure Coding | IDS07-J | Do not pass untrusted, unsanitized data to the Runtime.exec()
method | | CERT C++ Secure Coding | STR02-CPP | Sanitize data passed to complex subsystems | | CERT C++ Secure Coding | ENV03-CPP | Sanitize the environment when invoking external
programs | | CERT C++ Secure Coding | ENV04-CPP | Do not call system() if you do not need a command
processor | |
References: - G. Hoglund G. McGraw .Exploiting Software: How to Break Code. Addison-Wesley. Published on 2004-02.
- Pascal Meunier .Meta-Character Vulnerabilities. Published on 2008-02-20.
- Robert Auger .OS Commanding. Published on 2009-06.
- Lincoln Stein John Stewart .The World Wide Web Security FAQ. Section:'chapter: "CGI Scripts"'. Published on 2002-02-04.
- Jordan Dimov, Cigital .Security Issues in Perl Scripts.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 10: Command Injection." Page 171'. Published on 2010.
- Frank Kim .Top 25 Series - Rank 9 - OS Command Injection. SANS Software Security Institute. 2010-02-24.
- OWASP .OWASP Enterprise Security API (ESAPI) Project.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "Shell Metacharacters", Page
425.'. Published on 2006.
|