Home > CAPEC List > CAPEC-15: Command Delimiters (Version 2.11)  

CAPEC-15: Command Delimiters

 
Command Delimiters
Definition in a New Window Definition in a New Window
Attack Pattern ID: 15
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

+ Attack Steps
Explore
  1. Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

    Port mapping using network connection-based software (e.g., nmap, nessus, etc.)

    Port mapping by exploring the operating system (netstat, sockstat, etc.)

    TCP/IP Fingerprinting

    Induce errors to find informative error messages

  2. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

    Spidering web sites for all available links

    Inventory all application inputs

Experiment
  1. Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

    Enter command delimiters directly in input fields.

Exploit
  1. Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

+ Attack Prerequisites
  • Software's input validation or filtering must not detect and block presence of additional malicious command.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.

LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

+ Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

+ Solutions and Mitigations

Design: Perform whitelist validation against a positive specification for command length, type, and parameters.

Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account

Implementation: Perform input validation for all remote content.

Implementation: Use type conversions such as JDBC prepared statements.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
+ Injection Vector

Malicious input delivered through appending delimiters to standard input

+ Payload

Command(s) appended to valid parameters to enable attacker to execute commands on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.15.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017