An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Attack Execution Flow
Explore
Assess Target Runtime Environment:
In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
Attack Step Techniques:
  ID 1: Port mapping using network connection-based software (e.g., nmap, nessus, etc.).
Outcomes:
  Operating environment (operating system, language, and/or middleware) is correctly identified.
  ID 2 (Inconclusive): Multiple candidate operating environments are suggested.
Security Controls:
  ID 1 (Preventative): Provide misleading information on TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
  ID 2 (Preventative): Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
  ID 3 (Detective): Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application:
The attacker surveys the target application, possibly as a valid and authenticated user.
Attack Step Techniques:
  ID -1: Spidering web sites for all available links. Environments: env-Web.
  ID -1: Inventory all application inputs. Environments: env-All.
Indicators:
  ID -1 (Positive): Attacker develops a list of valid inputs. Environments: env-Web, env-ClientServer.
Outcomes:
  ID 0 (Success): The attacker develops a list of likely command delimiters.
Security Controls:
  ID 0 (Detective): Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
  ID 0 (Detective): Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
  ID 0 (Preventative): Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
  ID 0 (Detective): Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
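The two "Detective" controls above (request velocity and hidden links) turned into detection logic and run over constructed web-server log lines, as an added example that is not part of the CAPEC entry. It assumes Apache/NGINX combined-format access logs with one-second timestamps, a hypothetical hidden path HIDDEN_PATH that no browser-driven human would request, and thresholds (MAX_MEAN_INTERVAL_S, MAX_INTERVAL_CV, MIN_REQUESTS) chosen for the example rather than taken from the page.

```python
"""
Added example (not from the CAPEC page): velocity and hidden-link detection
over constructed web-server log lines. Log format, hidden path and
thresholds are assumptions made for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical hidden-link path (an assumption chosen for this example).
HIDDEN_PATH = "/.internal/catalog-index"

# Thresholds are assumptions for this example, not values from the page.
MAX_MEAN_INTERVAL_S = 2.0   # faster than this on average looks automated
MAX_INTERVAL_CV = 0.25      # near-constant spacing: low coefficient of variation
MIN_REQUESTS = 4            # enough samples to judge regularity

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def analyse(lines):
    """Group requests by source IP and apply the velocity and hidden-link checks.
    Returns {ip: {"mean_interval", "cv", "hidden_hit", "automated"}}."""
    by_ip = defaultdict(list)
    hidden_hits = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        by_ip[ip].append(ts)
        if path == HIDDEN_PATH:
            hidden_hits.add(ip)

    findings = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = cv = None
        velocity_flag = False
        if len(stamps) >= MIN_REQUESTS:
            mean = statistics.mean(gaps)
            # Coefficient of variation (stdev / mean): tools space requests
            # regularly, so their CV is small; humans are irregular.
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            velocity_flag = mean <= MAX_MEAN_INTERVAL_S and cv <= MAX_INTERVAL_CV
        findings[ip] = {
            "mean_interval": mean,
            "cv": cv,
            "hidden_hit": ip in hidden_hits,
            "automated": velocity_flag or ip in hidden_hits,
        }
    return findings

# Constructed sample log lines: 203.0.113.7 behaves like a spider (one
# request per second, and it follows the hidden link); 198.51.100.20
# looks like a person reading pages.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2009:10:00:01 +0000] "GET /products HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2009:10:00:02 +0000] "GET /.internal/catalog-index HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Mar/2009:10:00:03 +0000] "GET /about HTTP/1.1" 200 900',
    '203.0.113.7 - - [10/Mar/2009:10:00:04 +0000] "GET /contact HTTP/1.1" 200 700',
    '198.51.100.20 - - [10/Mar/2009:10:00:05 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.20 - - [10/Mar/2009:10:00:41 +0000] "GET /products HTTP/1.1" 200 2048',
    '198.51.100.20 - - [10/Mar/2009:10:02:10 +0000] "GET /products/42 HTTP/1.1" 200 1800',
    '198.51.100.20 - - [10/Mar/2009:10:02:19 +0000] "GET /cart HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

A single request for the hidden path is enough to flag a source, whereas the velocity check needs MIN_REQUESTS samples; in practice the thresholds should be tuned against the application's own traffic, since a shared NAT address can make several humans look like one fast client.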
Experiment
Attempt delimiters in inputs:
The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
Attack Step Techniques:
  Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.). Environments: env-Web.
  ID 3: Enter command delimiters directly in input fields. Environments: env-Embedded, env-Local, env-ClientServer.
Indicators:
  ID 1 (Positive): Attack step 2 is successful. Environments: env-All.
Outcomes:
  ID 1 (Success): One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Exploit
Use malicious command delimiters:
The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
Outcomes:
  ID 1 (Success): The software performs as expected by the attacker.
Security Controls:
  ID 1 (Detective)
Attack Prerequisites
The software's input validation or filtering must not detect and block the presence of the additional malicious command.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
By appending special characters, such as a semicolon, or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast, including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process, such as a web browser, without tripping any security alarms, so the network firewall does not log any out-of-the-ordinary behavior.
LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When users, organizational units, and other directory objects are queried by building the query string directly from user input with no validation or other conversion, the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly, in the same manner as SQL injection gives the attacker the ability to run SQL commands on the database.
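The LDAP case described above, as an added example that is not part of the CAPEC entry: an LDAP search filter built by concatenating user input, next to the same filter built after escaping the value as RFC 4515 requires. No directory server is contacted; the block only shows the filter string each approach would send and counts the clauses it contains. The function names and the base filter are assumptions made for this example.

```python
"""
Added example (not from the CAPEC page): unsafe versus escaped construction
of an LDAP search filter. The filter shape and helper names are assumptions.
"""

# RFC 4515 requires these characters to be escaped inside a filter value;
# everything else passes through unchanged.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value):
    """Escape a value so it can only ever match as literal text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unsafe_user_filter(username):
    """Vulnerable: the raw input is spliced into the filter, so parentheses
    and '*' in it become filter syntax."""
    return "(&(objectClass=person)(uid=" + username + "))"

def safe_user_filter(username):
    """Hardened: delimiters in the input are neutralised before splicing."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"

def count_clauses(filter_str):
    """Structural check: number of unescaped '(' in the filter. A value that
    adds clauses has changed the filter's logic, not just its data."""
    count = 0
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3          # skip one escape sequence such as \28
            continue
        if filter_str[i] == "(":
            count += 1
        i += 1
    return count

if __name__ == "__main__":
    # Constructed input carrying filter delimiters.
    probe = "alice)(cn=*"
    for builder in (unsafe_user_filter, safe_user_filter):
        f = builder(probe)
        print(builder.__name__, f, "clauses:", count_clauses(f))
```

The unsafe filter gains a fourth clause from the delimiters in the value, while the escaped filter keeps the three clauses the developer wrote; the clause count is a cheap regression check for any code path that assembles filters from external input.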
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker has to identify the injection vector, identify the specific commands, and optionally collect the output, e.g. from an interactive session.
Resources Required
Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or another method such as FTP.
Solutions and Mitigations
Design: Perform whitelist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so that if commands circumvent program input validation or filter routines, the commands do not run under a privileged account.
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.
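The "whitelist validation against a positive specification" and "type conversions such as prepared statements" mitigations above applied to two sinks, an OS command and a SQL query, as an added example that is not part of the CAPEC entry. The scenario is a hypothetical diagnostics feature that pings a user-supplied host name and records the request; the host-name specification, table name and helper names are assumptions made for the example. The vulnerable builder is shown as a string only and nothing it produces is executed.

```python
"""
Added example (not from the CAPEC page): whitelist validation plus an argv
list for the command sink, and parameter binding for the SQL sink. The
application scenario and names are assumptions for this example.
"""
import re
import shlex
import sqlite3
import subprocess

# Positive specification for the single accepted parameter: a DNS host name,
# bounded in length, labels of letters/digits/hyphens separated by dots.
# (This contract is an assumption for the example.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def validate_hostname(value):
    """Whitelist validation: accept only values matching the specification."""
    if not HOSTNAME_RE.match(value):
        raise ValueError("host name does not match the positive specification")
    return value

def vulnerable_command(host):
    """Before: concatenation into a shell command line. Any delimiter in
    `host` is parsed by the shell as the start of another command."""
    return "ping -c 1 " + host

def hardened_command(host):
    """After: the validated value is one argv element; no shell is involved."""
    return ["ping", "-c", "1", validate_hostname(host)]

def run_hardened(host):
    """Executes the argv list with shell=False (the default), so the OS
    receives exactly four arguments, never a command line to re-parse."""
    return subprocess.run(hardened_command(host), capture_output=True, text=True, timeout=5)

def shell_separators(command_string):
    """Tokens a POSIX shell would treat as control operators (';', '&&', '|', ...).
    Any such token means the 'single command' is really several."""
    lexer = shlex.shlex(command_string, punctuation_chars=True)
    return [tok for tok in lexer if tok and all(ch in lexer.punctuation_chars for ch in tok)]

def record_request(conn, host, user):
    """Parameterized insert: the driver binds the values; they are never parsed as SQL."""
    conn.execute("INSERT INTO diag_requests(host, requested_by) VALUES (?, ?)", (host, user))
    conn.commit()

def find_requests_by_user(conn, user):
    """Parameterized lookup: a delimiter payload in `user` is compared literally."""
    rows = conn.execute("SELECT host FROM diag_requests WHERE requested_by = ?", (user,)).fetchall()
    return [r[0] for r in rows]

def demo_sql():
    """Constructed data: two recorded requests, then a lookup with a
    delimiter-laden value that concatenation would have turned into syntax."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE diag_requests(host TEXT, requested_by TEXT)")
    record_request(conn, "example.com", "alice")
    record_request(conn, "db.example.net", "bob")
    return find_requests_by_user(conn, "alice"), find_requests_by_user(conn, "' OR '1'='1")

if __name__ == "__main__":
    probe = "example.com; id"          # constructed input carrying a delimiter
    print(vulnerable_command(probe), "->", shell_separators(vulnerable_command(probe)))
    try:
        hardened_command(probe)
    except ValueError as err:
        print("rejected:", err)
    print(hardened_command("example.com"))
    print(demo_sql())
```

The argv list and the bound parameter are the "type conversion" the page recommends: in both cases the external value travels as data through an interface that has no delimiter grammar, so the whitelist check becomes defence in depth rather than the only barrier. The same structure applies to the page's "limit program privileges" item, since run_hardened inherits whatever account the application runs as.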
Attack Motivation-Consequences
Run Arbitrary Code
Information Leakage
Injection Vector
Malicious input delivered by appending delimiters to standard input.
Payload
Command(s) appended to valid parameters to enable the attacker to execute commands on the host.
Activation Zone
Client machine and client network
Payload Activation Impact
Enables the attacker to execute server-side code with any commands that the program owner has privileges to run.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.