Home > CAPEC List > CAPEC-88: OS Command Injection (Version 2.6)  

CAPEC-88: OS Command Injection

 
OS Command Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 88
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Attack Execution Flow

Explore
  1. Identify inputs for OS commands:

    The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.

    env-Local env-CommProtocol env-Peer2Peer env-ClientServer
    2

    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.

    env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web
    3

    Induce errors to find informative error messages

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The target software accepts connections via the network.

    env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer

    Outcomes

    IDTypeOutcome Description
    1Success
    Operating environment (operating system, language, and/or middleware) is correctly identified.
    2Inconclusive
    Multiple candidate operating environments are suggested.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
    2Preventative
    Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
    3Detective
    Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
  2. Survey the Application:

    The attacker surveys the target application, possibly as a valid and authenticated user

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Spidering web sites for all available links

    env-Web
    2

    Inventory all application inputs

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Attacker develops a list of valid inputs

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker develops a list of likely command delimiters.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2Detective
    Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
    3Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
    4Detective
    Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Experiment
  1. Vary inputs, looking for malicious results.:

    Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

    env-CommProtocol env-Web env-Peer2Peer env-ClientServer
    2

    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Inventorying in prior step is successful.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Exploit
  1. Execute malicious commands:

    The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

    env-All
    2

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

    env-All
    3

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Make commonly exploited administrative tools log their execution.
    2Preventative
    Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.)
+ Attack Prerequisites
  • User controllable input used as part of commands to the underlying operating system.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields.

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances

Description

A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.

An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.

Related Vulnerabilities

A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line.

This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.

+ Solutions and Mitigations

Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.

Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands

All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Bypass protection mechanism
Confidentiality
Read application data
+ Injection Vector

User-controllable input used as part of operating system commands

+ Payload

Operating system commands injected by the attacker, intended to escalate privilege or divulge information

+ Activation Zone

Underlying operating system hosting the exploited application.

+ Payload Activation Impact

Description

The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.88.1] "Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection". Secunia Advisories. Secunia. September 20, 2005. <http://secunia.com/advisories/16869/>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

Page Last Updated: July 23, 2014