| Attack Pattern ID | 88 |
| Pattern Abstraction | Standard |
| Typical Severity | High |
| Description | Summary: An attacker can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system. |
| Attack Execution Flow | |
Explore
Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
Attack Step Techniques

| Description | Environments |
|---|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. | env-Local env-CommProtocol env-Peer2Peer env-ClientServer |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system. | env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web |
| Induce errors to find informative error messages | env-All |
Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c88s1i1 | Positive | The target software accepts connections via the network. | env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer |
Outcomes

| ID | Type | Description |
|---|---|---|
| c88s1o1 | Success | Operating environment (operating system, language, and/or middleware) is correctly identified. |
| c88s1o2 | Inconclusive | Multiple candidate operating environments are suggested. |
Security Controls

| ID | Type | Description |
|---|---|---|
| c88s1s1 | Preventative | Provide misleading information in TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). |
| c88s1s2 | Preventative | Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. |
| c88s1s3 | Detective | Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. |

Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user.
Attack Step Techniques

| Description | Environments |
|---|---|
| Spidering web sites for all available links | env-Web |
| Inventory all application inputs | env-All |
Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c88s2i1 | Positive | Attacker develops a list of valid inputs | env-All |
Outcome

| ID | Type | Description |
|---|---|---|
| c88s2o1 | Success | The attacker develops a list of likely command delimiters. |
Security Controls

| ID | Type | Description |
|---|---|---|
| c88s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
| c88s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. |
| c88s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. |
| c88s2s4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
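
One way to implement the two detective controls c88s2s1 (request velocity) and c88s2s2 (hidden honeypot links) as an offline check over web server logs. This is an added example and not part of the CAPEC entry; the log lines, the honeypot path `/.hidden/crawler-trap` and the thresholds are constructed for illustration. Because combined-format timestamps carry whole seconds, the scanner in the sample walks the site once per second rather than every 0.8 s as in the description; the regularity test works the same way.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Combined-format access log lines, constructed for this example: one scanner
# walking the site once per second, one human browsing at irregular intervals,
# and one client that fetched the honeypot link.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /about HTTP/1.1" 200 734',
    '203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /login HTTP/1.1" 200 910',
    '203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /search?q=a HTTP/1.1" 200 1203',
    '203.0.113.7 - - [10/Oct/2023:10:00:04 +0000] "GET /export HTTP/1.1" 403 233',
    '203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /admin HTTP/1.1" 404 198',
    '198.51.100.23 - - [10/Oct/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2023:10:00:47 +0000] "GET /about HTTP/1.1" 200 734',
    '198.51.100.23 - - [10/Oct/2023:10:02:15 +0000] "GET /login HTTP/1.1" 200 910',
    '198.51.100.23 - - [10/Oct/2023:10:02:33 +0000] "POST /login HTTP/1.1" 302 -',
    '198.51.100.23 - - [10/Oct/2023:10:04:50 +0000] "GET /account HTTP/1.1" 200 2048',
    '192.0.2.55 - - [10/Oct/2023:10:03:10 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.55 - - [10/Oct/2023:10:03:12 +0000] "GET /.hidden/crawler-trap HTTP/1.1" 200 64',
]

# Honeypot path (c88s2s2): linked from pages but invisible to a human. Assumed name.
HIDDEN_PATHS = {"/.hidden/crawler-trap"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"]}


def analyse(lines, max_median_gap=2.0, max_cv=0.25, min_requests=5):
    """Return {ip: [reasons]} for clients whose traffic looks automated.

    c88s2s1: flag a client with at least min_requests requests whose median
    inter-request gap is at most max_median_gap seconds and whose gaps are
    regular (coefficient of variation at most max_cv).
    c88s2s2: flag any client that requested a hidden path.
    Thresholds are illustrative; tune them against real traffic.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if any(r["path"] in HIDDEN_PATHS for r in recs):
            flagged[ip].append("requested hidden link")
        if len(recs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            median = statistics.median(gaps)
            mean = statistics.fmean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if median <= max_median_gap and cv <= max_cv:
                flagged[ip].append(f"regular fast requests (median {median:.1f}s, cv {cv:.2f})")
    return dict(flagged)


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The honeypot test needs no minimum request count: a single hit on a path no browser renders is evidence on its own, which is why the two-request client is flagged while the five-request human is not.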
Experiment
Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application.
Attack Step Techniques

| Description | Environments |
|---|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) | env-CommProtocol env-Web env-Peer2Peer env-ClientServer |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) | env-Web |
Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c88s3i1 | Positive | Inventorying in prior step is successful. | env-All |
Outcome

| ID | Type | Description |
|---|---|---|
| c88s3o1 | Success | One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input. |

Exploit
Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
Attack Step Techniques

| Description | Environments |
|---|---|
| The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). | env-All |
Outcome

| ID | Type | Description |
|---|---|---|
| c88s4o1 | Success | The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity. |
Security Controls

| ID | Type | Description |
|---|---|---|
| c88s4s1 | Preventative | Make commonly exploited administrative tools log their execution. |
| c88s4s2 | Preventative | Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance). |

| Attack Prerequisites | User controllable input used as part of commands to the underlying operating system. |
| Typical Likelihood of Exploit | High: There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields. |
| Methods of Attack | |
| Examples-Instances | Description: A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line. An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.
Related Vulnerability: A vulnerability in the Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system. The vulnerability is caused by the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4). |
| Attacker Skill or Knowledge Required | High: The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform. |
| Resources Required | |
| Solutions and Mitigations | - Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.
- Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands.
- All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.
|
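
The transaction-processing and Firefox backtick cases under Examples-Instances, and the first two mitigations listed above, in working code. This is an added example, not code from the CAPEC entry or from any of the systems it mentions: the record-id lookup, the `echo` stand-in for the command-line tool, and the record-id allowlist are all assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the transaction system in the example: the
# application hands a record id to a command-line tool. The "tool" is plain
# echo so the example runs anywhere with /bin/sh and /bin/echo; a real
# deployment would be invoking something with far more reach.


def lookup_vulnerable(record_id: str) -> str:
    """CWE-78 pattern: user input spliced into a string that /bin/sh parses.

    Anything the shell treats as syntax in record_id (';', '|', '&&',
    '$(...)', backticks, newlines) becomes part of the command, which is
    exactly the backtick-in-URL problem in the Firefox launcher script.
    """
    cmd = f"echo lookup {record_id}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(record_id: str) -> str:
    """Mitigation 1: call the language API with an argv list, no shell.

    Each list element reaches the program as one argument; metacharacters
    are ordinary bytes because nothing re-parses the string.
    """
    return subprocess.run(["echo", "lookup", record_id],
                          capture_output=True, text=True).stdout


def lookup_quoted(record_id: str) -> str:
    """If a shell is unavoidable, quote for it instead of filtering by hand.

    shlex.quote() wraps the value in single quotes (escaping embedded ones)
    so the shell receives it as a single literal word.
    """
    cmd = f"echo lookup {shlex.quote(record_id)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Mitigation 2: allowlist validation of the input. Reject rather than strip:
# stripping ';' from "TX-1;id" still leaves the attacker choosing the argument.
# The record-id format is an assumption for this example.
RECORD_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_record_id(value: str) -> bool:
    return RECORD_ID_RE.fullmatch(value) is not None


def lookup_hardened(record_id: str) -> str:
    """Both mitigations together: validate first, then call without a shell."""
    if not is_valid_record_id(record_id):
        raise ValueError(f"rejected record id: {record_id!r}")
    return lookup_argv(record_id)


# Experiment-step helper: which shell delimiters does a probe carry? Useful
# for building test inputs and as a cheap detective check on request logs.
SHELL_DELIMITERS = (";", "|", "&", "`", "$(", "\n")


def find_delimiters(value: str):
    return [d for d in SHELL_DELIMITERS if d in value]


if __name__ == "__main__":
    for payload in ("TX-1", "TX-1; echo INJECTED", "TX-1`echo INJECTED`"):
        print("payload:   ", repr(payload), "delimiters:", find_delimiters(payload))
        print("vulnerable:", repr(lookup_vulnerable(payload)))
        print("argv:      ", repr(lookup_argv(payload)))
        print("quoted:    ", repr(lookup_quoted(payload)))
        try:
            print("hardened:  ", repr(lookup_hardened(payload)))
        except ValueError as exc:
            print("hardened:  ", exc)
```

Running it shows the difference in one screen: the vulnerable path prints a second line or the substituted `INJECTED` text, while the argv and quoted paths print the payload back verbatim, delimiters included. Run the process under a low-privilege account as well; the third mitigation above bounds what a successful injection can do when the first two fail.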
| Attack Motivation-Consequences | - Run Arbitrary Code
- Privilege Escalation
- Information Leakage
|
| Context Description | Most modern applications are written using the J2EE or .NET managed platforms. These platforms provide a fairly robust mechanism to protect against code inadvertently accessing parts of the underlying system that it should not. However, two chief factors work against the eradication of OS command injection. The first relates to the use of native code and libraries: the only way for any managed platform to access this functionality is by calling into the underlying operating system. The second relates to the prevalence of unmanaged code, such as Perl, used to create applications. Perl, for example, is the language of choice when programming using CGI; it is unmanaged and gives the programmer easy mechanisms for calling the underlying operating system commands. This problem is exacerbated by the fact that such calls into the operating system are made with far higher privileges than required, thus leading to additional damage. Since input validation is an art not yet perfected, opportunities abound for attackers to abuse applications and execute commands on the underlying operating system. |
| Injection Vector | User-controllable input used as part of operating system commands |
| Payload | Operating system commands injected by the attacker, intended to escalate privilege or divulge information |
| Activation Zone | Underlying operating system hosting the exploited application. |
| Payload Activation Impact | The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application. |
| Related Weaknesses | |

| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 78 | Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') | Targeted |
| 88 | Argument Injection or Modification | Secondary |
| 20 | Insufficient Input Validation | Secondary |

| Related Security Principles | - Least Privilege
- Reluctance To Trust
|
| Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
|
| Purpose | Penetration Exploitation |
| CIA Impact | |

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| High | High | High |

| Technical Context | |

| Architectural Paradigm | Framework | Platform | Language |
|---|---|---|---|
| All | All | All | All |

| References | Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection |
| Source | |

Submission(s)

| Submitter | Organization | Date | Comment |
|---|---|---|---|
| Chiradeep B. Chhaya | | 2007-03-16 | First Draft |

Modification(s)

| Modifier | Organization | Date | Comment |
|---|---|---|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |