Home > CAPEC List > CAPEC-88: OS Command Injection (Version 2.11)  

CAPEC-88: OS Command Injection

OS Command Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 88
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

+ Attack Steps
  1. Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.

    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.

    Induce errors to find informative error messages

  2. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

    Spidering web sites for all available links

    Inventory all application inputs

  1. Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application

    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

  1. Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

    The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

+ Attack Prerequisites
  • User controllable input used as part of commands to the underlying operating system.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: High

There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields.

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances


A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.

An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.

Related Vulnerabilities

A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line.

This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.

+ Solutions and Mitigations

Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.

Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands

All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Execute unauthorized code or commands
Run Arbitrary Code
Gain privileges / assume identity
Bypass protection mechanism
Read application data
+ Injection Vector

User-controllable input used as part of operating system commands

+ Payload

Operating system commands injected by the attacker, intended to escalate privilege or divulge information

+ Activation Zone

Underlying operating system hosting the exploited application.

+ Payload Activation Impact

The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ References
[R.88.1] "Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection". Secunia Advisories. Secunia. September 20, 2005. <http://secunia.com/advisories/16869/>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017