An attacker can leverage OS command injection in an application to elevate
privileges, execute arbitrary commands and compromise the underlying
operating system.
Attack Execution Flow

Explore

Identify inputs for OS commands:
The attacker determines user-controllable input that gets passed as part of a command to the underlying operating system.

Attack Step Techniques (ID, description, environments):
1. Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
2. TCP/IP fingerprinting. The attacker uses various software to make connections or partial connections and observes idiosyncratic responses from the operating system. Using those responses, the attacker attempts to guess the actual operating system.

Outcomes (ID, type, description):
1. Success: Operating environment (operating system, language, and/or middleware) is correctly identified.
2. Inconclusive: Multiple candidate operating environments are suggested.
Security Controls (ID, type, description):
1. Preventative: Provide misleading information in TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
2. Preventative: Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
3. Detective: Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application:
The attacker surveys the target application, possibly as a valid and authenticated user.

Attack Step Techniques (ID, description, environments):
1. Spidering web sites for all available links. [env-Web]
2. Inventory all application inputs. [env-All]

Indicators (ID, type, description, environments):
1. Positive: Attacker develops a list of valid inputs. [env-All]

Outcomes (ID, type, description):
1. Success: The attacker develops a list of likely command delimiters.

Security Controls (ID, type, description):
1. Detective: Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2. Detective: Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web-browsing humans but visible to spiders and programs. A request for the page then becomes a good predictor of an automated tool probing the application.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
4. Detective: Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
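The velocity and hidden-link controls above (controls 1 and 2), as an added example that is not part of the CAPEC entry: a small Python detector run over constructed access-log lines in Common Log Format. The log lines, the client addresses, the trap path `/.hidden/catalog.html` and the thresholds (mean gap of at most 2 seconds with a coefficient of variation of at most 0.25 over at least 5 requests) are assumptions chosen for the demonstration, not values from the page.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format); these lines are made up
# for this example. 203.0.113.7 fetches a page every second, 198.51.100.23
# browses at a human pace, and 192.0.2.55 requests the hidden trap link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2009:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2009:13:55:37 +0000] "GET /about HTTP/1.1" 200 734
203.0.113.7 - - [10/Oct/2009:13:55:38 +0000] "GET /login HTTP/1.1" 200 611
203.0.113.7 - - [10/Oct/2009:13:55:39 +0000] "GET /search HTTP/1.1" 200 890
203.0.113.7 - - [10/Oct/2009:13:55:40 +0000] "GET /help HTTP/1.1" 200 455
203.0.113.7 - - [10/Oct/2009:13:55:41 +0000] "GET /contact HTTP/1.1" 200 402
198.51.100.23 - - [10/Oct/2009:13:55:30 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2009:13:55:52 +0000] "GET /about HTTP/1.1" 200 734
198.51.100.23 - - [10/Oct/2009:13:56:41 +0000] "GET /login HTTP/1.1" 200 611
198.51.100.23 - - [10/Oct/2009:13:56:49 +0000] "GET /search HTTP/1.1" 200 890
198.51.100.23 - - [10/Oct/2009:13:58:03 +0000] "GET /help HTTP/1.1" 200 455
198.51.100.23 - - [10/Oct/2009:13:58:10 +0000] "GET /contact HTTP/1.1" 200 402
192.0.2.55 - - [10/Oct/2009:14:02:11 +0000] "GET /.hidden/catalog.html HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed trap path: linked only from markup a browser does not render, so a
# request for it is a strong indicator of a spider (security control 2).
HONEYPOT_PATHS = {"/.hidden/catalog.html"}


def parse_log(text):
    """Group (timestamp, path) events per client address, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events[m.group("ip")].append((ts, m.group("path")))
    for evs in events.values():
        evs.sort()
    return events


def gap_stats(timestamps):
    """Mean inter-request gap in seconds and its coefficient of variation."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if not gaps:
        return float("inf"), 0.0  # a single request carries no velocity signal
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return mean, cv


def flag_automated(text, min_requests=5, max_mean_gap=2.0, max_cv=0.25):
    """Return {ip: [reasons]} for clients whose behaviour looks automated."""
    flagged = {}
    for ip, evs in parse_log(text).items():
        reasons = []
        if any(path in HONEYPOT_PATHS for _, path in evs):
            reasons.append("requested hidden trap link")
        if len(evs) >= min_requests:
            mean, cv = gap_stats([ts for ts, _ in evs])
            # Fast and regular: a low mean gap with little spread between gaps.
            if mean <= max_mean_gap and cv <= max_cv:
                reasons.append(f"fast, regular fetching (mean gap {mean:.2f}s, cv {cv:.2f})")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_automated(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The regularity test matters as much as the speed test: a human on a fast connection can also produce a short mean gap, but the spacing between a human's clicks varies far more than a tool's fixed delay, which is what the coefficient of variation captures. Thresholds need tuning per application; a single honeypot hit is the higher-confidence signal.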
Experiment

Vary inputs, looking for malicious results:
Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application.

Attack Step Techniques (ID, description, environments):
1. Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.). [env-Web]

Indicators (ID, type, description, environments):
1. Positive: Inventorying in the prior step is successful. [env-All]

Outcomes (ID, type, description):
1. Success: One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input.
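The delimiter-injection step above, as an added example that is not part of the CAPEC entry: a Python harness that sends a baseline input and then the baseline plus each POSIX sh delimiter wrapped around a marker command, and classifies the response. The target it drives is a constructed, deliberately vulnerable function that concatenates input into a shell string (the pattern this entry describes, not code from the page), shown next to a hardened argv-based counterpart. The marker command, the delimiter table and both target functions are assumptions made for the demonstration.

```python
import subprocess

# Constructed, deliberately vulnerable target (not code from the page): the
# caller's input is concatenated into a shell command string, so /bin/sh
# parses any delimiters the input contains.
def vulnerable_echo(user_input: str) -> str:
    proc = subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Hardened counterpart for comparison: an argv list with no shell involved,
# so the input reaches echo as one literal argument.
def safe_echo(user_input: str) -> str:
    proc = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return proc.stdout


# The marker command's *output* ("5555") never appears in the payload text,
# so a payload that is merely reflected cannot be mistaken for execution.
MARKER_CMD = "echo $((1234+4321))"
MARKER_OUT = "5555"

# Delimiters and substitutions a POSIX sh honours. A cmd.exe table (& && |
# || and %VAR% expansion) would be a separate set chosen from fingerprinting.
POSIX_DELIMITERS = {
    ";":        "; " + MARKER_CMD,
    "&&":       " && " + MARKER_CMD,
    "||":       " || " + MARKER_CMD,
    "|":        " | " + MARKER_CMD,
    "newline":  "\n" + MARKER_CMD,
    "backtick": " `" + MARKER_CMD + "`",
    "$()":      " $(" + MARKER_CMD + ")",
}


def probe(target, baseline="hello", delimiters=POSIX_DELIMITERS):
    """Send the baseline, then baseline plus each delimiter/marker pair, and
    classify the target's response for every delimiter."""
    base_out = target(baseline)
    results = {}
    for name, suffix in delimiters.items():
        payload = baseline + suffix
        try:
            out = target(payload)
        except Exception as exc:  # a crash is itself a signal worth recording
            results[name] = "error: " + type(exc).__name__
            continue
        if MARKER_OUT in out:
            results[name] = "executed"          # marker command ran
        elif payload in out:
            results[name] = "reflected literally"  # treated as plain data
        elif out != base_out:
            results[name] = "response changed"  # candidate for blind injection
        else:
            results[name] = "no change"
    return results


if __name__ == "__main__":
    for name, status in probe(vulnerable_echo).items():
        print(f"vulnerable {name:>8}: {status}")
    for name, status in probe(safe_echo).items():
        print(f"safe       {name:>8}: {status}")
```

Two details are worth noticing in the output. `||` reports "no change" against the vulnerable target even though the input was injected, because the marker only runs when the left-hand command fails; a tester would retry it with a baseline that makes the original command fail. And the hardened target reports every payload as "reflected literally", which is the behaviour the argv form guarantees: the shell never sees the input. Against a real application the same loop would be pointed at an HTTP parameter through a proxy, as the technique row above describes, rather than at a local function.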
Exploit

Execute malicious commands:
The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.

Attack Step Techniques (ID, description, environments):
1. The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). [env-All]
Outcomes (ID, type, description):
1. Success: The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity.

Security Controls (ID, type, description):
1. Preventative: Make commonly exploited administrative tools log their execution.
2. Preventative: Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance).
Attack Prerequisites
User controllable input used as part of commands to the underlying
operating system.
Typical Likelihood of Exploit
Likelihood: High
There is high motivation for the attacker to seek out and discover
opportunities for this attack due to the power it yields.
Methods of Attack
Injection
API Abuse
Examples-Instances
Description
A transaction processing system relies on code written in a number of
languages. To access this functionality, the system passes transaction
information on the system command line.
An attacker can gain access to the system command line and execute
malicious commands by injecting these commands in the transaction data.
If successful, the attacker can steal information, install backdoors and
perform other nefarious activities that can compromise the system and
its data.
Related Vulnerabilities
A vulnerability in Mozilla Firefox 1.x browser allows an attacker
to execute arbitrary commands on the UNIX/Linux operating
system.
The vulnerability is caused due to the shell script used to launch
Firefox parsing shell commands that are enclosed within backticks in
the URL provided via the command line.
This can be exploited to execute arbitrary shell commands by
tricking a user into following a malicious link in an external
application which uses Firefox as the default browser (e.g. the mail
client Evolution on Red Hat Enterprise Linux 4).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of the platform-specific shell syntax (command delimiters, quoting rules and substitution operators) for the target.
Solutions and Mitigations
Use language APIs rather than relying on passing data to the operating system shell or command line (for example, invoke the program directly with an argument vector instead of through a shell). Doing so ensures that the available protection mechanisms in the language are intact and applicable.
Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands. Prefer an allowlist of the exact values or format the input is expected to have over a denylist of known-bad characters, and treat arguments beginning with "-" as suspect, since the invoked program may interpret them as options even when no shell is involved.
All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.
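The first two mitigations above, as an added example that is not part of the CAPEC entry: a "ping a host" feature written in Python, once in the vulnerable shell-string shape and once in the hardened form that validates the value against an allowlist and then builds an argument vector for `subprocess.run` with the default `shell=False`. The `ping` command line, the hostname grammar and the function names are assumptions for the demonstration; `shlex.quote` is shown for the case where a shell genuinely cannot be avoided.

```python
import ipaddress
import re
import shlex
import subprocess

# Allowlist grammar for a DNS name (RFC 1123 labels). It admits no shell
# metacharacters and no leading "-", so a value cannot become an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(host: str) -> str:
    """Accept an IPv4/IPv6 literal or a plain DNS name; raise on anything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


# Vulnerable shape (the pattern this entry describes): a shell string built
# from user input. It is returned rather than run so the difference is visible.
def ping_command_vulnerable(host: str) -> str:
    return "ping -c 1 " + host


# Hardened shape: validate, then build an argv list. subprocess.run(argv)
# with the default shell=False passes the host straight to execve(), so no
# shell ever parses it; the allowlist also blocks option injection ("-f").
def ping_argv(host: str) -> list:
    return ["ping", "-c", "1", validate_host(host)]


# If a shell is unavoidable (e.g. a pipeline), quote each value so sh sees
# exactly one word. Validation still comes first; quoting is the second layer.
def ping_command_quoted(host: str) -> str:
    return "ping -c 1 " + shlex.quote(validate_host(host))


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (not exercised by the tests)."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    evil = "127.0.0.1; cat /etc/passwd"  # constructed attacker input
    print("shell string the attacker would control:", ping_command_vulnerable(evil))
    try:
        ping_argv(evil)
    except ValueError as err:
        print("hardened form refused it:", err)
    print("hardened argv for a good value:", ping_argv("example.com"))
```

Validation before argv construction is the important ordering: the argument vector stops the shell from splitting the value, but it does not stop the called program from interpreting a value such as `-f` as a flag, which is why the allowlist rejects a leading hyphen rather than relying on escaping alone. The same structure applies to any other external tool the application invokes.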
Attack Motivation-Consequences
Run Arbitrary Code
Privilege Escalation
Information Leakage
Injection Vector
User-controllable input used as part of operating system commands
Payload
Operating system commands injected by the attacker, intended to escalate
privilege or divulge information
Activation Zone
Underlying operating system hosting the exploited application.
Payload Activation Impact
The injected OS commands are interpreted by the shell, causing them to be
executed under the privileges of the process running the exploited
application.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.