Command (shell) injection example

examples speak louder than explanations!

e.g., a web-based CGI program allows users to change their passwords -> this program has a command to rebuild some password records by running the make command in the /var/yp directory:

system("cd /var/yp && make &> /dev/null");

unlike the previous examples, the command is hardcoded, so an attacker cannot control the argument passed to system(). seems safe, right? nuh-uh :)

key vulnerabilities:

program does not specify an absolute path for make, and does not scrub any environment variables prior to invoking the command

->

attacker can modify their $PATH to point to a malicious version of make, therefore their malicious version of make is executed instead of the intended /usr/bin/make

setuid root runs with root privileges, even if a regular user runs it. so, malicious version of make now runs with root privileges

btw, using Java at this point is more safe

Runtime.getRuntime().exec("cd /var/yp && make");

and here is why:

Runtime.exec does NOT try to invoke the shell at any point: it tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters

therefore, it does not go through chaining commands using “&”, “&&”, “|”, “||”, etc, redirecting input and output and any mischief would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter

https://bit.ly/4a2jHiK - 🌍 Zyxel has issued a security advisory for multiple vulnerabilities in their NAS products, specifically addressing an authentication bypass and several command injection issues. The vulnerabilities, identified by CVE numbers CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, and CVE-2023-4474, pose significant risks to system security. Users are strongly advised to update their devices with the latest patches provided by Zyxel for enhanced protection. #CyberSecurity #ZyxelNAS #VulnerabilityUpdate 🔒 The identified vulnerabilities vary in their nature and potential impact. They range from improper authentication in the authentication module (CVE-2023-35137) to several command injection vulnerabilities in different components of Zyxel NAS devices (CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474). These vulnerabilities could allow both unauthenticated and authenticated attackers to execute operating system commands, leading to possible unauthorized access and control. #NetworkSecurity #CommandInjection #AuthenticationBypass 🔎 Affected Zyxel NAS models include NAS326 and NAS542, with specific firmware versions listed as vulnerable. Users of these models should refer to the advisory for the appropriate firmware patches. Zyxel’s proactive approach in identifying and addressing these issues reflects their commitment to customer security and product integrity. #FirmwareUpdate #NASsecurity #ZyxelAdvisory 💡 The discovery of these vulnerabilities was made possible thanks to the efforts of security researchers Maxim Suslov, Attila Szász from BugProve, and Drew Balfour from IBM X-Force. Their contributions underscore the importance of collaborative security research in identifying and mitigating potential cyber threats. #CyberResearch #CollaborativeSecurity #ThreatIntelligence 📅 As of November 30, 2023, Zyxel has released the initial advisory with detailed information on the vulnerabilities and the available patches. Users are encouraged to contact their local service representatives or visit Zyxel’s Community for additional information and support in addressing these security concerns.

DVWA Tutorial #3 - Command Injection

This method or attack is the most severe and common form of attack according to the OWASP Top 10 list. It is also perhaps the most interesting attack I’ve ever done from my limited experience. A quick definition from OWASP follows:

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

1. Probing

So the DVWA command injection page looks like this:

(Note: the links in the More Information section are REALLY helpful).

So quickly testing with a valid IP address:

And with an invalid address:

I also tried inputing nothing and pressing submit:

So this this shows that the application simply passes our input as an argument to the console command ping. i.e. it executes “ping [input]” and we see that output of our command in red.  If it doesnt work, then nothing happens.

2. Chaning Commands

We can execute more commands after our input by chaining them. Different operating systems will use different characters to chain. In linux, we can use ‘;’ to make commands run sequenctially or ‘&’  to make a command run in te background, In Windows, we can simply use ‘&’. If ‘;’ doesnt work, then we can conclude that the OS is Windows and vice versa.

3. Command Injection Attack

Basically, if the app doesn’t have any delimeter or character bans (to prevent ';' '&' or '|') then we can simply trick the app to continue executing any of the commands we want.  

So a basic attack string would be

127.0.0.1 & hostname

Now it turns out you can run basically anything according to the OS. A bunch of other commands I tried was cd, dir, mkdir, del, echo, more, ipconfig, find, and whoami?

This was the output after making a directory called ‘hello’:

It was also interesting to see that localhost and ::1 were valid ping adresses. But I am no computer expert so I have no idea why these are valid.

OS Command Injection

Testing OS Command Injection

OS Command Injection is one of my favorite vulnerabilities to find, because typically it allows you to perform any action you choose on the vulnerable server. I see this most commonly in PHP websites on LINUX/UNIX but Perl can also be susceptible. I assume windows machines can be susceptible as well, but I would be curious to see if anyone has seen this in the wild... let me know in the comments below.

Risk

The risk is virtually unlimited with this vulnerability and is left to the creativity of the attacker, they can likely execute any command they desire on the vulnerable machine including reading the shadow file, executing a reverse shell or SSH daemon. Any data on the machine can be captured and the web server can be used in a pivot attack to attack any other server on the local network or VLAN.

Testing

To test for OS command injection the goal is to break out of the web application and execute a shell command on the underlying operating system. I will typically try entering very simple linux commands like:

;ls

or

;echo 76598

By using one of these commands I can quickly identify whether I have been successful escaping the application. If you get errors, read through the error and see if you can come up with a way to circumvent whatever is preventing the execution, you may just need to encode the above strings as URL or HTML to get around weak input validation.

I also look for functions that are easily performed on the linux OS like the whois command in the example below... these can be obvious targets. Once you get a command to execute, now you can send any command you like to prove your point, usually cat /etc/passwd will suffice.

Example

The following test website can be used to understand this vulnerability:

http://www.webscantest.com/osrun/whois.php

Here we find a website that provided whois lookups for IP Addresses:

While this actual website provides no client-side input validation on this form, we are going to assume it does so that we can illustrate testing to a better degree. So let's assume we get an error when pressing the lookup button after entering one of our test strings.

Next we utilize a local proxy to intercept the HTTP Request for a valid request and modify the HTTP Request itself:

We will change:

POST /osrun/whois.php HTTP/1.1 Host: www.webscantest.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://www.webscantest.com/osrun/whois.php Cookie: TEST_SESSIONID=40er9ao4b7rilr2o9s65gp4fp4; NB_SRVID=srv140700 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 27 domain=4.2.2.1

To:

POST /osrun/whois.php HTTP/1.1 Host: www.webscantest.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://www.webscantest.com/osrun/whois.php Cookie: TEST_SESSIONID=40er9ao4b7rilr2o9s65gp4fp4; NB_SRVID=srv140700 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 27 domain=4.2.2.1%3Becho+76598

Now when we search the page source for our string we see that we have gotten just the string back, indicating that our echo command was successful:

Now that we know we can execute commands lets try something a little more useful:

;cat /etc/passwd

This now lists all users on the machine and their login capabilities:

we can also see what applications we have at our disposal and attempt to run root level apps by running a list of the bin and sbin directories:

;ls /bin;ls/sbin

Like I said, what you can do is now limited to the creativity of the attacker.

Remediation

So how to we protect or prevent this vulnerability? it can either be prevented programmatically, or using a Web Application Firewall.

Programmatically

This is your basic input validation vulnerability. To prevent these types of attacks server-side input validation must take place on all form fields, and restrict all malicious meta characters, it is likely going to be more effective to allow all acceptable meta characters than try to restrict bad ones. Or better yet use API calls instead if the program is architected in this way.

Web Application Firewall (WAF)

It is important to note that your stateful network firewall, also called a firewall, offers you no protection here, none. if you hope to protect your application from application layer threats you will have to utilize a web application firewall (WAF) like Imperva Incapsula. A WAF will inspect HTTP and HTTPS requests for known vulnerabilities, including XSS, SQL Injection, Command Injection and a number of others. Web application firewalls are an excellent way of protecting your website from application layer attacks.

Cisco Addressed Multiple High-Risk Vulnerabilities In SD-WAN Solution #arbitrarycodeexecution #arbitrarycommands #bug #cisco #ciscopatches #ciscosd-wansolution #commandinjection #flaw #localprivilegeescalation #privilegeescalation #sd-wansolution #sd-wansolutionvulnerability #unauthenticatedaccess #unauthorisedremoteaccesscisco #userauthentication #vulnerability #hacking #hacker #cybersecurity #hack #ethicalhacking #hacknews

Command Injection

CommandInjection

Bu uygulama örneğinde, DVWA adlı web uygulamasının içerisinde bulunan bir sayfanın güvenlik zafiyetinden faydalanarak CommandInjection saldırısı gerçekleştirilmiştir. İlgili uygulamanın senaryosu, hedef sistemin zafiyet bulunan sayfasına “HackedByScriptKiddies” yazısını yazdırma işlemidir.

Uygulamaya Hazırlık

Uygulamanın gerçekleştirilmesinden önce bahsi geçen programın…

View On WordPress

A commandinjection vulnerability exists in a web application on a customb

SNPX.com : http://dlvr.it/NcWQTp

Kioptrix 1.1 CTF DONE #vulnhub #infosec #hacking #ctf #cybersecurity #SQLI #kali #kioptrix Segunda máquina de la serie Kioptrix vulnerada!. Aquí teneís la guía de explotación espero que os guste.

Command (shell) injection

involves execution of arbitrary commands on the host operating system via a vulnerable application

applies to most systems which allow software to o programmatically execute a command line

examples speak louder than explanations!

vulnerable tcsh script looks as follows:

# !/bin/tcsh

# check arg outputs it matches if arg is one

if ($1 == 1) echo it matches

the script does not properly validate input argument: tsch interprets everything within the parentheses () as part of the if statement

so it is possible to run the following script:

./check "1 ) evil "

if statement now is:

if (1 ) evil == 1)

which is invalid syntax in normal scenario, however! because of shell parsing quirks it will execute evil command:

tcsh stops processing the if condition at the first syntax it recognises as complete (in our case, if (1 ))

then it sees evil as a standalone command (because it is separated from the if statement by parethesis) and interprets is as an executable command

! any function that can be used to compose and run a shell command is a potential vehicle for launching a shell injection attack e. g. :

system(), StartProcess(), System.Diagnostics.Process.Start().

https://bit.ly/3Op1x2F - 🔎 Sternum recently reverse-engineered the Wemo Mini Smart Plug V2, a popular device aiding users in remote control of electric devices. A buffer overflow vulnerability, coined as the 'FriendlyName', was discovered which could potentially be used for remote command injection. #Wemo #SmartPlug #CyberSecurity 🔧 Gaining firmware access to the device was a challenge, but through booting into recovery mode and changing the root password, Sternum gained system access. Various tools were then uploaded to the device for debugging purposes. #Firmware #Debugging 🐞 The 'FriendlyName' vulnerability was pinpointed after bypassing app restrictions and identifying the processes handling this variable. However, uncovering the exact source of heap metadata corruption required more in-depth analysis. #Vulnerability #HeapCorruption 🎯 The breaking point was identified via a gdb script tracking down the bug causing heap corruption. Observing the $pc pointer's behaviour during an overflow incident shed light on the potential exploitation of the vulnerability. #Exploit #ROPchains 💻 Sternum exploited the vulnerability using a binary exploitation technique known as ROP chains. Despite limitations due to the Wemo_ctrl loading address and the 80-byte payload size, a successful command injection was achieved through the snprintf() function. #BinaryExploitation #CommandInjection 📬 Sternum disclosed the vulnerability to Belkin via Bugcrowd on January 9th, 2023. However, Belkin responded stating that the device is at the end of its life and will not address the vulnerability. This leaves a potential attack vector open via the Wemo infrastructure. #Disclosure #SecurityAdvisory ⚠️ Users are advised to exercise caution when using Wemo Mini Smart Plug V2 due to the unaddressed 'FriendlyName' vulnerability.

Navigation

Introduction

Description of method

Explanation of the technological principles (techniques) Examples Detailed description of possible security approaches and solutions Examples of two real-life cases and technical/financial/etc. damages Statistical information, comparison of data from the last few years on the use of technology Demonstration/simulation using a virtual machine Choice of a blogging tool, explanation and evaluation Conclusions/Suggestions/Guidelines/Trends/Future work more specific ones on the different types of injection: #sql #sqlinjection #ldap #oscommandinjection #commandinjection #xss

‘SurfingAttack’ Uses Ultrasonic Waves to Activate Siri/Google And Take Over Mobile Devices #androidsmartphone #appleiphone #applesiri #applevoiceassistant #arbitrarycommands #audioinjection #authentication #bypassiphonelock #command #commandinjection #flaw #googleassistant #hackiphone #hackingiphonex #hackingvoiceassistant #huawei #huaweismartphones #iphone #iphone10 #iphone5 #iphone5s #iphone6 #motorolla #samsung #samsunggalaxys7 #samsungs9 #siri #smartassistant #smartcar #smartdevices #smarthomedevices #smarthomes #smartphone #smartphones #userauthentication #voicecommandinjection #voiceinjection #xiaomi #hacking #hacker #cybersecurity #hack #ethicalhacking #hacknews

Serious Vulnerabilities Impacted Ruckus Wireless Router Firmware #bug #commandinjection #firmware #firmwarevulnerability #flaw #hackedrouter #homerouter #infectedrouter #information #informationdisclosure #injection #leakedinformation #remoteattacks #remotecode #remotecodeexecution #router #routervulnerability #routers #ruckusrouterfirmwarevulnerabilities #ruckusrouterflaws #ruckusroutervulnerability #ruckusroutervulnerable #ruckusrouters #securityflaw #securityvulnerabilities #unauthenticatedaccess #usersinformation #vulnerability #wififirmware #wifinetwork #hacking #hacker #cybersecurity #hack #ethicalhacking #hacknews