#oscommandinjection
OS commands injection testing & defense
OS command injection is a vulnerability in which a web application passes unsafe user-supplied data (query parameters, form fields, cookies, HTTP headers) to a system shell, allowing an attacker to execute arbitrary operating system commands on the web server with the privileges of the application.
How to test for the issue
During code review
Check whether any command-execution methods (for example Runtime.exec, ProcessBuilder, system(), exec or popen) are called, and whether unvalidated user input ends up as part of the command or its arguments.
During dynamic testing
Appending a semicolon to the end of a URL query parameter, followed by an operating system command, will execute that command if the parameter reaches a shell. %3B is the URL-encoded form and decodes to a semicolon, which the shell interprets as a command separator. Other separators such as &, &&, |, || and a newline (%0A) behave the same way.
Example:
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
If the application responds with the content of /etc/passwd, the injection has succeeded. If command output is not echoed back, the injection may still work blind, so also watch for side effects such as a time delay (for example an injected sleep) or an outbound connection from the server. Many web application scanners test for this by injecting variations of command separators and payloads and inspecting the response.
Equally, static code analysis tools trace the flow of untrusted user input through the application and report where it reaches a dangerous method that executes it as a command.
Remediation
If a call to a system command that incorporates user-supplied data is considered unavoidable, the following two layers of defense should be used within the software to prevent attacks:
Parameterization - If available, use structured mechanisms that automatically enforce the separation between data and command, for example passing the command and each argument as separate array elements instead of building one string for a shell. These mechanisms handle the relevant quoting and encoding so that user data can never be interpreted as part of the command.
Input validation - the values for both the command and its arguments should be validated. There are different degrees of validation for the actual command and for its arguments:
The command itself must be validated against a list of allowed commands.
The arguments passed to these commands should be validated using one of the following options:
Positive or allow-list input validation - the permitted argument values are explicitly defined, and anything else is rejected.
Allow-list regular expression - an explicit list of allowed characters and a maximum string length are defined. Ensure that shell metacharacters such as & | ; $ > < \ ! ` and whitespace are not matched by the regular expression. For example, the following regular expression only allows lowercase letters and digits, contains no metacharacters, and limits the length to 3-10 characters:
^[a-z0-9]{3,10}$
Example code - Java
Incorrect Usage
ProcessBuilder b = new ProcessBuilder("C:\\DoStuff.exe -arg1 -arg2");
The command and its arguments are passed as one string. If any part of that string is built from user input and it is handed to a shell (cmd.exe /c or sh -c) or to Runtime.exec(String), which splits on whitespace, an attacker can append extra arguments or, with a separator such as ; or &, entire additional commands.
Correct Usage
import java.io.File;
import java.io.IOException;
import java.util.Map;

// Command and arguments are separate elements: each one becomes exactly one argv entry
// and no shell is involved, so metacharacters inside an argument are not interpreted.
ProcessBuilder pb = new ProcessBuilder("TrustedCmd", "TrustedArg1", "TrustedArg2");
Map<String, String> env = pb.environment();   // inherited environment; trim it here if needed
pb.directory(new File("TrustedDir"));         // run in a trusted working directory
Process p = pb.start();                       // throws IOException if TrustedCmd cannot be started
pb.directory(...) starts the process in a trusted working directory instead of inheriting the caller's.
The command and each argument are passed separately, which makes it easy to validate each term individually and removes the possibility of a value being reinterpreted as a separator or an additional command.
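A worked example of both remediation layers together, added here and not part of the original post: a POSIX variant of the dir= parameter from the testing section, first built the unsafe way (user input concatenated into a string for /bin/sh -c, so the %3B payload chains a second command) and then hardened with the allow-list regex from this post plus ProcessBuilder argument separation and an allow-list of commands. The class name DirListing, the choice of /bin/ls, the constructed inputs and the use of / as a stand-in for a trusted working directory are assumptions for illustration. Requires Java 11 or later on a POSIX system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;

public class DirListing {

    // Constructed sample inputs, as the framework would deliver them after URL decoding
    // (the %3B from the query string has already become ';').
    static final String ATTACKER_INPUT = ";cat /etc/passwd";
    static final String BENIGN_INPUT = "tmp";

    // Vulnerable: the value is concatenated into one string and handed to a shell,
    // which honours ';' as a command separator. "ls -l ;cat /etc/passwd" runs both.
    static Process listVulnerable(String dir) throws IOException {
        String cmd = "ls -l " + dir;
        return new ProcessBuilder("/bin/sh", "-c", cmd).start();
    }

    // Allow-list regex from the post: lowercase letters and digits, 3 to 10 characters.
    // No shell metacharacter or whitespace can match it.
    private static final Pattern SAFE_ARG = Pattern.compile("^[a-z0-9]{3,10}$");

    // Commands the application is permitted to run, by fixed absolute path.
    private static final Set<String> ALLOWED_COMMANDS = Set.of("/bin/ls");

    // Hypothetical trusted working directory; "/" is a stand-in so the demo runs anywhere.
    private static final File TRUSTED_DIR = new File("/");

    // Hardened: validate the command against the allow-list and the argument against the
    // regex, then pass command and each argument as separate elements. No shell is involved,
    // so even a value that slipped through could only ever be a single argv[] entry.
    static Process listHardened(String command, String dir) throws IOException {
        if (!ALLOWED_COMMANDS.contains(command)) {
            throw new IllegalArgumentException("command not allowed: " + command);
        }
        if (!SAFE_ARG.matcher(dir).matches()) {
            throw new IllegalArgumentException("invalid dir argument");
        }
        ProcessBuilder pb = new ProcessBuilder(command, "-l", dir);
        pb.directory(TRUSTED_DIR);
        pb.redirectErrorStream(true);   // capture stderr together with stdout for display
        return pb.start();
    }

    static String readOutput(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the listing is followed by the contents of /etc/passwd.
        System.out.println("--- vulnerable ---");
        System.out.println(readOutput(listVulnerable(ATTACKER_INPUT)));

        // Hardened path: the same payload is rejected before any process is started...
        System.out.println("--- hardened ---");
        try {
            listHardened("/bin/ls", ATTACKER_INPUT);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // ...while a benign value is executed as exactly one argument of the allowed command.
        System.out.println(readOutput(listHardened("/bin/ls", BENIGN_INPUT)));
    }
}
```

Compile and run with javac DirListing.java && java DirListing. The important difference is not the regex alone: even with validation, keep the shell out of the call path, because the regex protects one parameter while argument separation protects the whole invocation.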
Navigation
Introduction
Description of method
Explanation of the technological principles (techniques)
Examples
Detailed description of possible security approaches and solutions
Examples of two real-life cases and technical/financial/etc. damages
Statistical information, comparison of data from the last few years on the use of the technology
Demonstration/simulation using a virtual machine
Choice of a blogging tool, explanation and evaluation
Conclusions/Suggestions/Guidelines/Trends/Future work
More specific ones on the different types of injection: #sql #sqlinjection #ldap #oscommandinjection #commandinjection #xss