What are the command injection vulnerabilities?



How Command Injection vulnerabilities allow attackers to take control of your machine and how you can prevent these vulnerabilities.

Photo by Athul Cyriac Ajay on Unsplash

Command injection vulnerabilities are probably one of the most dangerous vulnerabilities that can arise in an application.

Command injection vulnerabilities, or operating system command injection vulnerabilities, occur when an application allows user input to be mistaken for system commands. This happens when user input is concatenated directly into a system command without proper precautions. Let’s understand them with an example!

Calling system commands in code

Let’s say your web application has a feature that allows a user to download a web page through your site. To achieve this functionality, you use Python to run the wget system command to download the web page. This is what your code looks like:

import os
def download(url):
os.system("wget -O- {}".format(url))

You first define a function called download, which calls wget to download the content from the passed URL. It then calls download on a user-supplied entry and displays the results.

If a user submits the following request, the app will download the Google home page and display it again to the user:

GET /download?url=google.com
Host: example.com

How do command injections happen?

On the Linux command line, the semicolon (;) character separates
individual orders. And since user input here is passed directly to a system command, an attacker can execute arbitrary commands after the wget command by submitting the command of his choice after a semicolon.

For example, what if a malicious user submits this request?

GET /download?url=google.com;ls
Host: example.com

This request would cause the application to execute both wget -O-google.com and ls, which displays the contents of the current directory. Since the application will then display the results of the command to the user, the malicious user will also be able to read the output of the ls command.

Likewise, attacker can also read sensitive files with this vulnerability:

GET /download?url=google.com;cat /etc/shadow
Host: example.com

/ etc / shadow is a file on Unix systems that stores hashed user passwords.

The attacker would be able to execute all the system commands that the user running the web application is allowed to execute. For example, they may be able to read sensitive files, reach and operate other machines on the local network, or modify files on the server.

How can I prevent command injections?

So how can you prevent command injection vulnerabilities in code? To prevent command injections, you should avoid inserting user input directly into system commands.

The first alternative strategy you can use is to use the programming language system APIs instead of directly calling system (). Most programming languages ​​have built-in functions that allow you to execute common system commands without risking command injection. For example, PHP has a function named mkdir (DIRECTORY_NAME). You can use it to create new directories instead of calling system (“mkdir DIRECTORY_NAME”).

If you must insert user input into system commands, implement strong input validation before passing user input into a system command. You can use a string or character permission list to specify allowed values ​​and reject any other user input that does not conform to this format. For example, if you want to allow users to read a subset of system files using a system command, you can create a list of allowed file names and reject all other entries. You can also use regular expressions to limit user input to a specific subset of characters to prevent users from submitting special characters that can allow them to manipulate system commands. For example, this regex string will limit user input to alphanumeric characters and limit user input to 15 characters: ^[A-Za-z0–9]{$ 1.15}.

Defense-in-depth strategies

Finally, there are also defense-in-depth strategies that can help you minimize the risk of command injections. First, you can deploy a WAF (Web Application Firewall) to help filter out suspicious user input.

You should also run your application with only the privileges that it needs to perform its tasks. For example, when an application only requires read access to a file, it should not be granted write or execute permission. This is called the “principle of least privilegeâ€. This practice will reduce the risk of system compromise during an attack, as attackers will not be able to access sensitive files and operations even if they get command injection on the application.

How can I find command injections in my code?

Command injection vulnerabilities have specific signatures in code, such as passing user-supplied or user-modified input into unsafe system commands. This is why code analysis or static analysis is the most efficient way to discover command injections in your applications. The ShiftLeft NG-SAST Static Analysis Tool can find command injection bugs in your code and help you fix them. Learn more by visiting us here.

Thanks for reading! What’s the hardest part of developing secure software for you? I would like to know. Do not hesitate to connect on Twitter @ vickieli7.

What are the command injection vulnerabilities? was originally posted in ShiftLeft Blog on Medium, where people continue the conversation by highlighting and responding to this story.

*** This is a Syndicated Security Bloggers Network blog from ShiftLeft Blog – Medium written by Vickie Li. Read the original post at: https://blog.shiftleft.io/what-are-command-injection-vulnerabilities-d3127afd78c4?source = rss —- 86a4f941c7da — 4


Leave A Reply

Your email address will not be published.