Command Injection

From Guidance Share

Description

Command injection problems are a subset of injection problems, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane.

Applies To

  • Language: Any
  • Platform: Any

Example

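The following code is a wrapper around the UNIX command cat, which prints the contents of a file to standard output. It is also injectable:

#include <stdio.h>
#include <stdlib.h>   /* malloc, free, system */
#include <string.h>   /* strlen, strncpy, strncat */
#include <unistd.h>

int main(int argc, char **argv) {
 char cat[] = "cat ";
 char *command;
 size_t commandLength;

 if (argc < 2) return 1;   /* a file name argument is required */
 commandLength = strlen(cat) + strlen(argv[1]) + 1;
 command = (char *) malloc(commandLength);
 if (command == NULL) return 1;
 strncpy(command, cat, commandLength);
 strncat(command, argv[1], (commandLength - strlen(cat)) );
 /* Injectable: argv[1] is handed to the shell without validation */
 system(command);
 free(command);
 return (0);
}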

Used normally, the output is simply the contents of the file requested:

$ ./catWrapper Story.txt
When last we left our heroes...

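However, if we add a semicolon and another command to the end of the argument (quoted, so that the calling shell passes the whole string to catWrapper as a single argument), the command is executed by catWrapper with no complaint:

$ ./catWrapper "Story.txt; ls"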
When last we left our heroes...
Story.txt doubFree.c nullpointer.c
unstosig.c www* a.out*
format.c strlen.c useFree*
catWrapper* misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

Impact

  • Access control: Command injection allows for the execution of arbitrary commands and code by the attacker.

Vulnerabilities

  • Failure to validate user input when input is used to drive the creation of, or parameters to, a new process.

Countermeasures

  • Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • Implementation: Ensure that all external commands called from the program are statically created, or -- if they must take input from a user -- that the input and final line generated are vigorously white-list checked.
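
Both countermeasures applied to catWrapper, as an added example that is not part of the original page: the file is read with library calls instead of system(), and the name is allow-list checked first. The names is_safe_filename and cat_file and the specific allow-list policy (bare file name, letters, digits, '.', '_' and '-') are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy: a bare file name of 1..255 bytes drawn from this set. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";

/* Allow-list check. Returns 1 if name is acceptable, 0 otherwise. */
int is_safe_filename(const char *name) {
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    /* No leading '-' (option look-alike) or '.' (".." and hidden files). */
    if (name[0] == '-' || name[0] == '.') return 0;
    /* Every byte must be in the set: rejects ';', '|', '$', spaces, '/'. */
    return strspn(name, ALLOWED) == len;
}

/* Library-call replacement for system("cat <name>"): no shell is involved.
   Returns the number of bytes copied to out, or -1 on rejection or error. */
long cat_file(const char *name, FILE *out) {
    char buf[4096];
    size_t n;
    long total = 0;
    FILE *in;
    if (!is_safe_filename(name)) return -1;
    in = fopen(name, "rb");
    if (in == NULL) return -1;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { fclose(in); return -1; }
        total += (long) n;
    }
    if (ferror(in)) total = -1;
    fclose(in);
    return total;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: catWrapper <file>\n");
        return 2;
    }
    if (cat_file(argv[1], stdout) < 0) {
        fprintf(stderr, "catWrapper: name rejected or file unreadable\n");
        return 1;
    }
    return 0;
}
```

With this version the argument "Story.txt; ls" is rejected before any file is opened, and because no shell is ever started, a metacharacter that slipped past the check would still only be treated as part of a file name.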

Vulnerability Patterns

How Tos
