Command Injection Vulnerabilities
What is a command injection vulnerability?
Many applications are not designed to be wholly self-contained. They often access external systems as well, including databases, application programming interfaces (APIs) and others.
Some applications are designed to run commands within the terminal of the system that they are running on. For example, a program may wish to list the files within a directory and decides to accomplish it using the ls or dir commands built into the operating system.
Learn Secure Coding
This use of the underlying terminal creates risk. If an application uses untrusted user input when defining the low-level commands to be run, it may include a command injection vulnerability. An attacker can exploit this vulnerability to run their own commands on the system.
Examples of command injection vulnerabilities
Most programming languages have functions that provide the option to run commands in the terminal. Two examples of commonly-used languages with this functionality are C++ and Python.
C++
C++ is a general-use programming language with a great deal of built-in functionality. The C++ system function enables a developer to run terminal commands from within a C++ application.
The image above shows sample code for an application that is designed to print the contents of a file on the filesystem. Instead of using file streams, the program uses the system command to call the cat function with a user-provided filename.
Ideally, a user will enter a legitimate filename, resulting in the contents of the desired file being printed. If the file does not exist, nothing bad will happen either.
However, this program can be abused in a number of different ways. A few examples include:
- Reading unauthorized files: The application is designed to allow users to read files within a given directory. However, by using directory traversal (such as the use of ..), the user can view any file on the system that the application has access to
- Editing files: The use of output redirection (> or >>) could allow a user to redirect the result of printing one file to overwrite or append to another file. Depending on the user’s control of the original file and the application’s permissions levels, this could allow an attacker to add additional user accounts to the system (by editing /etc/shadow) or taking similar malicious actions
- Running unauthorized commands: The Linux and Windows terminals both support command chaining. On Linux, providing an input of filename.txt; netstat would print the contents of the file named filename.txt, then print information about the machine’s current network connections
Python
Python is one of the most popular programming languages in existence. It provides developers with access to the terminal via its subprocess library.
The application above is designed to take advantage of the grep command on the Linux terminal. grep allows files in a directory to be searched for data that matches a particular regular expression. The use of the -r flag, as in the code sample above, performs this search recursively within a given directory.
The sample code above is designed to allow the user to provide a directory and a search pattern and to return any results that match that pattern within the defined directory tree. It accomplishes this using the call function from the Python subprocess library.
As in the previous example, the use of the Linux terminal combined with untrusted user input means that this application is vulnerable to command injection. A malicious user could provide malicious input for the pattern and/or dir variables that is designed to terminate the command and run another or to redirect the output of the grep command to another file. Depending on the permissions associated with this application, this could allow an attacker to abuse the application in a number of different ways.
Remediating command injection vulnerabilities
Command injection vulnerabilities exist when an application makes use of the Linux or Windows terminal or a similar external resource. If untrusted user input is used in terminal commands, there is the potential that a malicious user could subvert a command or run their own commands in the terminal.
The simplest way to remediate command injection vulnerabilities is to not use the terminal at all. Most uses of the terminal could also be accomplished with library functions with much less risk. Whenever possible, terminal access should be removed from an application.
If access to the terminal is necessary within an application and it must use untrusted user input, then input sanitization is necessary. Blocking or escaping common terminal control characters, while not a perfect solution, can decrease the exploitability of command injection vulnerabilities.
Learn Secure Coding
Sources
- Command Injection, OWASP
- system, C++ Reference
- grep(1) — Linux manual page, man7.org
- 17.1. subprocess — Subprocess management, docs.python.org
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Command Injection Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding