What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
Introduction:
This article provides an overview of how command injection vulnerabilities occur and what are some of the causes for command injection vulnerabilities. As mentioned in the previous article, command injection vulnerabilities are one of the most dangerous web vulnerabilities and thus it is important for developers to understand the causes, to be able to avoid these vulnerabilities.
Learn Secure Coding
What causes command injection?
Following are two most common reasons why Command Injections occur in web applications.
- Applications taking operating system commands as input and executing them.
- Applications taking data from the user and executing them as OS commands without properly validating.
Let us discuss these two items in detail.
Applications taking OS commands as input:
Let us consider PHP File Manager 0.9.8 as an example. When opened in a browser, it looks as follows.
As you can notice in the preceding picture, there is an option to Execute command. Clicking this button, shows the following.
As we can see, there is an option to execute commands. If a user enters any operating system commands, they will be executed by the underlying operating system as follows.
As we can see in the main menu of the application, there is another feature where the application allows the user to get an interactive shell and users can execute commands as shown in the following figure.
Clearly, features like these, which come by design will cause command injection attacks.
Applications taking data and executing it as commands:
The previous example shows an example of how commands can be taken as user input and executed by the applications. Developers are often aware of such features in their applications, as they get introduced by design.
Now, let us consider the following URL from an application, where the user enters data to be encoded by the application.
This user input is passed as a get parameter to encode.php file.
Following is the source code of encode.php
$input=$_GET['text'];
system("echo -n". $input." | base64");
?>
As we can notice from the preceding code snippet, the user input is passed to the php system() function, which is used to execute operating system commands in PHP.
The application is expecting data as user input so that it can be processed by the application. However, let us consider the following URL with an operating system command appended to user data.
If the application receives this input and treats it as data, there is no problem. The entire user supplied input will be base64 encoded and it will be returned back to the user.
Learn Secure Coding
However, if the application receives this input and treats it as code instead of data, that will cause command injection.
Let us closely observe what happens when the preceding URL is used by a user. The following is passed as an argument to PHP system() function.
As we can notice in the preceding excerpt, the argument is splitted into two different commands. The data test;id is passed to the application and because of the shell metacharacter (;) the text id turns into code and the output of the command id will be passed to base64 command.
Following is the response returned to the user.
As we can see the word test is not encoded but there is a long encoded text returned in response, because the output of id command is passed to base64 command. Decoding this text looks as follows.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
As you can notice, the encoded text is the output of the id command passed to the application.
When applications receive user input, if it is expected to be data the applications must treat it as data. If this user supplied data is appended to existing commands by the application, without sanitizing it; it will lead to vulnerabilities like command injection as the data is treated as code. The data must be treated as data and it must not be treated as code.
Learn Secure Coding
Conclusion:
This article has provided an overview of why command injection vulnerabilities occur. While some applications become vulnerable to command injection due to poor design choices, some applications become vulnerable due to insecure coding practices. When developers expect applications to process user supplied data, care must be taken and appropriate validation must take place to prevent injection class of vulnerabilities.
Sources:
- https://owasp.org/www-community/attacks/Command_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
Learn Secure Coding Fundamentals
Discover how to recognize common software mistakes, how those mistakes are exploited by attackers and how you can mitigate them. What you'll learn:- Buffer overflows
- SQL injections
- Credential management
- Mitigating with secure code
- And more
In this Series
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding