OWASP - User contributions [en]

Inyección De Comandos En Java

2012-12-04T14:27:10Z

José Luis Escobar: Created page with "==Estado== Review ==Introducción== Las vulnerabilidades de este tipo permiten a un atacante inyectar arbitrariamente comandos del sistema en una aplicación. Estos comandos..."

==Estado==
Review

==Introducción==
Las vulnerabilidades de este tipo permiten a un atacante inyectar arbitrariamente comandos del sistema en una aplicación. Estos comandos se ejecutan al mismo nivel de privilegios que la aplicación Java y proveen al atacante una funcionalidad similar a la de una Shell de Sistema Operativo. En Java, Runtime.exec es comúnmente usado para invocar a un nuevo proceso, pero esto no invoca una nueva Shell de comandos, lo que significa que usualmente encadenando o entubando múltiples comandos juntos no funciona. La inyección de comandos sin embargo es posible si el proceso engendrado con Runtime.exec es una Shell como command.com, cmd.exe o /bin/sh..

==Ejemplos ==

===Ejemplo 1===

El código detallado a continuación permite a un usuario el control de los argumentos del comando de Windows find. Mientras el usuario no posea control absoluto sobre los argumentos, no es posible inyectar comandos adicionales. Por ejemplo, ingresando “test & del file” no causará que el comando del se ejecute. Dado que Runtime.exec tokeniza la cadena de comando y luego invoca el comando find usando los parámetros “test”, “&”, “del” y “file”.

<pre>
import java.io.*;

public class Example1 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("find" + " " + args[0]);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

===Ejemplo 2===

El código a continuación invoca una shell del sistema para ejecutar un commando no ejecutable usando lo ingresado por el usuario como parámetros. Comandos de Windows no ejecutables tales como dir y copy son parte del intérprete de comandos y por ende no pueden ser directamente invoados por Runtime.exec. En este caso, la inyección de comandos es posible y un atacante puede encadenar múltiples comandos juntos. Por ejemplo ingresando, “.& echo hello” causará que el comando dir liste los contenidos del directorio actual y el comando echo imprima un mensaje de saludo.

<pre>
import java.io.*;

public class Example2 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
String[] cmd = new String[3];
cmd[0] = "cmd.exe" ;
cmd[1] = "/C";
cmd[2] = "dir " + args[0];
Process proc = runtime.exec(cmd);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

==Mejores Prácticas ==

Los desarrolladores deben evitar invocar la shell usando Runtime.exec para llamar a comandos del sistema operativo y en su defecto deben usar la API de Java. Por ejemplo, en vez de llamar lsor dir desde la sell se debe usar la clase Java File para la función de listado. Si es necesario que el usuario deba ingresar datos y pasarlos hacía Runtime.exec, y luego usar expresiones regulares para validar el ingreso.

[[Category:OWASP Java Project]]

Command injection in Java

2012-12-04T14:27:02Z

José Luis Escobar:

==Status==
Review

==Overview==
Command injection vulnerabilities allow an attacker to inject arbitrary system commands into an application. The commands execute at the same privilege level as the Java application and provides an attacker with functionality similar to a system shell. In Java, Runtime.exec is often used to invoke a new process, but it does not invoke a new command shell, which means that chaining or piping multiple commands together does not usually work. Command injection is still possible if the process spawned with Runtime.exec is a command shell like command.com, cmd.exe, or /bin/sh.

==Examples ==

===Example 1===

The code below allows a user to control the arguments to the Window's ''find'' command. While the user does have full control over the arguments, it is not possible to inject additional commands. For example, inputting “test & del file” will not cause the ''del'' command to execute, since Runtime.exec tokenizes the command string and then invokes the ''find'' command using the parameters “test”, “&”, “del”, and “file.”

<pre>
import java.io.*;

public class Example1 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("find" + " " + args[0]);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

===Example 2===

The code below invokes the system shell in order to execute a non-executable command using user input as parameters. Non-executable Window's commands such as ''dir'' and ''copy'' are part of the command interpreter and therefore cannot be directly invoked by Runtime.exec. In this case, command injection is possible and an attacker could chain multiple commands together. For example, inputting “. & echo hello” will cause the ''dir'' command to list the contents of the current directory and the ''echo'' command to print a friendly message.

<pre>
import java.io.*;

public class Example2 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
String[] cmd = new String[3];
cmd[0] = "cmd.exe" ;
cmd[1] = "/C";
cmd[2] = "dir " + args[0];
Process proc = runtime.exec(cmd);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

==Best Practices ==

Developers should avoid invoking the shell using Runtime.exec in order to call operating system specific commands and should use Java APIs instead. For example, instead of calling ''ls'' or ''dir'' from the shell use the Java File class and the list function. If it is necessary to accept user input and pass it to Runtime.exec, then use regular expressions to validate the input.

#'''Traduccion en Español: ''' [[Inyección De Comandos En Java]]

[[Category:OWASP Java Project]]

Command injection in Java

2012-12-04T14:25:43Z

José Luis Escobar:

Command injection in Java

2012-12-04T14:25:15Z

José Luis Escobar:

==Status==
Review

==Overview==
Command injection vulnerabilities allow an attacker to inject arbitrary system commands into an application. The commands execute at the same privilege level as the Java application and provides an attacker with functionality similar to a system shell. In Java, Runtime.exec is often used to invoke a new process, but it does not invoke a new command shell, which means that chaining or piping multiple commands together does not usually work. Command injection is still possible if the process spawned with Runtime.exec is a command shell like command.com, cmd.exe, or /bin/sh.

==Examples ==

===Example 1===

The code below allows a user to control the arguments to the Window's ''find'' command. While the user does have full control over the arguments, it is not possible to inject additional commands. For example, inputting “test & del file” will not cause the ''del'' command to execute, since Runtime.exec tokenizes the command string and then invokes the ''find'' command using the parameters “test”, “&”, “del”, and “file.”

<pre>
import java.io.*;

public class Example1 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("find" + " " + args[0]);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

===Example 2===

The code below invokes the system shell in order to execute a non-executable command using user input as parameters. Non-executable Window's commands such as ''dir'' and ''copy'' are part of the command interpreter and therefore cannot be directly invoked by Runtime.exec. In this case, command injection is possible and an attacker could chain multiple commands together. For example, inputting “. & echo hello” will cause the ''dir'' command to list the contents of the current directory and the ''echo'' command to print a friendly message.

<pre>
import java.io.*;

public class Example2 {
public static void main(String[] args)
throws IOException {
if(args.length != 1) {
System.out.println("No arguments");
System.exit(1);
}
Runtime runtime = Runtime.getRuntime();
String[] cmd = new String[3];
cmd[0] = "cmd.exe" ;
cmd[1] = "/C";
cmd[2] = "dir " + args[0];
Process proc = runtime.exec(cmd);

InputStream is = proc.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);

String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}
}
</pre>

==Best Practices ==

Developers should avoid invoking the shell using Runtime.exec in order to call operating system specific commands and should use Java APIs instead. For example, instead of calling ''ls'' or ''dir'' from the shell use the Java File class and the list function. If it is necessary to accept user input and pass it to Runtime.exec, then use regular expressions to validate the input.

#'''Traduccion en Español: ''' [[Inyección de Comandos en Java]]

[[Category:OWASP Java Project]]

Command injection in Java

2012-12-04T14:19:30Z

José Luis Escobar:

Command Injection

2012-12-04T14:19:14Z

José Luis Escobar:

{{Template:Attack}}
<br>
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==
The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).

There is a variant of the [[Code Injection]] attack. The difference with code injection is that the attacker adds his own code to the existing code. In this way, the attacker extends the default functionality of the application without the necessity of executing system commands. Injected code is executed with the same privileges and environment as the application has.

An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.


==Examples ==

===Example 1===

The following code is a wrapper around the UNIX command ''cat'' which prints the contents of a file to standard output. It is also injectable:

<pre>

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
char cat[] = "cat ";
char *command;
size_t commandLength;

commandLength = strlen(cat) + strlen(argv[1]) + 1;
command = (char *) malloc(commandLength);
strncpy(command, cat, commandLength);
strncat(command, argv[1], (commandLength - strlen(cat)) );

system(command);
return (0);
}

</pre>

Used normally, the output is simply the contents of the file requested:

<pre>

$ ./catWrapper Story.txt
When last we left our heroes...

</pre>
However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:

<pre>
$ ./catWrapper "Story.txt; ls"
When last we left our heroes...
Story.txt doubFree.c nullpointer.c
unstosig.c www* a.out*
format.c strlen.c useFree*
catWrapper* misnull.c strlength.c useFree.c
commandinjection.c nodefault.c trunc.c writeWhatWhere.c
</pre>

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

===Example 2===

The following simple program accepts a filename as a command line argument, and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

<pre>
int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
}

</pre>

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

===Example 3===

The following code from a privileged program uses the environment variable $APPHOME to determine the application's installation directory, and then executes an initialization script in that directory.

<pre>
...
char* home=getenv("APPHOME");
char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));
if (cmd) {
strcpy(cmd,home);
strcat(cmd,INITCMD);
execl(cmd, NULL);
}
...

</pre>

As in Example 2, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker can modify the environment variable $APPHOME to specify a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, by controlling the environment variable, the attacker can fool the application into running malicious code.

The attacker is using the environment variable to control the command that the program invokes, so the effect of the environment is explicit in this example. We will now turn our attention to what can happen when the attacker changes the way the command is interpreted.

===Example 4===

The code below is from a web-based CGI utility that allows users to change their passwords. The password update process under NIS includes running ''make'' in the /var/yp directory. Note that since the program updates password records, it has been installed setuid root.

The program invokes make as follows:
<pre>
system("cd /var/yp && make &> /dev/null");
</pre>

Unlike the previous examples, the command in this example is hardcoded, so an attacker cannot control the argument passed to system(). However, since the program does not specify an absolute path for make, and does not scrub any environment variables prior to invoking the command, the attacker can modify their $PATH variable to point to a malicious binary named make and execute the CGI script from a shell prompt. And since the program has been installed setuid root, the attacker's version of make now runs with root privileges.

The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.

There are many sites that will tell you that Java's Runtime.exec is exactly the same as C's system function. This is not true. Both allow you to invoke a new program/process. However, C's system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using "&", "&&", "|", "||", etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter.

===Example 5===
The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

:* C:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
char command[256];

if(argc != 2) {
printf("Error: Please enter a program to time!\n");
return -1;
}

memset(&command, 0, sizeof(command));

strcat(command, "time ./");
strcat(command, argv[1]);

system(command);
return 0;
}

:* If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!

:* Java:

'''There are many sites that will tell you that Java's Runtime.exec is exactly the same as C's system function. This is not true. Both allow you to invoke a new program/process. However, C's system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using "&", "&&", "|", "||", etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter.'''


==Related [[Attacks]]==
* [[Code Injection]]
* [[Blind SQL Injection]]
* [[Blind XPath Injection]]
* [[LDAP injection]]
* [[Relative Path Traversal]]
* [[Absolute Path Traversal]]


==Related [[Controls]]==
* [[:Category:Input Validation]]

Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*

If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.

==References==
* [http://cwe.mitre.org/data/definitions/77.html CWE-77: Command Injection]
* [http://cwe.mitre.org/data/definitions/78.html CWE-78: OS Command Injection]
* http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filters.html

[[Category:Injection Attack]]
[[Category:Injection]]
[[Category:Attack]]
[[Category:Externally Linked Page]]

Command Injection

2012-12-04T14:16:55Z

José Luis Escobar: