#REDIRECT [[Command Injection]]
{{Template:Attack}}
− | | |
− | ==Description==
| |
− | | |
− | An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
| |
− | | |
− | ==Examples ==
| |
− | | |
− | The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

:* C:

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 int main(int argc, char **argv)
 {
     char command[256];
 
     if (argc != 2) {
         fprintf(stderr, "Error: Please enter a program to time!\n");
         return 1;
     }
 
     /* Untrusted argv[1] is concatenated straight into a shell command.
      * snprintf() keeps the buffer from overflowing, but does nothing
      * about shell metacharacters in argv[1]: that is the injection flaw. */
     snprintf(command, sizeof(command), "time ./%s", argv[1]);
 
     /* system() runs "/bin/sh -c <command>", so ';', '|', '&&', backticks
      * and $(...) inside argv[1] are interpreted by the shell. */
     system(command);
     return 0;
 }

:* Consider the case where an attacker supplies the argument 'ls; cat /etc/shadow'. The shell receives "time ./ls; cat /etc/shadow" and, because a semicolon separates commands in the Unix shell, runs cat /etc/shadow after the timed program. Other metacharacters work the same way: '|', '&&', '||', backticks, $(...) and an embedded newline all let the attacker chain further commands. If the binary is setuid root, the injected commands run as root; if it is not, they still run with the full privileges of the user or service that runs the application. The injection itself does not depend on setuid; setuid only determines whose privileges the attacker gains.

:* Java:

 import java.io.*;
 
 public class Exec
 {
     public static void main(String args[])
     {
         if (args.length != 1) {
             System.err.println("Error: Please enter a program to time!");
             System.exit(1);
         }
         try
         {
             Runtime rt = Runtime.getRuntime();
             // Untrusted args[0] is concatenated into a command line that is
             // handed to a shell, so shell metacharacters are interpreted
             // exactly as in the C example.
             Process proc = rt.exec(new String[] { "/bin/sh", "-c", "time ./" + args[0] });
             proc.waitFor();
         }
         catch(Exception e)
         {
             e.printStackTrace();
         }
     }
 }

:* When the command string is passed through a shell (for example /bin/sh -c), the Java program is vulnerable in exactly the same way as the C program: an attacker can execute arbitrary system-level commands through your application. One caveat is worth knowing. Runtime.exec(String) on its own does not start a shell; it splits the string on whitespace and executes the first token directly, so ';' and other metacharacters are not interpreted. Even then the attacker still controls which program runs and which arguments it receives, so the pattern remains a command injection flaw; routing the string through a shell simply restores full metacharacter chaining.

==Related Threats==

==Related Attacks==

==Related Vulnerabilities==

==Related Countermeasures==

Ideally, a developer should use an existing API for the task instead of shelling out. For example (Java): rather than use Runtime.exec() to issue a 'mail' command, use the Java API available in javax.mail.*.

If no such API exists, avoid the shell entirely: spawn the program with an argument-array API (Runtime.exec(String[]) or ProcessBuilder in Java, execv() or posix_spawn() in C), keep the program name fixed, and pass user input only as an individual argument so that no shell ever parses it. In addition, validate the input against a positive security model (an allowlist): define the characters and form that are legal and reject everything else. It is much easier, and far safer, to enumerate the legal characters than to try to enumerate every illegal one. The allowlist should also reject a leading '-', so that the value cannot be interpreted as an option by the spawned program.

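The following is an added example, not code from the original page: a hardened counterpart to the C snippet in the Examples section that applies the countermeasures just described. The program to run is fixed to /usr/bin/time (assumed to exist on the target system), the user-supplied name is checked against an allowlist that also rejects a leading '-' or '.', and the child is started with fork() and execv() so that no shell ever parses the input. The function names is_safe_program_name, build_timed_argv and run_timed are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for the program name (example policy, not from the page):
 * letters, digits, '.', '_' and '-' only; non-empty; at most 64 bytes;
 * no leading '-' (would be parsed as an option by the spawned program)
 * and no leading '.' (hidden files, "." and ".." are never wanted here).
 * Because '/' is not allowed, the name can never name another directory. */
int is_safe_program_name(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the argv for execv(): the program is fixed to /usr/bin/time and the
 * validated name, prefixed with "./", is passed as one separate argument.
 * Returns 0 on success, -1 if validation fails or the path would not fit. */
int build_timed_argv(const char *name, char *path, size_t pathlen, char *argv_out[3])
{
    if (!is_safe_program_name(name)) return -1;
    if (snprintf(path, pathlen, "./%s", name) >= (int)pathlen) return -1;
    argv_out[0] = "/usr/bin/time";
    argv_out[1] = path;
    argv_out[2] = NULL;
    return 0;
}

/* Hardened replacement for system("time ./<input>"): validate, then fork()
 * and execv() the fixed program directly. No shell is involved, so ';',
 * '|', backticks and $(...) in the input are never interpreted.
 * Returns the child's exit status, or -1 on validation or spawn failure. */
int run_timed(const char *name)
{
    char path[80];      /* "./" + at most 64 bytes of name fits comfortably */
    char *argv[3];
    pid_t pid;
    int status;

    if (build_timed_argv(name, path, sizeof(path), argv) != 0) return -1;

    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);     /* only reached if execv() itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <program-in-current-directory>\n", argv[0]);
        return 1;
    }
    if (!is_safe_program_name(argv[1])) {
        fprintf(stderr, "rejected: program name contains disallowed characters\n");
        return 1;
    }
    return run_timed(argv[1]) == -1 ? 1 : 0;
}
```

Run it as `./timer myprog` and it behaves like the original; run it as `./timer 'ls; cat /etc/shadow'` and the input is rejected before anything is spawned. Even if the allowlist were bypassed, the execv() path would hand the whole string to /usr/bin/time as a single file name rather than to a shell.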
==Categories==

{{Template:Stub}}

[[Category:Injection Attack]]