| (7 intermediate revisions by 5 users not shown) |
| Line 1: |
Line 1: |
| − | {{Template:Attack}}
| + | #REDIRECT [[Command Injection]] |
| − | | |
| − | ==Description==
| |
| − | | |
| − | An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
| |
| − | | |
| − | ==Examples ==
| |
| − | | |
| − | The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:
| |
| − | | |
| − | :* C:
| |
| − | | |
| − | #include <stdlib.h>
| |
| − | #include <stdio.h>
| |
| − | #include <string.h>
| |
| − |
| |
| − | int main(int argc, char **argv)
| |
| − | {
| |
| − | char command[256];
| |
| − |
| |
| − | if(argc != 2) {
| |
| − | printf("Error: Please enter a program to time!\n");
| |
| − | return -1;
| |
| − | }
| |
| − |
| |
| − | memset(&command, 0, sizeof(command));
| |
| − |
| |
| − | strcat(command, "time ./");
| |
| − | strcat(command, argv[1]);
| |
| − |
| |
| − | system(command);
| |
| − | return 0;
| |
| − | }
| |
| − | | |
| − | :* If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!
| |
| − | | |
| − | :* Java:
| |
| − | | |
| − | import java.util.*;
| |
| − | import java.io.*;
| |
| − |
| |
| − | public class Exec
| |
| − | {
| |
| − | public static void main(String args[])
| |
| − | {
| |
| − | try
| |
| − | {
| |
| − | Runtime rt = Runtime.getRuntime();
| |
| − | Process proc = rt.exec("time ./" + args[0]);
| |
| − | }
| |
| − | catch(Exception e)
| |
| − | {
| |
| − | e.printStackTrace();
| |
| − | }
| |
| − | }
| |
| − | }
| |
| − | | |
| − | :* The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.
| |
| − | | |
| − | ==Related Threats==
| |
| − | | |
| − | ==Related Attacks==
| |
| − | | |
| − | ==Related Vulnerabilities==
| |
| − | | |
| − | ==Related Countermeasures==
| |
| − | | |
| − | Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*
| |
| − | | |
| − | If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.
| |
| − | | |
| − | ==Categories==
| |
| − | | |
| − | {{Template:Stub}}
| |
| − | | |
| − | [[Category:Injection Attack]] | |
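Review bot: the Java snippet (the `Process proc = rt.exec("time ./" + args[0]);` line) does not demonstrate the shell-metacharacter injection that the text below it claims for it: `Runtime.exec(String)` splits the string on whitespace and launches the first token directly, without invoking a shell, so the semicolon trick described for the C version would reach the launched program as literal arguments rather than as a second command. The sentence "The same situation applies to the Java program as it did to the C program" should be qualified, or the example changed to show a shell actually being invoked; otherwise readers take away the wrong lesson about where the danger lies (the C snippet's `system(command)` does go through a shell). Two smaller points on the removed content: `strcat(command, argv[1])` appends an unbounded argument into the 256-byte `command` buffer, so the C example carries a buffer overflow on top of the injection it is meant to illustrate; and the countermeasures section stops at scrubbing characters, whereas the primary fix is to never hand user data to a shell at all (an argv array via `execvp`, or `ProcessBuilder` with separate arguments), with allow-list validation as defence in depth. Finally, since the `+` side replaces the whole page with `#REDIRECT [[Command Injection]]`, confirm that the target page already covers the examples and countermeasures being dropped here.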