This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OS Command Injection"
Weilin Zhong (talk | contribs) |
|||
Line 2: | Line 2: | ||
==Description== | ==Description== | ||
+ | |||
+ | An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command. | ||
==Examples == | ==Examples == | ||
+ | |||
+ | The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform: | ||
+ | |||
+ | :* C: | ||
+ | |||
+ | #include <stdlib.h> | ||
+ | #include <stdio.h> | ||
+ | #include <string.h> | ||
+ | |||
+ | int main(int argc, char **argv) | ||
+ | { | ||
+ | char command[256]; | ||
+ | |||
+ | if(argc != 2) { | ||
+ | printf("Error: Please enter a program to time!\n"); | ||
+ | return -1; | ||
+ | } | ||
+ | |||
+ | memset(&command, 0, sizeof(command)); | ||
+ | |||
+ | strcat(command, "time ./"); | ||
+ | strcat(command, argv[1]); | ||
+ | |||
+ | system(command); | ||
+ | return 0; | ||
+ | } | ||
+ | |||
+ | :* If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will! | ||
+ | |||
+ | :* Java: | ||
+ | |||
+ | import java.util.*; | ||
+ | import java.io.*; | ||
+ | |||
+ | public class Exec | ||
+ | { | ||
+ | public static void main(String args[]) | ||
+ | { | ||
+ | try | ||
+ | { | ||
+ | Runtime rt = Runtime.getRuntime(); | ||
+ | Process proc = rt.exec("time ./" + args[0]); | ||
+ | } | ||
+ | catch(Exception e) | ||
+ | { | ||
+ | e.printStackTrace(); | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | :* The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application. | ||
==Related Threats== | ==Related Threats== | ||
Line 12: | Line 65: | ||
==Related Countermeasures== | ==Related Countermeasures== | ||
+ | |||
+ | Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.* | ||
+ | |||
+ | If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters. | ||
==Categories== | ==Categories== |
Revision as of 15:29, 30 June 2006
- This is an Attack. To view all attacks, please see the Attack Category page.
Description
An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
Examples
The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:
- C:
#include <stdlib.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char command[256]; if(argc != 2) { printf("Error: Please enter a program to time!\n"); return -1; } memset(&command, 0, sizeof(command)); strcat(command, "time ./"); strcat(command, argv[1]); system(command); return 0; }
- If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!
- Java:
import java.util.*; import java.io.*; public class Exec { public static void main(String args[]) { try { Runtime rt = Runtime.getRuntime(); Process proc = rt.exec("time ./" + args[0]); } catch(Exception e) { e.printStackTrace(); } } }
- The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.
Related Threats
Related Attacks
Related Vulnerabilities
Related Countermeasures
Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*
If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.
Categories
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.