What is OS command injection?

OS command injection is a vulnerability that lets a malicious hacker trick an application into executing operating system (OS) commands. OS command injection is also known as command injection or shell injection.
How does OS command injection work?

Most programming languages include functions that let the developer call operating system commands. The reasons for calling operating system commands are varied, for example, to include functionality that is not available in that programming language by default, to call scripts written in other languages, and more. OS command injection vulnerabilities are a result of using such operating system call functions with insufficient input validation. A lack of validation enables the attacker to inject malicious commands into user input and then execute them on the host operating system.

Command injection vulnerabilities are an appsec problem that may appear in any type of computer software, in almost every programming language, and on any platform. For example, you can get command injection vulnerabilities in embedded software in routers, web applications and APIs written in PHP, server-side scripts written in Python, mobile applications written in Java, and even in core operating system software.

The term OS command injection is defined in CWE-78 as improper neutralization of special elements used in an OS command. OWASP prefers the simpler term command injection. The term shell injection is used very rarely.

Some OS command injection vulnerabilities are classified as blind or out-of-band. This means that the OS command injection attack does not result in anything being sent back or displayed immediately, and the result of the attack is, for example, sent to a server controlled by the attacker.

Note that OS command injection is often confused with remote code execution (RCE), also known as code injection. In the case of RCE, the attacker executes malicious code in the language of the application and within the application context. In the case of OS command injection, the attacker executes a malicious command in a system shell. However, some sources consider OS command injection to be a type of code injection.
Example of a command injection attack

Below is a simple example of PHP source code with an OS command injection vulnerability and a command injection attack vector on applications that include this code.

Vulnerable code

The developer of a PHP application wants the user to be able to see the output of the Windows ping command in the web application. The user needs to input the IP address and the application sends ICMP pings to that address. The developer passes the IP address using an HTTP GET parameter and then uses it in the command line. Unfortunately, the developer trusts the user too much and does not perform input validation.
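The following is an added illustration of the pattern just described, written for this page and not the article's own code. It assumes a Windows host (the built-in ping takes "-n <count>") and a constructed GET parameter name, address.

```php
<?php
// Added example, not the article's own code: a minimal PHP ping wrapper
// with the OS command injection defect the article describes. It assumes
// a Windows host (the built-in ping takes "-n <count>"); the parameter
// name "address" is a constructed choice.

// The parameter comes straight from the query string with no validation.
$address = $_GET['address'] ?? '';

// The untrusted value is concatenated into the command line as-is, so any
// shell metacharacter it contains (the article names ; and &) is
// interpreted by the shell rather than passed to ping as its argument.
$command = 'ping -n 3 ' . $address;

// shell_exec() hands the complete string to the system shell and returns
// whatever the shell printed, which is then shown to the user.
$output = shell_exec($command);

header('Content-Type: text/plain');
echo $output === null ? "ping produced no output\n" : $output;
```

The defect is the string concatenation on the line that builds $command: the shell, not ping, decides what the user-supplied text means, so anything the shell treats as a command separator changes what gets executed.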
The attack vector

The attacker abuses this script by manipulating the GET request with the following payload:
The shell_exec function executes the following OS command:
Potential consequences of an OS command injection attack

In the case of OS command injection vulnerabilities, the attacker is able to execute operating system commands with the privileges of the vulnerable application. This lets the attacker, for example, install a reverse shell and obtain cmd access with such privileges. They may then be able to escalate the attack by using other exploits, which may ultimately lead to obtaining root access and, as a result, complete control of the web server operating system. If successful, the attacker may follow up with one of the following common types of attacks:
Examples of known OS command injection vulnerabilities
How to detect OS command injection vulnerabilities?

The best way to detect OS command injection vulnerabilities depends on whether they are already known or unknown.
How to prevent OS command injection vulnerabilities in web applications?

There are several methods to improve application security by preventing OS command injection attacks. The simplest and safest one is never to use calls such as shell_exec in PHP to execute host operating system commands. Instead, you should use the equivalent commands from the programming language. For example, if a developer wants to send mail using PHP on Linux/UNIX, they may be tempted to use the mail command available in the operating system. Instead, they should use the mail() function in PHP. The web server administrator may enforce this by disabling potentially dangerous functions, such as the ones causing operating system calls. For example, in the case of PHP, you can configure the php.ini file to block dangerous commands by adding the following line:
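As an added example (not the article's own code), the php.ini directive that implements this is disable_functions; which functions to list is the administrator's decision, so the list below is an assumption. The script then verifies that the setting is actually in effect on the running PHP build, which is the check a reviewer would want after editing php.ini.

```php
<?php
// Added example, not the article's own code. The article recommends
// blocking OS-call functions in php.ini; the directive for that is
// disable_functions, for example (the exact list is the administrator's
// choice and is an assumption here):
//
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
//
// This script checks whether that hardening is in effect on the running
// PHP configuration: function_exists() returns false for a function that
// has been disabled, so anything still reported as available has not
// been blocked.

function stillEnabledShellFunctions(array $candidates): array
{
    $enabled = [];
    foreach ($candidates as $name) {
        if (function_exists($name)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

$candidates = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
$enabled = stillEnabledShellFunctions($candidates);

echo "disable_functions = " . (ini_get('disable_functions') ?: '(empty)') . "\n";
if ($enabled === []) {
    echo "all listed OS command functions are disabled\n";
} else {
    echo "still enabled: " . implode(', ', $enabled) . "\n";
}
```

Run it with the same SAPI the web server uses (php-fpm or mod_php rather than the CLI), because php.ini files and therefore disable_functions can differ between SAPIs.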
Using input sanitization to prevent command injection

The above approach may be difficult if there is no equivalent command in the programming language. For example, there is no direct way to send ICMP ping packets from PHP. In such cases, you need to apply input sanitization before you pass the value to a shell command, and the safest way is to use a whitelist. For example, in the vulnerable code presented above, you could check if the address variable is an IP address. The result would be the following corrected code:
When sanitizing, remember that dangerous user input can come from lots of places, not only from GET and POST parameters. It can also appear in HTTP headers, JSON or XML data, and any other part of an HTTP request.

Using character escaping to prevent command injection

In some languages, you can use character escaping to prevent command injection attacks. This means that before you send user input to the OS command, the built-in programming language function makes sure that all potentially dangerous characters are escaped. For example, in PHP, you could use the escapeshellarg and escapeshellcmd functions. The result would be the following safe code:
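The following added example (written for this page, not the article's own corrected code) shows both defences from the two sections above applied to a constructed ping wrapper: a whitelist check that only accepts a syntactically valid IP address, and argument escaping with escapeshellarg(). It assumes a Windows host and the helper names are constructed.

```php
<?php
// Added example, not the article's own code. It hardens a constructed PHP
// ping wrapper in the two ways the article describes: a whitelist check
// (the parameter must be an IP address) and argument escaping with
// escapeshellarg(). Assumes Windows ping ("-n <count>"); helper names
// are assumptions.

// Whitelist approach: only a syntactically valid IPv4/IPv6 address is
// accepted; everything else is rejected before any command is built,
// so no shell metacharacter can ever reach shell_exec().
function buildPingCommandWhitelist(string $address): ?string
{
    if (filter_var($address, FILTER_VALIDATE_IP) === false) {
        return null; // rejected: not an IP address
    }
    return 'ping -n 3 ' . $address;
}

// Escaping approach: escapeshellarg() quotes the value (single quotes on
// Unix, double quotes on Windows) and neutralises embedded quote
// characters, so the shell passes it to ping as exactly one argument
// whatever it contains.
function buildPingCommandEscaped(string $address): string
{
    return 'ping -n 3 ' . escapeshellarg($address);
}

// Constructed inputs: a legitimate address and the article's example of
// a value that appends a second command after a semicolon.
$inputs = ['127.0.0.1', '127.0.0.1; whoami'];

foreach ($inputs as $input) {
    $allow = buildPingCommandWhitelist($input) ?? '(rejected by whitelist)';
    $esc   = buildPingCommandEscaped($input);
    printf("input: %s\n  whitelist: %s\n  escaped:   %s\n", $input, $allow, $esc);
}
```

For the second input the whitelist version returns null and never builds a command, while the escaped version produces a command whose argument is the whole quoted string, which ping then reports as an unresolvable host. Prefer the whitelist where the input has a known shape, as here. Note also that escapeshellarg() and escapeshellcmd() have different jobs: escapeshellarg() protects a single argument, whereas escapeshellcmd() is meant for a whole command string and, as the PHP manual warns, does not stop a value from being split into additional arguments, so it is not a substitute for escapeshellarg() on user-supplied parameters.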
Using blacklists to prevent command injection

We do not recommend using blacklists because attackers have many ways of bypassing them. However, if you do decide to use a blacklist, you must be aware that the attacker can use a variety of special characters to inject an arbitrary command. The simplest and most common ones are the semicolon (;) for Linux and the ampersand (&) for Windows. However, the following payloads for the vulnerable code presented above will all work and display the result of the whoami command:
Therefore, if you absolutely need to use blacklisting, you must filter or escape the following special characters:
How to mitigate OS command injection attacks?

Methods to mitigate OS command injection attacks will differ depending on the type of software:
In the case of zero-day OS command injections in third-party software, you can apply temporary WAF (web application firewall) rules for mitigation. However, this only makes the OS command injection harder to exploit and does not eliminate the problem.

Frequently asked questions

What is OS command injection?

OS command injection is a vulnerability that lets a malicious hacker trick an application into executing operating system commands. OS command injection is also known as command injection or shell injection. Read an article that explains command injection in detail.

How to detect command injection?

Dynamic application security testing (DAST) tools are the best way to detect command injection vulnerabilities in web applications. They provide the best coverage and some of them, like Invicti, are able to prove that the vulnerability is real and not a false positive. Find out more about dynamic application security testing (DAST).

How to prevent OS command injection?

The best way to prevent OS command injection is to follow secure coding practices. One of them is to use filtering for all user input and apply context-sensitive output encoding to input data controlled by the user. Read more about fostering secure coding practices.
Written by: Tomasz Andrzej Nidecki, reviewed by: Sven Morgenroth

What is a command injection?

Command injection is a cyber attack that involves executing arbitrary commands on a host operating system (OS). Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.
Which operating system is immune from OS command injection attacks?

No operating system is immune to it. It can happen on any operating system (Linux, Windows, Mac), because the vulnerability is not in the operating system per se; it is the vulnerable application that makes it happen.
How does code injection work?

Code injection is a type of attack that allows an attacker to inject malicious code into an application through a user input field, which is then executed on the fly.
What is a command injection vulnerability?

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.