The Web Application Security Consortium / OS Commanding
View
 

OS Commanding

Page history last edited by Robert Auger 14 years, 11 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-31

 

OS Commanding

OS Commanding is an attack technique used for unauthorized execution of operating system commands.

OS Commanding is the direct result of mixing trusted code and untrusted data. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. In OS Commanding, executed commands by an attacker will run with the same privileges of the component that executed the command, (e.g. database server, web application server, web server, wrapper, application). Since the commands are executed under the privileges of the executing component an attacker can leverage this to gain access or damage parts that are otherwise unreachable (e.g. the operating system directories and files).

 

Perl Example

open function is part of the API Perl provides for file handling. Improper use of this function may result in OS Commanding since Perl allows piping data from a process into an open statement, by appending a '|' (Pipe) character onto the end of a filename.

 

# The code below executes "/bin/ls" and pipe the output to the open statement
open FILE, "/bin/ls|" or die $!;

 

Web applications often include parameters that specify a file that is displayed or used as a template. Without proper input validation, an attacker may change the parameter value to include a shell command followed by the pipe symbol, shown above.

If the original URL of the web application is:

http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt

 

Changing the template parameter value, the attacker can trick the web application into executing the command /bin/ls:

http://example /cgi-bin/showInfo.pl?name=John&template=/bin/ls|

 

Java Example

Java provides Runtime class allowing the application to interface with the environment in which the application is running. From the Java 2 documentation;

"Every Java application has a single instance of class Runtime that allows the application to interface with the environment in which the application is running. The current runtime can be obtained from the getRuntime method... "

 public string cmdExecution(String id){ 
   try {
     Runtime rt = Runtime.getRuntime();
     rt.exec("LicenseChecker.exe" + " -ID " + id);
   }
   catch(Exception e){
     //...
   }
 }

The snippet above assumes that id is passed to the Runtime.exec method without any validation, therefore, it yields to OS Commanding. For example, if an attacker provides the value 3c8f2a -bypass for an id, the attacker may trigger the license validation operation to be bypassed. Depending on what the external program is, it may also be possible to execute multiple commands through this attack technique.

Here's another version of the code piece above;

 

 public string cmdExecution(String id){ 
   try {
     Runtime rt = Runtime.getRuntime();
     rt.exec("cmd.exe /C LicenseChecker.exe" + " -ID " + id);
   }
   catch(Exception e){
     //...
   }
 }

 

Since the first item to be called, cmd.exe, is an application which parses the arguments, interprets them and further call other external applications, it's possible for an attacker to call external programs. cmd.exe interprets & character (; in Unix-like systems) as the boundary to execute multiple commands. So, if an attacker provides the value 3c8f2a & ping -t www.target.site for an id, he may also run a ping on www.target.site on the target machine with the privileges of the user running the vulnerable application.

 

C# Example

.NET provides "access to local and remote processes and enables you to start and stop local system processes" through System.Diagnostics.Process class. From the MSDN documentation;

"... A Process component provides access to a process that is running on a computer. A process, in the simplest terms, is a running application. A thread is the basic unit to which the operating system allocates processor time. A thread can execute any part of the code of the process, including parts currently being executed by another thread ...."

 

 public void cmdExecution(String id){
   ProcessStartInfo psi = new ProcessStartInfo("LicenseChecker.exe"); 
   psi.UseShellExecute = true;
   psi.Arguments = id;
   Process.Start(psi); 
 }

 

If an attacker provides the value 3c8f2a -bypass for an id, the attacker may trigger the license validation operation to be bypassed. The reasoning in Java applies here, too. It may be possible to execute multiple commands if the program to be called, like cmd.exe, interprets the arguments. There're also other ways of running applications in .NET, one of which is;

 Process.Start("LicenseChecker.exe ", id);

 

PHP Example

PHP provides a good list of functions, one of which is passthru, in order to execute external programs.

 <?php
   if(isset($_GET['cmd'])){
     $cmd = 'LicenseChecker.exe ' . $_GET['cmd'];
     passthru ($cmd);
   }
 ?>

 

PHP functions passthru, exec runs through shell so, with no proper validation nor escaping, it is possible to execute multiple OS commands.

 

References

"open function Perl Documentation"

[1] http://perldoc.perl.org/functions/open.html

 

"Runtime Class Java 2 Documentation"

[2] http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Runtime.html

 

"Process Class MSDN Documentation"

[3] http://msdn.microsoft.com/en-us/library/system.diagnostics.process.aspx

 

"Perl CGI Problems", By RFP - Phrack Magazine, Issue 55

[4] http://www.wiretrip.net/rfp/txt/phrack55.txt (See "That pesky pipe" section)

 

"Marcus Xenakis directory.php Shell Command Execution Vulnerability"

[5] http://www.securityfocus.com/bid/4278

 

"NCSA Secure Programming Guidelines"

[6] http://thinkunix.net/unix/security/secure-programming.html

 

"passthru function PHP Manual"

[7] http://php.net/passthru

 

"CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')"

[8] http://cwe.mitre.org/data/definitions/78.html

 

"CAPEC: OS Command Injection"

[9] http://capec.mitre.org/data/definitions/88.html

 

"OWASP: Command Injection"

[10] http://www.owasp.org/index.php/Command_injection

 

"List of Web Hacking Incidents: OS Commanding"

[11] http://whid.webappsec.org/whid-list/OS+Commanding

Comments (0)

You don't have permission to comment on this page.