CWE-78
Weakness ID: 78 (Weakness Base)
Status: Draft
OS Command Injection
Description
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.
Extended Description
This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increase the amount of damage.
There are at least two subtypes of OS command injection:
1) The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing.
2) The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system.
For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line.
From a weakness standpoint, these variants of OS command injection represent distinct programmer errors.
In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed.
In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
Alternate Terms
Shell injection
Shell metacharacters
Terminology Notes
The phrase "OS command injection" carries different meanings to different people.
For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted path weaknesses (CWE-426) that allow the attacker to provide the code that is later executed by the application.
For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked.
Further complicating the issue is the case in which argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an "-exec" switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX "find" command, for example). Because of cases like these, the definition of OS command injection is a complicated matter.
In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.
Time of Introduction
Architecture and Design; Implementation
Applicable Platforms
Languages: All
Common Consequences
Scope | Effect |
---|---|
Confidentiality, Integrity, Availability, Non-Repudiation | Technical Impact: Execute unauthorized code or commands; DoS: crash / exit / restart; Read files or directories; Read application data. Attackers could execute unauthorized commands, which could then be used to disable the software, or to read and modify data for which the attacker does not have permission to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. |
Likelihood of Exploit
High
Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives, i.e. warnings that do not have any security consequences or require any code changes.
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives, especially if the API/library code is not available for analysis.
This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection.
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Effectiveness: Moderate
Manual Static Analysis
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
Effectiveness: High
Demonstrative Examples
Example 1:
This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.
Example Language: Perl (Bad)
use CGI qw(:standard);
$name = param('name');            # attacker-controlled request parameter
$nslookup = "/path/to/nslookup";
print header;
# $name is interpolated unchanged into a command line that the shell parses
if (open($fh, "$nslookup $name|")) {
    while (<$fh>) {
        print escapeHTML($_);
        print "<br>\n";
    }
    close($fh);
}
Suppose an attacker provides a domain name like this:
(Attack)
cwe.mitre.org%20%3B%20/bin/ls%20-l
The "%3B" sequence decodes to the ";" character, and the "%20" decodes to a space character, so the open() statement would then process a string like this:
/path/to/nslookup cwe.mitre.org ; /bin/ls -l
As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.
Example 2:
The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.
Example Language: Java (Bad)
String script = System.getProperty("SCRIPTNAME"); // whoever controls the property controls the program
if (script != null)
    Runtime.getRuntime().exec(script);            // throws IOException; the CWE entry writes this call as System.exec(script)
If the attacker has control over this property, then they could modify the property to point to a dangerous program.
Observed Examples
Reference | Description |
---|---|
CVE-1999-0067 | Canonical example. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. |
CVE-2001-1246 | Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. |
CVE-2002-0061 | Web server allows command execution using "|" (pipe) character. |
CVE-2003-0041 | FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. |
CVE-2008-2575 | Shell metacharacters in a filename in a ZIP archive |
CVE-2002-1898 | Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. |
CVE-2008-4304 | OS command injection through environment variable. |
CVE-2008-4796 | OS command injection through https:// URLs |
CVE-2007-3572 | Chain: incomplete blacklist for OS command injection |
Potential Mitigations
Phase: Architecture and Design
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Phases: Architecture and Design; Operation
Strategy: Sandbox or Jail
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Phase: Architecture and Design
Strategy: Attack Surface Reduction
For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using the ESAPI Encoding control or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Phase: Implementation
Strategy: Output Encoding
If you need to use dynamically-generated query strings or commands in spite of the risk, properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Phase: Implementation
If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
Phase: Architecture and Design
Strategy: Parameterization
If available, use structured mechanisms that automatically enforce the separation between data and code.
These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments.
For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Phase: Implementation
Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e. use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e. do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue".
When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
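The DNS lookup of Example 1 above, rewritten to apply the Parameterization, Output Encoding and Input Validation mitigations, as an added Python example (not code from the CWE entry or from any project): the vulnerable single-string construction sits beside a hostname allowlist, an argument-list invocation that never reaches a shell, and shlex.quote for the case where a shell string cannot be avoided. The nslookup path is the entry's own placeholder and the sample inputs are constructed.

```python
# Added example, not from the CWE entry: hardening the "first variant" lookup.
import re
import shlex
import subprocess

NSLOOKUP = "/path/to/nslookup"  # placeholder path taken from the CWE example

# Allowlist for a host name: labels of letters, digits and hyphens joined by
# dots. Spaces, ';', '|', '&', '`', '$', quotes and newlines can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def valid_hostname(name):
    """Input Validation mitigation: accept only names that match the allowlist."""
    return len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


def vulnerable_command(name):
    """What open($fh, "$nslookup $name|") hands to the shell: one string in which
    a ';' inside name starts a second command."""
    return f"{NSLOOKUP} {name}"


def quoted_command(name):
    """Output Encoding mitigation for the case where a shell string is unavoidable:
    shlex.quote wraps the value so separators stay inside a single argument."""
    return f"{NSLOOKUP} {shlex.quote(name)}"


def lookup_argv(name):
    """Parameterization mitigation: validate, then build an argument list. The
    list form is passed to the OS without a shell, so no separator is parsed."""
    if not valid_hostname(name):
        raise ValueError(f"rejected host name: {name!r}")
    return [NSLOOKUP, name]


def run_lookup(name):
    """Run the lookup; shell=False (the default) means no interpreter sees name."""
    result = subprocess.run(lookup_argv(name), capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    attack = "cwe.mitre.org ; /bin/ls -l"  # the entry's attack string after URL decoding
    print(vulnerable_command(attack))      # two commands, as in the entry
    print(quoted_command(attack))          # one quoted argument to nslookup
    try:
        run_lookup(attack)
    except ValueError as err:
        print("blocked:", err)
```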
Phase: Architecture and Design
Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Phase: Operation
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Phase: Implementation
Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success.
If errors must be tracked in some detail, capture them in log messages, but consider what could occur if the log messages can be viewed by attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
In the context of OS command injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
Phase: Operation
Strategy: Sandbox or Jail
Use runtime policy enforcement to create a whitelist of allowable commands, then prevent use of any command that does not appear in the whitelist. Technologies such as AppArmor are available to do this.
Phase: Operation
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.
Effectiveness: Moderate
An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
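As an added example of the request-level detection that an application firewall or log monitor performs for the Firewall mitigation above (not code from the CWE entry or from any product), this Python scans constructed Common Log Format lines, decodes each query parameter as the receiving CGI layer would (with a bounded extra decoding pass, since an additional encoding layer is one of the malformed-input cases the caveat above mentions) and flags values carrying shell command separators. The log lines, paths and addresses are constructed sample data.

```python
# Added example, not from the CWE entry: flag requests whose decoded query
# values contain shell metacharacters. This is a detection blacklist (useful
# for spotting attempts, as the Input Validation mitigation notes), not a defence.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that end or chain a shell command: ; | & ` $ and line breaks.
_SHELL_META = re.compile(r"[;|&`$\r\n]")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')


def full_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so '%253B' becomes ';'.
    The bound keeps a pathological value from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(target):
    """Return {param: decoded value} for each query parameter carrying a separator."""
    hits = {}
    # parse_qsl already decodes one layer; full_decode handles any extra layers.
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = full_decode(raw)
        if _SHELL_META.search(value):
            hits[key] = value
    return hits


def scan_access_log(lines):
    """Return (ip, status, hits) for every parsable line with a flagged parameter."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real monitor would count these separately
        hits = flag_request(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("status"), hits))
    return findings


SAMPLE_LOG = [  # constructed sample lines; 203.0.113.0/24 is documentation address space
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /cgi-bin/lookup?name=cwe.mitre.org HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2010:13:56:01 +0000] "GET /cgi-bin/lookup?name=cwe.mitre.org%20%3B%20/bin/ls%20-l HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2010:13:56:07 +0000] "GET /cgi-bin/lookup?name=cwe.mitre.org%2520%253B%2520/bin/ls HTTP/1.1" 200 77',
]
```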
Phases: Architecture and Design; Operation
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phases: Operation; Implementation
Strategy: Environment Hardening
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-261, and similar issues.
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Development Concepts (primary)699; Research Concepts (primary)1000 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 727 | OWASP Top Ten 2004 Category A6 - Injection Flaws | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | Category | 744 | CERT C Secure Coding Section 10 - Environment (ENV) | Weaknesses Addressed by the CERT C Secure Coding Standard734 |
ChildOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750 |
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors(primary)800 |
ChildOf | Category | 810 | OWASP Top Ten 2010 Category A1 - Injection | Weaknesses in OWASP Top Ten (2010)(primary)809 |
CanAlsoBe | Weakness Base | 88 | Argument Injection or Modification | Research Concepts1000 |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary)630 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary)635 |
CanFollow | Weakness Base | 184 | Incomplete Blacklist | Research Concepts1000 |
Research Gaps (CWE's view)
More investigation is needed into the distinction between the OS command injection variants, including the role of argument injection (CWE-88). Equivalent distinctions may exist in other injection-related problems such as SQL injection.
Affected Resources
System Process
Functional Areas
Program invocation
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | OS Command Injection |
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution |
OWASP Top Ten 2004 | A6 | CWE More Specific | Injection Flaws |
CERT C Secure Coding | ENV03-C | | Sanitize the environment when invoking external programs |
CERT C Secure Coding | ENV04-C | | Do not call system() if you do not need a command processor |
CERT C Secure Coding | STR02-C | | Sanitize data passed to complex subsystems |
WASC | 31 | | OS Commanding |
Related Attack Patterns
CAPEC-ID | Attack Pattern Name (CAPEC Version 1.5) |
---|---|
15 | Command Delimiters |
43 | Exploiting Multiple Input Interpretation Layers |
88 | OS Command Injection |
6 | Argument Injection |
108 | Command Line Execution through SQL Injection |
White Box Definitions
A weakness where the code path has:
1. a start statement that accepts input
2. an end statement that executes an operating system command, where
a. the input is part of the operating system command, and b. the operating system command is undesirable
Here "undesirable" is defined through the following scenarios:
1. not validated
2. incorrectly validated
References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
Pascal Meunier. "Meta-Character Vulnerabilities". 2008-02-20. <http://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf>.
Robert Auger. "OS Commanding". 2009-06. <http://projects.webappsec.org/OS-Commanding>.
Lincoln Stein and John Stewart. "The World Wide Web Security FAQ". chapter: "CGI Scripts". 2002-02-04. <http://www.w3.org/Security/Faq/wwwsf4.html>.
Jordan Dimov, Cigital. "Security Issues in Perl Scripts". <http://www.cgisecurity.com/lib/sips.html>.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 10: Command Injection." Page 171. McGraw-Hill. 2010.
Frank Kim. "Top 25 Series - Rank 9 - OS Command Injection". SANS Software Security Institute. 2010-02-24. <http://blogs.sans.org/appsecstreetfighter/2010/02/24/top-25-series-rank-9-os-command-injection/>.
Update History
[2011-04-21]
Updated to the data as of 2010-10-12.
[2009-06-29]
Created from the following URL, as of 2009-02-02:
http://cwe.mitre.org/data/definitions/78.html
Registered: 2011/04/21
Last updated: 2024/11/01