I. Concept
1. What is OS command injection?
OS Command Injection (also known as shell injection) is a vulnerability that allows an attacker to execute arbitrary operating system commands on the server running the application, with the privileges of the web server process. The vulnerability occurs when an application builds a shell command from user input to perform a task but does not validate or sanitize that input properly.
An OS command injection vulnerability could allow an attacker to perform actions such as:
- Executing system commands.
- Damaging the application, the server running it, and the data stored on it.
- Performing SSRF.
- Obtaining a reverse shell.
- …
Depending on the privileges of the web server process, this vulnerability could allow an attacker to perform a wide range of actions.
II. For example
1. Demo
For this example, I will use DVWA (Damn Vulnerable Web Application), a web application commonly used to learn about web application vulnerabilities.
Here, the application has a function that performs a ping command with the ip value entered by the user.
The code that performs this function is:
```php
<?php
if ( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if ( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user
    $html .= "<pre>{$cmd}</pre>";
}
?>
```
As you can see in the code above, the ip parameter is not validated or sanitized in any way. The application concatenates this value directly into the shell command, executes it, and prints the returned output to the screen.
Because there is no input validation, an attacker can append additional OS commands to the ip parameter, for example 192.168.0.10&ls
As the image above shows, the returned result includes the lines
```text
help
index.php
source
```
which are the output of the ls command inserted into the ip parameter. This confirms that the application is vulnerable to OS command injection.
2. The actual flaw
OS Command Injection is a vulnerability that has existed for a long time. However, it is far from gone today. On https://cve.mitre.org/ we can still find CVEs for this type of vulnerability, including some published this year, such as:
- CVE-2020-9478: found in Rubrik 5.0.3-2296.
- CVE-2020-9020: found in Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices.
- CVE-2020-8427: found in Kaseya Traverse before version 9.5.20.
More CVEs for this vulnerability class can be found at https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=OS+Command+Injection .
III. How to avoid OS Command Injection vulnerabilities
To prevent OS Command Injection vulnerabilities, we need to:
- Avoid calling system commands from application code unless it is absolutely necessary.
- If the use of system commands cannot be avoided, make sure that input validation is applied correctly:
  - The value entered is in a whitelist of permitted values.
  - The value is of the type the application expects (number, string, …).
  - The input value contains only alphanumeric characters, with no shell formatting or syntax.
  - …
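To show what the rules above look like in practice, here is a hardened version of the ping handler. This is an added example written for this article, not DVWA's own code; it assumes the same request shape as the DVWA snippet (a Submit button and an ip field) and the same $html output variable. The function names validate_ip_target and safe_ping are my own.

```php
<?php
// Added example (not DVWA's code): hardened version of the ping handler.
// Assumes the request arrives via $_POST['Submit'] and $_POST['ip'], and
// that the result is appended to $html, as in the DVWA snippet above.

/**
 * Whitelist by type: accept only a single bare IPv4 or IPv6 address.
 * Returns the address on success, or null for anything else (hostnames,
 * whitespace, shell metacharacters such as & ; | ` $ are all rejected).
 */
function validate_ip_target(string $value): ?string
{
    $ip = filter_var(trim($value), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/**
 * Run ping against a validated target.
 * escapeshellarg() is applied as defence in depth: even if the validation
 * rule were loosened later, the value could not break out of the argument.
 * Returns the command output, or null if the input was rejected.
 */
function safe_ping(string $target): ?string
{
    $ip = validate_ip_target($target);
    if ($ip === null) {
        return null; // refuse to run anything for invalid input
    }

    $arg = escapeshellarg($ip);
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = 'ping ' . $arg;       // Windows
    } else {
        $cmd = 'ping -c 4 ' . $arg;  // *nix
    }
    return shell_exec($cmd);
}

$html = '';
if (isset($_POST['Submit'])) {
    // Read only from $_POST (not $_REQUEST) so the parameter cannot also be
    // supplied through the query string or a cookie.
    $output = safe_ping((string) ($_POST['ip'] ?? ''));
    if ($output === null) {
        $html .= '<pre>Invalid IP address.</pre>';
    } else {
        // Encode the command output before placing it in the page so the
        // result cannot be abused for HTML injection either.
        $html .= '<pre>' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```

With this version, the payload from the demo (192.168.0.10&ls) is rejected by validate_ip_target before any command runs, because FILTER_VALIDATE_IP does not accept the trailing &ls. The escapeshellarg() call is not the primary control; strict validation against the expected type is, and the escaping only backs it up.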
IV. Summary
OS Command Injection is an old vulnerability class, but it remains very dangerous because it allows an attacker to run system commands on the server. Hopefully, this short article helps you recognize and avoid this vulnerability.