CAPEC-15 - Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 1
  • Injection
  • Purposes 1
  • Penetration
  • Scopes 2
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Read application data
  • Confidentiality

Medium level: The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Software's input validation or filtering must not detect and block presence of additional malicious command.

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Step 1 - Assess Target Runtime Environment

In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters..

Tecnique ID: 1 - Environment(s) env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web

Port mapping using network connection-based software (e.g., nmap, nessus, etc.)

Tecnique ID: 2 - Environment(s) env-Local

Port mapping by exploring the operating system (netstat, sockstat, etc.)

Tecnique ID: 3 - Environment(s) env-All

TCP/IP Fingerprinting

Tecnique ID: 4 - Environment(s) env-All

Induce errors to find informative error messages

Indicator ID: 1 - Environment(s) env-Web env-CommProtocol env-Peer2Peer env-Embedded

Type: Positive

The target software accepts connections via the network.


Security Control ID: 1

Type: Preventative

Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).

Security Control ID: 2

Type: Preventative

Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.

Security Control ID: 3

Type: Detective

Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.


Outcome ID: 1

Type: Success

Operating environment (operating system, language, and/or middleware) is correctly identified.

Outcome ID: 2

Type: Inconclusive

Multiple candidate operating environments are suggested.


Step 2 - Survey the Application

The attacker surveys the target application, possibly as a valid and authenticated user.

Tecnique ID: 1 - Environment(s) env-Web

Spidering web sites for all available links

Tecnique ID: 2 - Environment(s) env-All

Inventory all application inputs

Indicator ID: 1 - Environment(s) env-Web env-ClientServer

Type: Positive

Attacker develops a list of valid inputs


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.

Security Control ID: 4

Type: Detective

Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).


Outcome ID: 1

Type: Success

The attacker develops a list of likely command delimiters.



Step 1 - Attempt delimiters in inputs

The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time..

Tecnique ID: 1 - Environment(s) env-CommProtocol env-Web env-Peer2Peer env-ClientServer

Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

Tecnique ID: 2 - Environment(s) env-Web

Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

Tecnique ID: 3 - Environment(s) env-Embedded env-Local env-ClientServer

Enter command delimiters directly in input fields.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Attack step 2 is successful.


Outcome ID: 1

Type: Success

One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.



Step 1 - Use malicious command delimiters

The attacker uses combinations of payload and carefully placed command delimiters to attack the software..


Design: Perform whitelist validation against a positive specification for command length, type, and parameters.

Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account

Implementation: Perform input validation for all remote content.

Implementation: Use type conversions such as JDBC prepared statements.