CAPEC-88 - OS Command Injection

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 2
  • Injection
  • API Abuse
  • Purposes 2
  • Penetration
  • Exploitation
  • Sec Principles 2
  • Least Privilege
  • Reluctance To Trust
  • Scopes 3
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Bypass protection mechanism
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Read application data
  • Confidentiality

High level: The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.

User controllable input used as part of commands to the underlying operating system.

Never Use Unvalidated Input as Part of a Directive to any Internal Component

Step 1 - Identify inputs for OS commands

The attacker determines user controllable input that gets passed as part of a command to the underlying operating system..

Tecnique ID: 1 - Environment(s) env-Local env-CommProtocol env-Peer2Peer env-ClientServer

Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.

Tecnique ID: 2 - Environment(s) env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web

TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.

Tecnique ID: 3 - Environment(s) env-All

Induce errors to find informative error messages

Indicator ID: 1 - Environment(s) env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer

Type: Positive

The target software accepts connections via the network.


Security Control ID: 1

Type: Preventative

Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).

Security Control ID: 2

Type: Preventative

Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.

Security Control ID: 3

Type: Detective

Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.


Outcome ID: 1

Type: Success

Operating environment (operating system, language, and/or middleware) is correctly identified.

Outcome ID: 2

Type: Inconclusive

Multiple candidate operating environments are suggested.


Step 2 - Survey the Application

The attacker surveys the target application, possibly as a valid and authenticated user.

Tecnique ID: 1 - Environment(s) env-Web

Spidering web sites for all available links

Tecnique ID: 2 - Environment(s) env-All

Inventory all application inputs

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Attacker develops a list of valid inputs


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.

Security Control ID: 4

Type: Detective

Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).


Outcome ID: 1

Type: Success

The attacker develops a list of likely command delimiters.



Step 1 - Vary inputs, looking for malicious results.

Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application.

Tecnique ID: 1 - Environment(s) env-CommProtocol env-Web env-Peer2Peer env-ClientServer

Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

Tecnique ID: 2 - Environment(s) env-Web

Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Inventorying in prior step is successful.


Outcome ID: 1

Type: Success

One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.



Step 1 - Execute malicious commands

The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way..

Tecnique ID: 1 - Environment(s) env-All

The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

Tecnique ID: 2 - Environment(s) env-All

The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

Tecnique ID: 3 - Environment(s) env-All

The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).

Security Control ID: 1

Type: Preventative

Make commonly exploited administrative tools log their execution.

Security Control ID: 2

Type: Preventative

Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.)


Outcome ID: 1

Type: Success

The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity.



Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.

Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands

All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.