OS Command Injection Cheat Sheet, Attack Examples & Protection

An Operating System (OS) command injection attack occurs when an attacker executes system-level commands through a vulnerable web application. An application is considered vulnerable to OS command injection if it can be manipulated, via its web interface, into executing system commands the developer never intended.


What is OS Command injection?

These high-impact attacks involve injecting malicious commands into commands the application legitimately runs. Shell meta-characters (&, |, ;) are usually used to chain the attacker's command onto the valid one and so create an OS command injection.

Just like SQL injections, OS command injections can be either blind or error-based; error-based ones are more severe because the command output is returned to the attacker directly, making the injection transparent and obvious.


OS Command injection examples

This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection: user input is pasted into a command string that is then handed to the shell.

use CGI qw(:standard);

my $name     = param('name');            # attacker-controlled CGI parameter
my $nslookup = "/path/to/nslookup";
print header;
# Two-argument open() with a trailing "|" passes the whole string to the shell,
# so any meta-characters in $name are interpreted as command separators.
if (open(my $fh, "$nslookup $name|")) {
    while (<$fh>) {
        print escapeHTML($_);
        print "<br>\n";
    }
    close($fh);
}

Suppose an attacker provides a domain name like this: cwe.mitre.org%20%3B%20/bin/ls%20-l

The “%3B” sequence decodes to the “;” character, and the %20 decodes to a space. The open() statement would then process a string like this: /path/to/nslookup cwe.mitre.org ; /bin/ls -l

As a result, the attacker executes the "/bin/ls -l" command and gets a listing of all the files in the program's working directory. To make matters worse, a more dangerous payload can be crafted to perform more severe malicious actions.
This code did not validate or sanitize the user input before using it in the command it executes. Hence the attacker was able to run a command of their choosing on the server.


How to prevent OS Command Injection attacks?

Ideally, a developer should use existing APIs for their relevant programming languages.

For example, while programming in Java, the developer should use the available Java API located at javax.mail.*. If no such API exists, the developer should validate the input using a regex or a whitelist of accepted values. This is much better than using Runtime.exec() (see code below) to issue a 'mail' command.

class Win32 extends OS {
    public void email(String subject, String body) throws Exception {
        // subject and body come from the user and are concatenated straight into a shell command line
        String cmd = "cmd.exe /c start \"\"\"" + formatMailto(subject, body) + "\"";
        Runtime.getRuntime().exec(cmd);
    }
}

When it’s not technically possible to remove the command execution, the best way to stay protected is to execute only static strings that do not include user input.
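The two defences described above (validate the input against an allowlist, and never let user input reach a shell) applied to the DNS lookup example from earlier on this page, as an added Python re-implementation that is not the page's own code. The hostname regex and the nslookup path are assumptions; the argv list form of subprocess.run bypasses the shell entirely, so ";" "|" and "&" can no longer separate commands.

```python
import re
import subprocess
from urllib.parse import unquote

# Constructed allowlist (assumption): RFC 1123-style hostname, labels of
# letters, digits and hyphens joined by dots. Shell meta-characters, spaces
# and slashes are simply not in the accepted alphabet.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?"
)

NSLOOKUP = "/usr/bin/nslookup"  # assumed path, like /path/to/nslookup in the Perl example


def is_valid_hostname(name: str) -> bool:
    """Allowlist check: accept only syntactically valid DNS names."""
    return HOSTNAME_RE.fullmatch(name) is not None


def build_lookup_argv(raw_param: str) -> list:
    """URL-decode the CGI parameter, validate it, and return an argv list.

    Returning a list (not a string) means the process is started directly
    with execve-style arguments; no shell ever parses the user's input.
    """
    name = unquote(raw_param)
    if not is_valid_hostname(name):
        raise ValueError(f"rejected lookup target: {name!r}")
    return [NSLOOKUP, name]


def accepts(raw_param: str) -> bool:
    """True if the raw CGI parameter would be allowed through to nslookup."""
    try:
        build_lookup_argv(raw_param)
        return True
    except ValueError:
        return False


def run_lookup(raw_param: str) -> str:
    """Safe equivalent of the vulnerable open("$nslookup $name|") call."""
    argv = build_lookup_argv(raw_param)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    # The page's payload, URL-encoded as it arrives in the request, is rejected
    # before any process is started.
    print(accepts("cwe.mitre.org"), accepts("cwe.mitre.org%20%3B%20/bin/ls%20-l"))
```

Even if the allowlist were loosened, the list-form invocation alone would make the injected ";" part of the single argument handed to nslookup rather than a command separator.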


Preventing OS Command Injection attacks with CxSAST

CxSAST searches and warns about any user input that affects a command execution without being validated or sanitized beforehand.
