[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ID: 77Date: (C)2012-05-14   (M)2017-11-16
Type: weaknessStatus: DRAFT
Abstraction Type: Class





Description

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Extended Description

Command injection vulnerabilities typically occur when:

1. Data enters the application from an untrusted source.

2. The data is part of a string that is executed as a command by the application.

3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Likelihood of Exploit: Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 If at all possible, use library calls rather than external processes to recreate the desired functionality
 
  
Implementation
 
 If possible, ensure that all external commands called from the program are statically created.
 
  
Implementation
 
Input Validation
 
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
 
  
Operation
 
 Run time: Run time policy enforcement may be used in a white-list fashion to prevent use of any non-sanctioned commands.
 
  
System Configuration
 
 Assign permissions to the software system that prevents the user from accessing/opening privileged files.
 
  

Relationships

Related CWETypeViewChain
CWE-77 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
  2. The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable:
  3. The following code is from a web application that allows users access to an interface through which they can update their password on the system. Part of the process for updating passwords in certain network environments is to run a make command in the /var/yp directory, the code for which is shown below. (Demonstrative Example Id DX-29)
  4. The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user. (Demonstrative Example Id DX-28)
  5. The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system. (Demonstrative Example Id DX-30)

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Command Injection
 
 
CLASP  Command injection
 
 
OWASP Top Ten 2007 A2
 
Injection Flaws
 
CWE_More_Specific
 
OWASP Top Ten 2004 A1
 
Unvalidated Input
 
CWE_More_Specific
 
OWASP Top Ten 2004 A6
 
Injection Flaws
 
CWE_More_Specific
 

References:

  1. G. Hoglund G. McGraw .Exploiting Software: How to Break Code. Addison-Wesley. Published on February 2004.
  2. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 10: Command Injection." Page 171'. Published on 2010.

© 2013 SecPod Technologies