What Is an OS Command Injection?

Overview

You might have heard of this dangerous attack vector, but what actually are command injections? How do they work and how can you protect yourself?

Injection attacks are one of the most common ways hackers attack systems because it allows them to easily run many commands and codes. OS command injection is one such injection attack you need to be aware of. This exploits a vulnerability that system, database, and web application administrators should take very seriously.

Definition of OS Command Injection

OS command injection lets a malicious attacker run any command they want by exploiting a vulnerable operating system, program, application, database, or plug-in. It happens when applications fail to properly validate and sanitize the parameters they use when calling shell functions such as?system()?or?exec()?to execute system commands.

To better understand the detection and exploitation of OS command injection, it is useful to examine this issue in three main categories.

1. Direct Command Injection

Consider this from the perspective of the attacker. The cyberattacker discovers that an application is running a specific system command; they enter the malicious command as part of the expected arguments. The application then executes the original command followed by the malicious one.

The attacker employs a variety of approaches to find such a vulnerability. The easiest method to combat this is to keep the operating system up to date at all times; you could do this in collaboration with a competent IT team. You should avoid all apps and programs that might cause system vulnerabilities because the attacker may directly insert code, and the damage is unpredictable.

2. Indirect Command Injection

In the case of indirect command injection, the attacker does not directly input a code or command into the system. For this, they use a vulnerable application or program in the system. The vulnerability creates a bridge between the attacker and the operating system. Taking advantage of this communication, the attacker aims to run malicious codes and commands on the target.

The attacker executes a series of tests to identify this vulnerability and discovers that the software uses data from an external source, such as a file or an environment variable, to call a system command. The attacker then modifies the content of the external source, so it now contains a malicious command. This is then executed alongside the original application's instructions.

The main difference between direct and indirect command injection is that the attacker uses an application to communicate with the operating system. But there's no real difference between the damage the two forms of injection can do, so both need to be addressed. That's why you should make sure that the programs in your network are reliable and necessary. Don't keep apps you don't trust on your device.

3. Blind Command Injection

Another type of OS command injection is blind command injection. This means that the application does not return any output from the command in the HTTP response. The attacker uses different techniques such as time delay and output routing to exploit this vulnerability.

Imagine that you are searching for a website, and the "/?search=id" value in the URL changes with each search. The id value here can be a user page, the address of a product photo, or any page on the site. The attacker can get different results by changing the id value. It's difficult to do it manually, but there are?tools like Burp Suite?for this. Later, the attacker discovers an oddity on a page: an id value might be returned that, even though it didn't show any results, the?website's response was 200, which indicates that everything is fine. In such a case, the attacker could use a blind command injection.

A technique such as a time delay is especially useful. Since the page that opens will be blank, you will not receive any response, but you might still be able to gather information about what's stored in a database based on time delays that only load the page if a certain character is present. This is too time-consuming to be a manual process, but plenty of tools can automate the attack.

An Example Attack Scenario

Let's review all of the above through an example. Imagine you have a shopping app that lets the user see if products are in stock. Let's use a URL like the one below to access all this information:

https://example_unsafe_store.com/stockStatus?productID=245&storeID=

Imagine passing the product and store IDs as arguments to a shell command, such as "stockstat.pl 245 38", since the application would have to query for old records. If the developer takes no action against command injections, an attacker can send an input to execute the desired command:

& echo this_a_harmful_command &

If this entry goes in the productID parameter, the command executed by the application will be:

stockstat.pl & echo this_a_harmful_command & 38

The echo command is a useful method for detecting command injections as well as making sure that the given string appears in the output. The "&" character is a?shell command separator, so what is executed is three separate commands, one after the other. As a result, the output returned to the user will be:

Error -productID not found

this_a_harmful_command

38: command not found

Here, the "stockstat.pl" file executed the command without the arguments it expected and therefore returned an error message. Then, the echo command injected by the attacker ran and the attacker saw the expression he entered on the screen. The original argument, "38", ran as an error-causing command.

How to Protect Against OS Command Injections

Although command injection is a powerful and harmful attack vector, there are some tricks to avoiding it. The rationale behind OS command injection attacks is to execute certain operating system commands using an application. You need to stop this from happening. There are some issues to consider:

1. You must prevent anyone with access to the application from being able to run code.
2. You should prevent anyone with access to the application from making requests to the server with syntactic expressions.
3. You must encrypt the phrases that anyone with access makes requests.

Let's go through each item one by one. A good solution to the first problem is to?use the whitelist method?to prevent anyone reaching the application layer from running certain codes or requests. Anyone you do not identify will not be able to run code.

The solution to the second is to not accept some text expressions used in commands. The user can only enter numerical values. Apply this together with the whitelist method, and you will have a much more secure system.

The third item is about the encryption of syntactic parameters such as the entered character, and spaces. As a result, the whitelisting method, syntactic checking of inputs, and encryption of inputs should protect you from OS command injection.

If you like this article,please let me know your thoughts in the comment section.