This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.
There are at least two subtypes of OS command injection:
From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
Scope | Impact | Likelihood |
---|---|---|
Confidentiality Integrity Availability Non-Repudiation | Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Read Files or Directories, Modify Files or Directories, Read Application Data, Modify Application Data, Hide Activities Note: Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. |
Reference | Description |
---|---|
OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV. | |
Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV. | |
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. | |
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. | |
Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. | |
Web server allows command execution using "|" (pipe) character. | |
FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. | |
Shell metacharacters in a filename in a ZIP archive | |
Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. | |
OS command injection through environment variable. | |
OS command injection through https:// URLs | |
Chain: incomplete denylist for OS command injection | |
Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters. |
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
According to SOAR, the following detection techniques may be useful:
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-108 | Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host. |
CAPEC-15 | Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. |
CAPEC-43 | Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: |
CAPEC-6 | Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods. |
CAPEC-88 | OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system. |
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
PLOVER | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Sean Eidemiller | Cigital | added/updated demonstrative examples | |
Eric Dalci | Cigital | updated Time_of_Introduction | |
KDM Analytics | added/updated white box definitions | ||
Veracode | Suggested OWASP Top Ten 2004 mapping | ||
CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Observed_Examples, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Name, Related_Attack_Patterns | |
KDM Analytics | Improved the White_Box_Definition | ||
CWE Content Team | MITRE | updated Description, Name, White_Box_Definitions | |
CWE Content Team | MITRE | updated Observed_Examples, References | |
CWE Content Team | MITRE | updated Detection_Factors | |
CWE Content Team | MITRE | updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Description, Potential_Mitigations | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Description | |
CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations, Relationships | |
CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations, Relationships | |
CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated References | |
CWE Content Team | MITRE | updated Common_Consequences, Description | |
CWE Content Team | MITRE | updated Detection_Factors, References, Relationships, Time_of_Introduction | |
CWE Content Team | MITRE | updated Mapping_Notes, Relationships | |
CWE Content Team | MITRE | updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Diagram, References | |
CWE Content Team | MITRE | updated Relationships |