CAPEC-15

Command Delimiters
High
High
Draft
2014-06-23 00h00 +00:00
2021-06-24 00h00 +00:00

CAPEC Description

An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or denylist input validation, as opposed to allowlist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC Information

Execution Flow

1) Explore

[Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

Techniques
  • Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
  • Port mapping by exploring the operating system (netstat, sockstat, etc.)
  • TCP/IP Fingerprinting
  • Induce errors to find informative error messages
2) Explore

[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user.

Techniques
  • Spidering web sites for all available links
  • Inventory all application inputs
3) Experiment

[Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

Techniques
  • Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
  • Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
  • Enter command delimiters directly in input fields.
4) Exploit

[Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

Prerequisites

The software's input validation or filtering must not detect and block the presence of additional malicious commands.

Skills Required

The attacker has to identify the injection vector, identify the specific commands, and optionally collect the output, e.g., from an interactive session.

Resources Required

Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or another method such as FTP.

Mitigations

Design: Perform allowlist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so that if commands circumvent the program's input validation or filter routines, the commands do not run under a privileged account.
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.
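The contrast between the denylist weakness (CWE-184) and the allowlist mitigation above, as an added example that is not part of the CAPEC entry or any MITRE code. It assumes a hypothetical lookup tool that passes a user-supplied hostname to an external program; the sample inputs are constructed.

```python
"""Denylist vs. allowlist validation of a hostname before it reaches a command.

Added illustration, not CAPEC/MITRE code. The lookup tool and its inputs are
hypothetical; the point is that an allowlist plus an argv list (no shell) is
the mitigation this entry describes.
"""
import re
from typing import List

# Denylist (CWE-184): only the delimiters the developer happened to think of.
DENIED_DELIMITERS = {";", "&", "`"}


def denylist_check(user_input: str) -> bool:
    """Return True if the input contains none of the denied delimiters."""
    return not any(ch in user_input for ch in DENIED_DELIMITERS)


# Allowlist (the 'Design' mitigation): a positive specification of a hostname.
# Each label is letters, digits or hyphens, 1-63 chars, not starting/ending
# with a hyphen; labels are joined by dots. Anything else is rejected.
HOSTNAME_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{HOSTNAME_LABEL}(\.{HOSTNAME_LABEL})*")


def allowlist_check(user_input: str) -> bool:
    """Return True only if the whole input matches the hostname specification."""
    return len(user_input) <= 253 and HOSTNAME_RE.fullmatch(user_input) is not None


def build_lookup_argv(host: str) -> List[str]:
    """Validate against the allowlist, then build an argv list.

    The host is always a single argv element, so no shell ever parses it;
    run it with subprocess.run(argv) (shell=False, the default).
    """
    if not allowlist_check(host):
        raise ValueError("hostname rejected by allowlist validation")
    return ["nslookup", host]  # hypothetical tool name
```

The denylist passes any delimiter it does not list, which is exactly the gap this entry describes; the allowlist passes only what a hostname may contain.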

Related Weaknesses

CWE-ID   Weakness Name

CWE-146  Improper Neutralization of Expression/Command Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

CWE-77   Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-184  Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-185  Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.

CWE-93   Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CWE-140  Improper Neutralization of Delimiters
The product does not neutralize or incorrectly neutralizes delimiters.

CWE-157  Failure to Sanitize Paired Delimiters
The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

CWE-138  Improper Neutralization of Special Elements
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CWE-154  Improper Neutralization of Variable Name Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.

CWE-697  Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect.

References

REF-1  G. Hoglund, G. McGraw. Exploiting Software: How to Break Code.

Submission

Name                Organization           Date               Release Date
CAPEC Content Team  The MITRE Corporation  2014-06-23 +00:00

Modifications

Name                Organization           Date               Comment
CAPEC Content Team  The MITRE Corporation  2019-09-30 +00:00  Updated Related_Attack_Patterns
CAPEC Content Team  The MITRE Corporation  2020-07-30 +00:00  Updated Description, Mitigations
CAPEC Content Team  The MITRE Corporation  2021-06-24 +00:00  Updated Related_Weaknesses