Command Injection

Description

The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).

命令注入攻击指攻击者在有漏洞的程序中注入并执行特定的指令。在这种情况下，执行非期望的系统指令的应用程序类似于伪系统shell，攻击者可以以任何系统授权的用户使用该程序。但是，命令同应用程序拥有相同的权限和环境。命令注入攻击多发生在缺少正确的输入验证的可被攻击者操作（如表单、cookies、HTTP头等等）的程序中。

There is a variant of the Code Injection attack. The difference with code injection is that the attacker adds his own code to the existing code. In this way, the attacker extends the default functionality of the application without the necessity of executing system commands. Injected code is executed with the same privileges and environment as the application has.

代码注入攻击是命令注入攻击的一种变体。不同之处是代码注入是攻击者将自己的代码注入至漏洞程序中。在这种情况下，攻击者不需要系统命令的支持即可以扩展应用程序的函数功能。注入代码同应用程序具有相同的权限和运行环境。

An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.

操作系统命令攻击指攻击者试图通过漏洞程序执行系统级指令。如果应用程序使用用户输入的系统级命令则意味着程序可能存在允许操作系统注入攻击的漏洞。

Examples

Example 1

The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard output. It is also injectable:

下面的代码对UNIX命令cat进行了包装，是可以被注入：

#include <stdio.h>#include <unistd.h>int main(int argc, char **argv) { char cat[] = "cat "; char *command; size_t commandLength; commandLength = strlen(cat) + strlen(argv[1]) + 1; command = (char *) malloc(commandLength); strncpy(command, cat, commandLength); strncat(command, argv[1], (commandLength - strlen(cat)) ); system(command); return (0);}

Used normally, the output is simply the contents of the file requested:

正常情况下，输出仅为请求文件的内容，如：

$ ./catWrapper Story.txtWhen last we left our heroes...

However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:

但是，如果我们添加一个分号和另一个命令，这个添加的命令就会被执行，如：

$ ./catWrapper "Story.txt; ls"When last we left our heroes...Story.txt               doubFree.c              nullpointer.cunstosig.c              www*                    a.out*format.c                strlen.c                useFree*catWrapper*             misnull.c               strlength.c             useFree.ccommandinjection.c      nodefault.c             trunc.c                 writeWhatWhere.c

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

如果catWrapper被设置高于标准用户的权限，那么可以以这个权限运行任何命令。

Example 2

The following simple program accepts a filename as a command line argument, and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

下面的例子通过命令行参数接受一个文件名，并将文件内容回显至用户。该程序以root权限安装，因为该程序被设计为学习工具，可以使系统管理员在不修改或者破坏系统文件的情况下查看设置权限的系统文件。

       int main(char* argc, char** argv) {               char cmd[CMD_MAX] = "/usr/bin/cat ";               strcat(cmd, argv[1]);               system(cmd);       }

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

因为该程序以root权限运行，也可以以root权限调用system（）。如果用户指定一个标准的文件名，该调用会正常工作。但是，如果攻击者以";rm -rf /"这种形式传送字符串，那么调用system时会因为缺少参数不能执行cat，并且执行rm -rf /删除root分区。

Example 3

The following code from a privileged program uses the environment variable $APPHOME to determine the application's installation directory, and then executes an initialization script in that directory.

下面的代码来自一个特权程序，该程序使用环境变量$APPHOME决定程序安装的目录，并在目录下执行初始化脚本。

       ...       char* home=getenv("APPHOME");       char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));       if (cmd) {               strcpy(cmd,home);               strcat(cmd,INITCMD);               execl(cmd, NULL);       }       ...

As in Example 2, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker can modify the environment variable $APPHOME to specify a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, by controlling the environment variable, the attacker can fool the application into running malicious code.

The attacker is using the environment variable to control the command that the program invokes, so the effect of the environment is explicit in this example. We will now turn our attention to what can happen when the attacker changes the way the command is interpreted.

Example 4

The code below is from a web-based CGI utility that allows users to change their passwords. The password update process under NIS includes running make in the /var/yp directory. Note that since the program updates password records, it has been installed setuid root.

The program invokes make as follows:

       system("cd /var/yp && make &> /dev/null");

Unlike the previous examples, the command in this example is hardcoded, so an attacker cannot control the argument passed to system(). However, since the program does not specify an absolute path for make, and does not scrub any environment variables prior to invoking the command, the attacker can modify their $PATH variable to point to a malicious binary named make and execute the CGI script from a shell prompt. And since the program has been installed setuid root, the attacker's version of make now runs with root privileges.

The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.

There are many sites that will tell you that Java's Runtime.exec is exactly the same as C's system function. This is not true. Both allow you to invoke a new program/process. However, C's system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using "&", "&&", "|", "||", etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter.

Example 5

The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

• C:

#include <stdlib.h>#include <stdio.h>#include <string.h>int main(int argc, char **argv){     char command[256];     if(argc != 2) {          printf("Error: Please enter a program to time!\n");          return -1;     }     memset(&command, 0, sizeof(command));     strcat(command, "time ./");     strcat(command, argv[1]);     system(command);     return 0;}

• If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!

• Java:

There are many sites that will tell you that Java's Runtime.exec is exactly the same as C's system function. This is not true. Both allow you to invoke a new program/process. However, C's system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using "&", "&&", "|", "||", etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter.

有很多网站认为Java的Runtime.exec函数同C的system函数相同，其实是不对的。两者都是唤起一个新的程序或者进程。但是，C的system函数将参数传至shell（/bin/sh）进行解析，而Runtime.exec将字符串分隔成一组单词，进而执行数组中的第一个单词，其他单词作为参数。Runtime.exec任何时候任何情况都不会调用shell。主要的不同是可以被恶意程序使用的shell提供的多数功能只是以传入第一个命令的参数结尾，并可能造成句法错误或作为无效的参数丢出。

Related Attacks

• Code Injection
• Blind SQL Injection
• Blind XPath Injection
• LDAP injection
• Relative Path Traversal
• Absolute Path Traversal

Related Controls

• Category:Input Validation

Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*

理想情况下，开发者应使用语言中存在的函数。例如，对于java使用mail命令时，应使用javax.mail.*中的Java API，而不是使用Runtime.exec调用mail命令。

If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.

如果没有可用的API，开发者应该过滤恶意字符。实现一个积极的安全模式是最有效的。通常，定义合法字符要比定义恶意字符简单的多。

References

• CWE-77: Command Injection
• CWE-78: OS Command Injection
• http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filters.html