OS Command Injection

Description
An OS command injection attack occurs when an attacker attempts to execute system-level commands through a vulnerable application. An application is considered vulnerable to OS command injection if it uses user input in a system-level command.

Examples
The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:


 * C:

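    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char command[256];

        if (argc != 2) {
            printf("Error: Please enter a program to time!\n");
            return -1;
        }

        memset(command, 0, sizeof(command));
        strcat(command, "time ./");
        /* Bounded append, so the injection is the only flaw shown here. */
        strncat(command, argv[1], sizeof(command) - strlen(command) - 1);
        /* Vulnerable: argv[1] reaches the shell unfiltered. */
        system(command);
        return 0;
    }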


 * If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semicolon, so the shell started by system() runs 'time ./ls' and then 'cat /etc/shadow'. We can now execute system commands at will!


 * Java:

    import java.util.*;
    import java.io.*;

    public class Exec {
        public static void main(String args[]) {
            try {
                Runtime rt = Runtime.getRuntime();
                // Vulnerable: args[0] is concatenated into the command string.
                Process proc = rt.exec("time ./" + args[0]);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }


 * The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.

Related Countermeasures
Ideally, a developer should use an existing API for their language. For example (Java): rather than using Runtime.exec to issue a 'mail' command, use the Java API available in javax.mail.*

If no such API is available, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.
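
A hardened version of the C timing program above, added here as an illustration and not part of the original page: it applies the positive model (a list of legal characters) and starts the program with an argument vector instead of a shell. The function names, the 64-byte length limit and the /usr/bin/time path are assumptions.

```c
/* Added example: allowlist validation plus exec without a shell. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Positive model: accept only letters, digits, '_', '-' and '.'.
   Anything else (';', '|', '&', '$', '`', spaces, '/') is rejected. */
int is_legal_name(const char *s) {
    static const char legal[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;        /* assumed length limit */
    if (s[0] == '-' || s[0] == '.') return 0;  /* no option-like or dot names */
    return strspn(s, legal) == len;            /* every byte must be legal */
}

/* Run "time ./<name>" through an argument vector, so no shell parses the
   input. Returns the child's exit status, or -1 on rejection or failure. */
int run_timed(const char *name) {
    char path[80];
    if (!is_legal_name(name)) return -1;
    snprintf(path, sizeof(path), "./%s", name);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const args[] = { "time", path, NULL };
        execv("/usr/bin/time", args);  /* assumed location of time(1) */
        _exit(127);                    /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Error: Please enter a program to time!\n");
        return -1;
    }
    int rc = run_timed(argv[1]);
    if (rc == -1) fprintf(stderr, "Rejected or failed: %s\n", argv[1]);
    return rc;
}
```

With this version the input 'ls; cat /etc/shadow' is rejected before any process is started.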