Difference between revisions of "OS Command Injection"

From OWASP
Jump to: navigation, search
 
Line 2: Line 2:
  
 
==Description==
 
==Description==
 +
 +
An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
  
 
==Examples ==
 
==Examples ==
 +
 +
The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:
 +
 +
:* C:
 +
 +
#include <stdlib.h>
 +
#include <stdio.h>
 +
#include <string.h>
 +
 +
int main(int argc, char **argv)
 +
{
 +
      char command[256];
 +
 +
      if(argc != 2) {
 +
          printf("Error: Please enter a program to time!\n");
 +
          return -1;
 +
      }
 +
 +
      memset(&command, 0, sizeof(command));
 +
 +
      strcat(command, "time ./");
 +
      strcat(command, argv[1]);
 +
 +
      system(command);
 +
      return 0;
 +
}
 +
 +
:* If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!
 +
 +
:* Java:
 +
 +
import java.util.*;
 +
import java.io.*;
 +
 +
public class Exec
 +
{
 +
      public static void main(String args[])
 +
      {
 +
          try
 +
          {
 +
                Runtime rt = Runtime.getRuntime();
 +
                Process proc = rt.exec("time ./" + args[0]);
 +
          }
 +
          catch(Exception e)
 +
          {
 +
                e.printStackTrace();
 +
          }
 +
      }
 +
}
 +
 +
:* The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.
  
 
==Related Threats==
 
==Related Threats==
Line 12: Line 65:
  
 
==Related Countermeasures==
 
==Related Countermeasures==
 +
 +
Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*
 +
 +
If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.
  
 
==Categories==
 
==Categories==

Revision as of 10:29, 30 June 2006

This is an Attack. To view all attacks, please see the Attack Category page.


Description

An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.

Examples

The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

  • C:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
     char command[256];

     if(argc != 2) {
          printf("Error: Please enter a program to time!\n");
          return -1;
     }

     memset(&command, 0, sizeof(command));

     strcat(command, "time ./");
     strcat(command, argv[1]);

     system(command);
     return 0;
}
  • If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!
  • Java:
import java.util.*;
import java.io.*;

public class Exec
{
     public static void main(String args[])
     {
          try
          {
               Runtime rt = Runtime.getRuntime();
               Process proc = rt.exec("time ./" + args[0]);
          }
          catch(Exception e)
          {
               e.printStackTrace();
          }
     }
}
  • The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*

If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.