What Is an OS Command Injection?
Injection attacks are one of the most common ways hackers attack systems because it allows them to easily run many commands and codes. OS command injection is one such injection attack you need to be aware of. This exploits a vulnerability that system, database, and web application administrators should take very seriously.
So what is an OS command injection attack?
Definition of OS Command Injection
OS command injection lets a malicious attacker run any command they want by exploiting a vulnerable operating system, program, application, database, or plug-in. It happens when applications fail to properly validate and sanitize the parameters they use when calling shell functions such assystem()orexec()to execute system commands.
To better understand the detection and exploitation of OS command injection, it is useful to examine this issue in three main categories.
1. Direct Command Injection
Consider this from the perspective of the attacker. The cyberattacker discovers that an application is running a specific system command; they enter the malicious command as part of the expected arguments. The application then executes the original command followed by the malicious one.
The attacker employs a variety of approaches to find such a vulnerability. The easiest method to combat this is to keep the operating system up to date at all times; you could do this in collaboration with a competent IT team. You should avoid all apps and programs that might cause system vulnerabilities because the attacker may directly insert code, and the damage is unpredictable.
2. Indirect Command Injection
In the case of indirect command injection, the attacker does not directly input a code or command into the system. For this, they use a vulnerable application or program in the system. The vulnerability creates a bridge between the attacker and the operating system. Taking advantage of this communication, the attacker aims to run malicious codes and commands on the target.
The attacker executes a series of tests to identify this vulnerability and discovers that the software uses data from an external source, such as a file or an environment variable, to call a system command. The attacker then modifies the content of the external source, so it now contains a malicious command. This is then executed alongside the original application’s instructions.
The main difference between direct and indirect command injection is that the attacker uses an application to communicate with the operating system. But there’s no real difference between the damage the two forms of injection can do, so both need to be addressed. That’s why you should make sure that the programs in your network are reliable and necessary. Don’t keep apps you don’t trust on your device.
3. Blind Command Injection
Another type of OS command injection is blind command injection. This means that the application does not return any output from the command in the HTTP response. The attacker uses different techniques such as time delay and output routing to exploit this vulnerability.
Imagine that you are searching for a website, and the “/?search=id” value in the URL changes with each search. The id value here can be a user page, the address of a product photo, or any page on the site. The attacker can get different results by changing the id value. It’s difficult to do it manually, but there aretools like Burp Suitefor this. Later, the attacker discovers an oddity on a page: an id value might be returned that, even though it didn’t show any results, thewebsite’s response was 200, which indicates that everything is fine. In such a case, the attacker could use a blind command injection.
A technique such as a time delay is especially useful. Since the page that opens will be blank, you will not receive any response, but you might still be able to gather information about what’s stored in a database based on time delays that only load the page if a certain character is present. This is too time-consuming to be a manual process, but plenty of tools can automate the attack.
An Example Attack Scenario
Let’s review all of the above through an example. Imagine you have a shopping app that lets the user see if products are in stock. Let’s use a URL like the one below to access all this information:
Imagine passing the product and store IDs as arguments to a shell command, such as “stockstat.pl 245 38”, since the application would have to query for old records. If the developer takes no action against command injections, an attacker can send an input to execute the desired command:
If this entry goes in the productID parameter, the command executed by the application will be:
The echo command is a useful method for detecting command injections as well as making sure that the given string appears in the output. The “&” character is ashell command separator, so what is executed is three separate commands, one after the other. As a result, the output returned to the user will be:
Here, the “stockstat.pl” file executed the command without the arguments it expected and therefore returned an error message. Then, the echo command injected by the attacker ran and the attacker saw the expression he entered on the screen. The original argument, “38”, ran as an error-causing command.
How to Protect Against OS Command Injections
Although command injection is a powerful and harmful attack vector, there are some tricks to avoiding it. The rationale behind OS command injection attacks is to execute certain operating system commands using an application. You need to stop this from happening. There are some issues to consider:
Let’s go through each item one by one. A good solution to the first problem is touse the whitelist methodto prevent anyone reaching the application layer from running certain codes or requests. Anyone you do not identify will not be able to run code.
The solution to the second is to not accept some text expressions used in commands. The user can only enter numerical values. Apply this together with the whitelist method, and you will have a much more secure system.
The third item is about the encryption of syntactic parameters such as the entered character, and spaces. As a result, the whitelisting method, syntactic checking of inputs, and encryption of inputs should protect you from OS command injection.
Injection Attacks Evolve Everyday
There are many injection methods with different attack techniques, such as OS command, SQL, SSI, and XPath. It’s not easy trying to prevent each of them. Keep in mind that all these attacks evolve every day and take advantage of small vulnerabilities that developers overlooked. That’s why it’s vital you always stay up to date and closely follow the current developments in the world of cybersecurity.
Injection attacks can allow hackers to gain access to the internals of your system. We’ll show you exactly how they work and how to prevent them.
Obsidian finally feels complete.
Revolutionize your driving experience with these game-changing CarPlay additions.
Make sure you don’t miss these movies and shows before Netflix removes them.
Tor spoiled me forever.
Lose your laptop without this feature, and you’ll wish you had turned it on.
