VOTD: OS Command Injection
Engineering Secure Software
Last Revised: September 17, 2020
SWEN-331: Engineering Secure Software, Benjamin S Meyers

What is OS Command Injection

● Executing arbitrary commands on the host OS via a vulnerable application
  ○ Possible whenever unsafe user-supplied data (forms, cookies, HTTP packet headers, command line input, etc.) is passed to a system shell
  ○ Possible due to lack of or incomplete input neutralization
● CWE-78

Examples

    # Python
    import os

    files = input("What files should I list?")
    # User input is concatenated into a shell command line
    os.system("ls -lah " + files)

    # Ruby
    print "What files should I list?"
    line = gets
    # Single-string form: the interpolated line is handed to the shell
    system("ls -lah #{line}")

    // Java
    import java.util.Scanner;

    Scanner inputScanner = new Scanner(System.in);
    System.out.println("What files should I list?");
    String files = inputScanner.nextLine();
    String command = "ls -lah " + files;
    // Runtime.exec(String) tokenizes on whitespace and starts ls directly (no shell);
    // the user input still becomes extra arguments to ls.
    Process proc = Runtime.getRuntime().exec(command);

● *; service ipchains stop; service iptables stop;

Examples

    # Python
    import os

    files = input("What files should I list?")
    # os.system("ls -lah " + files)
    # Attempted fix: keep only the text before the first ";"
    os.system("ls -lah " + files.split(";")[0])

    # Ruby
    print "What files should I list?"
    line = gets
    # system("ls -lah #{line}")
    # Attempted fix: multi-argument form runs ls directly, without a shell
    system("ls", "-lah", "#{line.chomp}")

    // Java
    import java.util.Scanner;

    Scanner inputScanner = new Scanner(System.in);
    System.out.println("What files should I list?");
    String files = inputScanner.nextLine();
    String command = "ls -lah " + files;
    // Process proc = Runtime.getRuntime().exec(command);
    // Attempted fix: keep only the text before the first ";"
    String[] commandArr = command.split(";", 5);
    Process proc = Runtime.getRuntime().exec(commandArr[0]);

● Are these complete solutions?
  ○ ; & < > | $ ` \ ! space characters when applicable

Examples

● Apache HTTPD
  ○ They forgot to exclude pipes!
  ○ CVE-2002-0061
  ○ Fix

Mitigations

● Be careful when using functions that run OS commands
  ○ Avoid if possible
  ○ e.g. os library in Python (files, permissions, etc.)
● If you can't avoid these functions
  ○ Check if your language's system calling function can limit OS calls to a single command (e.g. ruby .chomp)
  ○ Whitelist valid user input, if you can
● Validate/sanitize your input!
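
Added example (not part of the original slides): the split-on-";" fix from the Examples slide leaves the other listed metacharacters in place, while the Mitigations advice (use the os library, allowlist the input) avoids the shell entirely. The allowlist pattern, function names and sample inputs are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Metacharacters listed on the Examples slide, plus space.
SHELL_META = set(";&<>|$`\\! ")

# Assumption: file names are restricted to this conservative allowlist
# (no path separators, no leading "-" or ".", at most 255 characters).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,254}")

def slide_fix(files: str) -> str:
    """The slide's attempted fix: keep only the text before the first ';'."""
    return files.split(";")[0]

def leftover_metachars(files: str) -> set:
    """Non-space shell metacharacters that survive slide_fix()."""
    return (SHELL_META - {" "}) & set(slide_fix(files))

def validate_names(user_input: str) -> list:
    """Allowlist check: every whitespace-separated token must be a plain name."""
    names = user_input.split()
    bad = [n for n in names if not SAFE_NAME.fullmatch(n)]
    if not names or bad:
        raise ValueError(f"rejected input: {bad or 'empty'}")
    return names

def list_files(directory: str, user_input: str) -> list:
    """List the named files with os.stat(); no shell or external command runs."""
    rows = []
    for name in validate_names(user_input):
        st = os.stat(os.path.join(directory, name))
        rows.append((stat.filemode(st.st_mode), st.st_size, name))
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("hello")
        print(list_files(d, "notes.txt"))
        # Constructed sample inputs: what the split(";") fix lets through.
        for attempt in ("notes.txt | wc -l", "notes.txt && echo x; echo y"):
            print(repr(attempt), "->", leftover_metachars(attempt))
            try:
                list_files(d, attempt)
            except ValueError as err:
                print("  allowlist:", err)
```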

Notes

● Modern web app technologies make these OS calls very easy
  ○ e.g. PHP (shell_exec), Ruby on Rails (system)
  ○ Very dangerous → access to the underlying web server can have a huge impact on CIA
● Built-in libraries make it easy, too
  ○ Python: os.system(...) or subprocess.Popen(...)
  ○ C: system(...)
● It's very tempting to think
  ○ "I can do this in one line with grep, I'll just make a system call"
  ○ "I'll move this functionality to another script and run it with a system call"