CWE-78 Improper Neutralization Of Special Elements Used In An OS Command Injection | Briskinfosec

DESCRIPTION:

OS command injection is a technique in which an attacker uses a web interface to execute operating-system commands on the web server: the user supplies OS commands through the web interface, and the application passes them on to the underlying system. Any web interface that does not properly sanitize its input is subject to this exploit. With the ability to execute OS commands, the attacker can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.

This attack differs from Code Injection, which lets the attacker add code of their own that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without needing to execute system commands.

PROBLEM LOCATION:

Common parameters and injection points (examples: file, location, path, display, load, retrieve, read):

  • Manipulation of variables that reference files, using dot-dot-slash (../) sequences and their variations, or absolute file paths.
  • It may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.
  • Code execution on the web server.
  • Are there request parameters that could be used for file-related operations?
  • Are there interesting variable names?

MITIGATION

  • Application developers sometimes implement operating system interactions by calling system utilities, for example to create and remove directories. Unescaped input in such calls can lead to arbitrary OS commands being executed.
  • If possible, do not permit appending file paths directly. Make them hard-coded, or selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, accept only the required characters (such as a-z, A-Z, 0-9) and do not allow “..”, “/”, the null byte, or any other similar unexpected characters.
  • Limit the API to allow inclusion only from one directory and the directories below it. This way you can ensure that an attacker cannot perform a directory traversal attack.
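The mitigations above, worked through for a hypothetical “display” parameter that picks a report file the application shows by running an OS utility. This is an added example, not Briskinfosec's code; the base directory /var/app/reports, the report list and the function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed example. Assumptions: reports live only under BASE_DIR and the
# application shows a report by running an OS utility on the chosen file.
BASE_DIR = Path("/var/app/reports")
ALLOWED_REPORTS = ("daily.txt", "weekly.txt", "monthly.txt")  # hard-coded list
# Allowlist: letters, digits, '_', '.', '-'; the first character may not be '.'
# or '-', so ".." and option-like names cannot pass.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def unsafe_command(display: str) -> str:
    """The pattern the page warns about: user input spliced into a shell string.
    Returned for inspection only, never executed here. A shell would parse
    metacharacters such as ';' as command separators, not as part of the name."""
    return f"cat {BASE_DIR}/{display}"


def report_by_index(index_value: str) -> Path:
    """Mitigation: select from a hard-coded list via an index variable."""
    if not index_value.isdigit():
        raise ValueError("index must be a non-negative integer")
    i = int(index_value)
    if i >= len(ALLOWED_REPORTS):
        raise ValueError("index out of range")
    return BASE_DIR / ALLOWED_REPORTS[i]


def report_by_name(name: str) -> Path:
    """Mitigation for dynamic names: allowlist the characters (rejecting '..',
    '/' and the null byte), then confirm the result stays directly under BASE_DIR."""
    if "\x00" in name or NAME_RE.fullmatch(name) is None:
        raise ValueError("file name contains characters outside the allowlist")
    candidate = BASE_DIR / name
    if candidate.parent != BASE_DIR:  # defence in depth against traversal
        raise ValueError("path escapes the report directory")
    return candidate


def safe_argv(path: Path) -> list:
    """Build the OS command as an argument vector: with no shell involved, the
    file name reaches the program verbatim and cannot introduce a second command."""
    return ["cat", "--", str(path)]


def show_report(path: Path) -> str:
    # shell=False (the default) with a list argument: no command-line parsing.
    result = subprocess.run(safe_argv(path), capture_output=True, text=True, check=True)
    return result.stdout
```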

GENERAL RESOURCES:

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution

https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/path-traversal/traversals-8-deep-exotic-encoding.txt

GENERAL TOOLS:

  • OWASP WebScarab
  • OWASP WebGoat
  • Commix
  • Burp suite
  • DotDotPwn
  • Encoding/decoding tools.
