CAPEC-15: Command Delimiters

Description

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

Extended Description

Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.

Severity :

High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-137: Parameter Injection Parameter Injection CAPEC-460: HTTP Parameter Pollution (HPP) HTTP Parameter Pollution (HPP)

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Software's input validation or filtering must not detect and block presence of additional malicious command.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-138: Improper Neutralization of Special Elements

CWE-140: Improper Neutralization of Delimiters

CWE-146: Improper Neutralization of Expression/Command Delimiters

CWE-154: Improper Neutralization of Variable Name Delimiters

CWE-157: Failure to Sanitize Paired Delimiters

CWE-184: Incomplete List of Disallowed Inputs

CWE-185: Incorrect Regular Expression

CWE-697: Incorrect Comparison

Visit http://capec.mitre.org/ for more details.