CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Command injection vulnerabilities typically occur when:

1. Data enters the application from an untrusted source.
2. The data is part of a string that is executed as a command by the application.
3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.

Command injection is a common problem with wrapper programs.

Example Vulnerable Codes

Example - 1

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.


char cmd[CMD_MAX] = "/usr/bin/cat ";strcat(cmd, argv[1]);system(cmd);int main(int argc, char** argv) {}

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).

Example - 2

The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.



c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"")
...String btype = request.getParameter("backuptype");String cmd = new String("cmd.exe /K \"System.Runtime.getRuntime().exec(cmd);...

The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.

Example - 3

The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.


...String home = System.getProperty("APPHOME");String cmd = home + INITCMD;java.lang.Runtime.getRuntime().exec(cmd);...

The code above allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME to point to a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system.

Example - 4

The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable:



char cat[] = "cat ";char *command;size_t commandLength;commandLength = strlen(cat) + strlen(argv[1]) + 1;command = (char *) malloc(commandLength);strncpy(command, cat, commandLength);strncat(command, argv[1], (commandLength - strlen(cat)) );system(command);return (0);#include <stdio.h>#include <unistd.h>int main(int argc, char **argv) {}

Used normally, the output is simply the contents of the file requested:


$ ./catWrapper Story.txtWhen last we left our heroes...

However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:


$ ./catWrapper Story.txt; lsWhen last we left our heroes...Story.txtSensitiveFile.txtPrivateData.dba.out*

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 24, 2024 3:46
Loading...
Theme Customizer
Layout

Choose your layout

Vertical
Horizontal
Two Column
Color Scheme

Choose Light or Dark Scheme.

Light
Dark
Layout Width

Choose Fluid or Boxed layout.

Fluid
Boxed
Layout Position

Choose Fixed or Scrollable Layout Position.

Topbar Color

Choose Light or Dark Topbar Color.

Light
Dark
Preloader

Choose a preloader.

Enable
Disable