Command Injection (CI)

Share on :

Command injection is an attack where the goal is to execute arbitrary commands on the host operating system through a vulnerable application.

Severity

High

Impact

Executing OS commands on the server

Examples

• Reading, Writing, Modifying or Deleting Files
• Compromising other machines on the network

How it works?

we will demonstrate simple example from DVWA web app.

let's see our back-end code:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

Walkthrough

In this scenario the application is meant to ping a device, when a user submits an IP this what happens :

Exploitation

As you can see, user supplied input is passed through shell_exec() function which is used to execute OS commands without any filtering. The attacker can manipulate this using the fact that his input is not filtered and pass his own command. An Ideal proof of concept for this vulnerability is the UNIX ls command so the payload would look like this 172.217.21.78;ls .

Here you can see a list of the file names in the directory which means that the command is successfully executed .

Common 0-day vulnerabilities

1. ImageTragick :

Multiple vulnerabilities were published on 4th of may 2016 in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to command injection if you process user submitted images due to insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats .

exploit.svg :

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
    "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
    <svg width="640px" height="480px" version="1.1"
    xmlns="http://www.w3.org/2000/svg"; xmlns:xlink=
    "http://www.w3.org/1999/xlink";>
    <image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
    x="0" y="0" height="640px" width="480px"/>
    </svg>

When ImageMagick tries to convert this SVG file to a PNG file the ls -la command executes.

This vulnerability affected tons of websites including Facebook, Yahoo, Hackerone, ...and alot more .

2. WordPress PHPMailer :

Wordpress is a free and open-source content management system (CMS) based on PHP and MySQL. In 3rd of May 2017 a command injection vulnerability in PHPMailer was published. The attack could be used by unauthenticated remote attackers to gain instant access to the target server on which a vulnerable WordPress core version was installed in its default configuration which could lead to a full compromise of the target application server.

wp-includes/pluggable.php (WP 4.6) :

<?php
if ( !isset( $from_email ) ) {
              // Get the site domain and get rid of www.
              $sitename = strtolower( $_SERVER['SERVER_NAME'] );
              if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                      $sitename = substr( $sitename, 4 );
              }

              $from_email = 'wordpress@' . $sitename;
      }

      /**
       * Filters the name to associate with the "from" email address.
       *
       * @since 2.3.0
       *
       * @param string $from_name Name associated with the "from" email address.
       */
      $from_name = apply_filters( 'wp_mail_from_name', $from_name );

      $phpmailer->setFrom( $from_email, $from_name );
      ?>

As we can see the from address is formed as follows:

$from_email = 'wordpress@' . $sitename;

It is then filtered and passed to a vulnerable setFrom() function of PHPMailer which was explained in detail in this advisory

Mitigation

• Avoid using direct OS commands and use its equivalent in the language you are using .

• Use escapeshellarg() or escapeshellcmd() to sanitize user input (PHP) .

• Using regex for example ^[a-z0-9]{1,5}$ this regex allows only characters and numbers without any special characters or white spaces, but this approach should also be combined with escapeshellarg() or escapeshellcmd()

• Don't give users privilege more than they need to use the application

Advanced Bypasses

Length limiting :

Command injection can be easily achieved if the developer relies on only limiting user's input length. An example for that, 2 challenges in HitCon CTF 2017 were about bypassing lenght limiting to execute shell commands, and these are the source code and write-ups for these challenges :

• Babyfirst revenge
• Babyfirst revenge v2

Regex :

Regex can be bypassed if the code logic is not suitable for the regex even if the same regex is safe in some cases. An example for that, a challenge in HitCon CTF 2015 was about this scenario, and this is the source code and write-up for the challenge :

• Babyfirst