Command Injection: A Deadly Needle in the Haystack

Looking across the threat landscape at cybercriminals’ go-to attack vectors, we see SQL injection high on the list. But there’s another injection method that also poses a serious threat: command injection.

Shellshock: The Vulnerability That Won’t Die

In late September 2014, a more than 20-year-old vulnerability in the GNU Bash shell, which was widely used on Linux, Solaris and OS X systems, sparked the mobilization of attacks known as Shellshock. This first vulnerability quickly gave way to the disclosure of several additional vulnerabilities affecting the UNIX shell.

IBM Managed Security Services (MSS) observed a significant increase in focused attacks targeting these vulnerabilities within 24 hours of their disclosure. The attacks came in waves, from different source IPs and originating countries. Almost two years later, we are still seeing a significant number of Shellshock attacks.


Details About Command Injection Attacks

A successful command injection attack allows an attacker to issue arbitrary commands within a vulnerable web application environment. This happens when an application passes malicious user-supplied input — via, for example, forms, cookies or HTTP headers — to a system shell. If the data input is not validated properly, the attacker can inject additional shell commands and have them executed with the permission of the vulnerable application. Simply put, this means that a critical web server and its entire back-end database can be completely compromised.

Because command injection attacks are one of the most common and successful attacks on the web, they are not likely to fade away anytime soon. Defending against these attacks requires implementation of strict defensive tactics, which are often overlooked when web applications are initially deployed — especially those applications developed in-house.
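
The difference between passing input to a system shell and passing it as data can be seen in a short Python sketch. This is an added example, not code from the IBM report; the function names, the use of `echo` as an offline stand-in for a real diagnostic tool, and the crafted input are assumptions made for illustration.

```python
import re
import subprocess

# Assumption: `echo` stands in for the real tool (ping, nslookup, ...) so this runs offline.
TOOL = "echo"

# Allowlist: dot-separated DNS labels of letters, digits and inner hyphens only.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def lookup_vulnerable(host: str) -> str:
    """Concatenates input into a shell string, so `;`, `|`, `$()` etc. are interpreted."""
    return subprocess.run(f"{TOOL} resolving {host}", shell=True,
                          capture_output=True, text=True).stdout


def run_without_shell(host: str) -> str:
    """Passes an argv list; no shell parses the input, it is a single literal argument."""
    return subprocess.run([TOOL, "resolving", host],
                          capture_output=True, text=True, check=True).stdout


def lookup_hardened(host: str) -> str:
    """Validates against the allowlist first, then runs without a shell."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host value rejected by allowlist")
    # A validated host starts with a letter or digit, so it cannot be read as an option.
    return run_without_shell(host)


if __name__ == "__main__":
    crafted = "example.com; echo INJECTED"   # constructed input with a harmless marker
    print(repr(lookup_vulnerable(crafted)))   # the second command runs
    print(repr(run_without_shell(crafted)))   # the whole string is echoed as data
    try:
        lookup_hardened(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and shell-free execution are independent layers: the argv form alone stops the shell from interpreting metacharacters, while the allowlist also rejects values the called tool itself might misread.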

The IBM report “The Importance of Thwarting Command Injection Attacks” takes a more focused look at how these attacks are perpetrated and how you can protect your web environment from them.

Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career at IBM over 15 years ago, where he was part of a core team of six IBMers that created the IBM Emergency Response Service, which eventually grew and evolved into Internet Security Systems. As an industry-recognized security expert and thought leader, Dave's background in security is full featured. Dave thrives on identifying threats and developing methods to solve complex problems. His specialties are intrusion detection/prevention, ethical hacking, forensics and analysis of malware and advanced threats. As a member of the IBM MSS Threat Research Team, Dave takes the intelligence he has gathered and turns out immediate tangible remedies that can be implemented within a customer’s network or on IBM MSS's own proprietary detection engines. Dave became interested in security back in the late 1980s and owned and operated a company that provided penetration and vulnerability testing services, one of the first of its kind. As the internet's footprint began to grow, it became clear to him there was a new problem on the horizon: protecting data. Dave worked with WheelGroup (later acquired by Cisco), where he helped develop NetRanger IDS and NetSonar. Dave also assisted with development of the very first IBM intrusion detection system, BillyGoat. Dave has also developed several other security-based methods and systems which were patented for IBM.