Looking across the threat landscape at cybercriminals’ go-to attack vectors, we see SQL injection high on the list. But there’s another injection method that also poses a serious threat: command injection.

Shellshock: The Vulnerability That Won’t Die

In late September 2014, a vulnerability that had existed for more than 20 years in the GNU Bash shell (CVE-2014-6271), widely used on Linux, Solaris and OS X systems, set off the wave of attacks known as Shellshock. The flaw was in how Bash imported function definitions from environment variables: it executed any command appended after the function body, so any service that copied attacker-controlled input into the environment of a Bash process (CGI scripts behind web servers being the most common case) could be made to run arbitrary commands. This first vulnerability quickly gave way to the disclosure of several additional Bash vulnerabilities reachable through the same feature.

IBM Managed Security Services (MSS) observed a significant increase in focused attacks targeting these vulnerabilities within 24 hours of their disclosure. The attacks came in waves, from different source IPs and originating countries. Almost two years later, we are still seeing a significant volume of Shellshock attacks.
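The mechanism behind the attacks above, as an added example that is not part of the original post: a CGI-capable web server copies request headers into environment variables (User-Agent becomes HTTP_USER_AGENT), and an unpatched Bash, while importing its environment at startup, ran whatever followed a function definition in any of those variables. The probe below reproduces the well-known local check against the installed bash; the header names, the marker string and the constructed request headers are my own choices, and the function returns None when no bash is available.

```python
import os
import shutil
import subprocess

# Marker that only appears in the output if bash executed the command that
# trails the function definition, i.e. if it is Shellshock-vulnerable.
MARKER = "SHELLSHOCK_EXECUTED"

# A function definition followed by an extra command. Pre-patch Bash parsed
# the definition *and* ran the rest of the string when importing the variable.
PAYLOAD = "() { :; }; echo " + MARKER


def cgi_env_from_headers(headers):
    """Mimic how a CGI web server exposes request headers to a script
    (RFC 3875 meta-variables): 'User-Agent' -> 'HTTP_USER_AGENT'."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def bash_is_shellshock_vulnerable(headers=None):
    """Return True if the local bash runs the payload, False if it is patched,
    None if bash is not installed. The default headers are a constructed
    request such as an attacker would send to a CGI endpoint."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    if headers is None:
        headers = {"User-Agent": PAYLOAD, "Host": "www.example.com"}
    env = dict(os.environ)
    env.update(cgi_env_from_headers(headers))
    # The "script" itself does nothing interesting; on a vulnerable bash the
    # injected command runs while the environment is imported, before '-c'
    # is even looked at.
    result = subprocess.run([bash, "-c", "echo cgi-script-ran"],
                            env=env, capture_output=True, text=True)
    return MARKER in result.stdout


if __name__ == "__main__":
    state = bash_is_shellshock_vulnerable()
    print({None: "bash not found", True: "VULNERABLE", False: "patched"}[state])
```

Run against a real CGI deployment the same idea applies over HTTP: send the payload in any header the server exports (User-Agent, Referer, Cookie) and watch for the marker, or for a delay, in the response. Any Bash released after the September 2014 patches reports "patched" here because exported functions are now stored under a distinct BASH_FUNC_ prefix rather than parsed out of arbitrary variables.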


Details About Command Injection Attacks

A successful command injection attack allows an attacker to issue arbitrary commands within a vulnerable web application environment. This happens when an application passes malicious user-supplied input (from forms, URL parameters, cookies or HTTP headers, for example) to a system shell. If the input is not validated properly, the attacker can append additional shell commands, using metacharacters such as ;, |, && or $( ), and have them executed with the privileges of the account the application runs as. Simply put, a single injectable parameter can hand over the web server and, with it, everything that server can reach, including its entire back-end database.

Because command injection attacks are one of the most common and successful attacks on the web, they are not likely to fade away anytime soon. Defending against them requires strict defensive measures: avoid invoking a shell at all where a direct process call with an argument vector will do, validate every input against an allowlist of what the parameter is supposed to contain, and run the application under an account with the least privilege it needs so that a successful injection does not become a full compromise. These measures are often overlooked when web applications are initially deployed, especially applications developed in-house.
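The injection described above and the defenses just listed, as an added example that is not from the original post or from the IBM report. A web handler takes a hostname from a request and runs a diagnostic command with it. The vulnerable version concatenates the input into a shell command line; the hardened version validates it against a hostname allowlist and passes it as a separate argv element so no shell ever parses it. printf stands in for the real diagnostic tool (ping, nslookup) so the example runs offline; the function names, the regular expression and the attacker payload are constructed for the example.

```python
import re
import subprocess

# Allowlist for a DNS hostname: letters, digits and hyphens inside labels, dots
# between labels, 253 characters max. Shell metacharacters, whitespace and a
# leading '-' (which a real tool would read as an option) all fail this check.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host):
    return bool(HOSTNAME_RE.match(host))


def lookup_vulnerable(host):
    """Classic command injection: the request parameter is spliced into a
    string that /bin/sh parses, so ';', '|', '$(...)' or backticks in it
    start new commands. 'printf' stands in for ping/nslookup."""
    cmd = "printf 'lookup %s\\n' " + host
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(host):
    """No shell: the input is one argv element, so shell metacharacters are
    inert. On its own this is still not enough; with a real tool that takes
    the host as a positional argument, a value such as '-f' would reach the
    tool's option parser (argument injection), hence lookup_hardened."""
    result = subprocess.run(["printf", "lookup %s\n", host],
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host):
    """Allowlist validation plus argv execution, the combination the text
    calls for: reject anything that is not a hostname, then exec directly."""
    if not is_valid_hostname(host):
        raise ValueError("rejected input: %r is not a hostname" % host)
    return lookup_argv_only(host)


if __name__ == "__main__":
    attacker_input = "example.com; echo INJECTED"    # constructed payload
    print(lookup_vulnerable(attacker_input), end="")   # runs the second command
    print(lookup_argv_only(attacker_input), end="")    # prints it as literal text
    try:
        lookup_hardened(attacker_input)
    except ValueError as err:
        print(err)
    print(lookup_hardened("example.com"), end="")
```

The vulnerable function returns two lines for the payload, the second produced by the injected echo; the argv version returns one line containing the payload as inert text; the hardened version never reaches the process call. Note that the validation is an allowlist of the expected shape, not a denylist of bad characters, so encodings and metacharacters the author did not think of are rejected by default.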

The IBM report “The Importance of Thwarting Command Injection Attacks” takes a more focused look at how these attacks are perpetrated and how you can protect your web environment from them.
