Looking across the threat landscape at cybercriminals’ go-to attack vectors, we see SQL injection high on the list. But there’s another injection method that also poses a serious threat: command injection.

Shellshock: The Vulnerability That Won’t Die

In late September 2014, a more than 20-year-old vulnerability in the GNU Bash shell, which was widely used on Linux, Solaris and OS X systems, sparked the mobilization of attacks known as Shellshock. This first vulnerability quickly gave way to the disclosure of several additional vulnerabilities affecting the UNIX shell.

IBM Managed Security Services (MSS) observed a significant increase in focused attacks targeting these vulnerabilities within 24 hours of their disclosure. The attacks came in waves, from different source IPs and originating countries. Almost two years later, we are still seeing a significant amount of Shellshock attacks.

Read the IBM research report on The importance of thwarting command injection attacks

Details About Command Injection Attacks

A successful command injection attack allows an attacker to issue arbitrary commands within a vulnerable web application environment. This happens when an application passes malicious user-supplied input — via, for example, forms, cookies or HTTP headers — to a system shell. If the data input is not validated properly, the attacker can inject additional shell commands and have them executed with the permission of the vulnerable application. Simply put, this means that a critical web server and its entire back-end database can be completely compromised.

Because command injection attacks are one of the most common and successful attacks on the web, they are not likely to fade away anytime soon. Defending against these attacks requires implementation of strict defensive tactics, which are often overlooked when web applications are initially deployed — especially those applications developed in-house.

The IBM report “The Importance of Thwarting Command Injection Attacks” takes a more focused look at how these attacks are perpetrated and how you can protect your web environment from them.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today