May 26, 2016 By Paul Ionescu 4 min read

In the first part of this series, I briefly mentioned two inventories of common software weaknesses: the CWE/SANS Top 25 Most Dangerous Software Errors and OWASP Top 10. The OWASP list focuses primarily on Web application attacks and is more a list of attack categories, while SANS 25 focuses on software mistakes that can facilitate an attack. These are excellent resources for developers who wish to think like a hacker and prevent zero-day vulnerabilities in their software.

The software flaw that I will discuss in this article is No. 2 on the SANS 25 list. It is officially known as OS command injection, but is also referred to as shell command injection and remote command execution (RCE).

OS command injection is the most powerful type of weakness because it allows control of the target system. That’s why it’s the first issue my team is trying to locate when we conduct a pen test. As a matter of fact, OS command injection was the principal software flaw used by my team to break into a building automation system, as disclosed in February 2016.

Notorious Examples of OS Command Injection

OS command injections are likely to impact OS components and commonly used libraries that are repackaged with various software. When such flaws are found, their impact is catastrophic because almost all software using that component is also immediately vulnerable.

This was the case with Shellshock, a set of vulnerabilities in the Unix Shell: Bash. Shellshock is maybe the most infamous shell command injection software bug of all. It even earned its own logo:

The Shellshock bug allowed attackers to send arbitrary shell commands to Web servers, network printers and other network software. It also sent system administrators and software manufacturers scrambling to patch their servers.

Because the Shellshock attack code was trivial, hackers immediately created exploits for the issue and began scanning the Internet to take over unpatched servers. This activity started within an hour of the announcement of the vulnerability. Two days later, it was reported that botnets formed from servers compromised by Shellshock were already used in denial-of-service attacks. It is incredible how fast and effective the bad guys can be when given a software bug!

Here is a video demonstrating the Shellshock bug:

https://www.youtube.com/watch?v=bhJmVBJ-F-4

What Is the Programming Flaw?

Let’s take a look at another software bug that was publicized recently. It affects the open-source ImageMagik library, which is used by various Web applications to resize or crop images. The bug, which was dubbed ImageTragik, is only a couple weeks old, but hackers immediately started to exploit it, Ars Technica reported.

The most serious vulnerability from the ImageTragik package is officially known as ‘CVE-2016-3714 – Insufficient shell characters filtering leads to (potentially remote) code execution’. This is almost identical to the SANS 25 name for OS Command Injection: ‘CWE-78: Improper Neutralization of Special Elements used in an OS Command’.

When processing external URLs, the software was substituting user input in an OS command like this:

“wget” -q -O “%o” “https:%M

Scroll to view full table

The %M part is substituted with a user-provided link. If a graphics file contains a link like this:

https://example.com/image.jpg“;|ls “-la

Scroll to view full table

Then the software will execute:

“wget” -q -O “%o” “https://example.com/image.jpg“;|ls “-la”

Scroll to view full table

As you can see, the hacker can insert his or her own commands to be executed by the ImageMagik library. This is demonstrated in the sample exploit .mvg file.

push graphic-context
viewbox 0 0 640 480
fill ‘url(https://example.com/image.jpg“;|ls “-la)’
pop graphic-context
Scroll to view full table

How to Prevent Command Injection

The main culprit for command injection is the concatenation of commands with user-supplied input. The best way to prevent it is by using parameterized functions instead, where user input is being passed as parameters rather than the initial command.

Here’s an example of vulnerable code:

char cmd[CMD_MAX] = “/usr/bin/cat “;

strcat(cmd, argv[1]);

system(cmd);

Scroll to view full table

And here is the correct code using the parameterized function. It’s even less code:

char cmd[CMD_MAX] = “/usr/bin/cat “;

execve(cmd, argv[1]);

Scroll to view full table

Most programming languages have a way to execute commands through parameterized functions, so you should always try to avoid concatenation. If you must use concatenation, then your best friend is input validation.

Be sure to leverage a white-listing approach and start from the most restrictive character set — for example, alphanumeric. But be careful what you let through. The first fix to ImageMagik introduced input validation, but permitted the ` (back quote) character, which could also be used to inject commands, like so:

Think Like a Hacker

Command injection is an extremely damaging weakness. Special attention should be paid to areas of the code that are exposed to this software flaw. By thinking like a hacker throughout the development process, you can avoid introducing OS command injection vulnerabilities in your own code.

Watch the on-demand webinar: Uncover What’s Inside the Mind of a Hacker

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today