VOTD: OS Command Injection - Engineering Secure Software - PowerPoint PPT Presentation

SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

VOTD: OS Command Injection

Engineering Secure Software

Last Revised: September 17, 2020

SLIDE 2

What is OS Command Injection

  • Executing arbitrary commands on the host OS via a vulnerable application
    ○ Possible whenever unsafe user-supplied data (forms, cookies, HTTP headers, command-line input, etc.) is passed to a system shell
    ○ Possible due to missing or incomplete input neutralization
  • CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

SLIDE 3

Examples

    # Ruby
    print "What files should I list?"
    line = gets
    system("ls -lah #{line}")      # the whole string is handed to a shell

    // Java
    import java.util.Scanner;
    Scanner inputScanner = new Scanner(System.in);
    System.out.println("What files should I list?");
    String files = inputScanner.nextLine();
    String command = "ls -lah " + files;
    Process proc = Runtime.getRuntime().exec(command);

    # Python
    import os
    files = input("What files should I list?")
    os.system("ls -lah " + files)   # os.system runs the string through sh

  • Malicious input: *; service ipchains stop; service iptables stop;

SLIDE 4

Examples

    # Ruby
    print "What files should I list?"
    line = gets
    # system("ls -lah #{line}")
    system("ls", "-lah", "#{line.chomp}")   # argument form: ls is executed directly, no shell parses the input

    // Java
    import java.util.Scanner;
    Scanner inputScanner = new Scanner(System.in);
    System.out.println("What files should I list?");
    String files = inputScanner.nextLine();
    String command = "ls -lah " + files;
    // Process proc = Runtime.getRuntime().exec(command);
    String[] commandArr = command.split(";", 5);   // keep only what precedes the first ';'
    Process proc = Runtime.getRuntime().exec(commandArr[0]);

    # Python
    import os
    files = input("What files should I list?")
    # os.system("ls -lah " + files)
    os.system("ls -lah " + files.split(";")[0])   # keep only what precedes the first ';'

  • Are these complete solutions?

SLIDE 5

Examples

  • Are these complete solutions?
    ○ No. Splitting on ; does nothing about the other characters the shell interprets: ; & < > | $ ` \ !
    ○ Space characters, when applicable (a space separates arguments, so extra options or paths can still be appended)
    ○ Only the Ruby version is sound: the multi-argument form of system passes each argument to ls directly, with no shell in between, so none of these characters are interpreted
    ○ Note that Java's Runtime.exec(String) splits the string on whitespace and runs the program directly rather than through a shell, so shell metacharacters only matter there when the command itself starts a shell (e.g. sh -c or cmd /c)

SLIDE 6

Examples

  • Apache HTTPD
    ○ They forgot to exclude pipes!
    ○ CVE-2002-0061: Apache for Windows (1.3.x before 1.3.24, 2.0.x before 2.0.34-beta) passed CGI parameters to batch-file scripts through the command interpreter; its filtering of shell metacharacters missed |, so remote attackers could execute arbitrary commands
    ○ Fix

SLIDE 7

Mitigations

  • Be careful when using functions that run OS commands
    ○ Avoid if possible
    ○ e.g. use the os library in Python (files, permissions, etc.) instead of shelling out
  • If you can't avoid these functions
    ○ Check whether your language's system-calling function can take the command and its arguments separately and run it without a shell, so the user's input is limited to a single argument of a single command (e.g. Ruby's system("ls", "-lah", line.chomp); Python's subprocess.run([...]) without shell=True). Note that .chomp alone only strips the trailing newline; it is the argument form that removes the shell.
    ○ Whitelist valid user input, if you can
  • Validate/sanitize your input!
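
The weak ';'-splitting fix from slide 4 beside the two mitigations slide 7 recommends (an allowlist, and handing the input to the program as a single argument with no shell involved), as an added Python example that is not part of the original slides. The sample inputs, the metacharacter set (slide 5's list plus newline) and every function name are constructed for this example; a Python interpreter stands in for ls as the child process so the run is portable.

```python
import json
import re
import subprocess
import sys

# Characters the shell interprets, taken from slide 5, plus newline, which
# sh also treats as a command separator. Deliberately NOT complete: globbing
# (* ?), quotes, parentheses, braces, ~ and # are all missing, which is
# exactly why a denylist is the wrong tool and argv/allowlists are preferred.
SHELL_META = frozenset(";&<>|$`\\!\n")

# Constructed sample inputs: one benign name, the slide-3 payload, and two
# variants that the ';' split on slide 4 does not stop.
PAYLOADS = [
    "notes.txt",
    "*; service ipchains stop; service iptables stop;",
    "* | service iptables stop",
    "$(service iptables stop)",
]


def naive_fix(files: str) -> str:
    """Slide 4's Python 'fix': keep only what precedes the first ';'."""
    return files.split(";")[0]


def has_shell_metachars(s: str) -> bool:
    """True if s contains any character from SHELL_META."""
    return any(c in SHELL_META for c in s)


# Allowlist (slide 7, "whitelist valid user input"): one plain file name,
# no leading '-' (so it cannot be parsed as an option), no path separators.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_allowed_filename(files: str) -> bool:
    return FILENAME_RE.fullmatch(files) is not None


def build_ls_argv(files: str) -> list[str]:
    """Shell-free form, the Python counterpart of Ruby's
    system("ls", "-lah", line.chomp): ls gets the input as ONE argv entry,
    so nothing in it is parsed as a separator, pipe or substitution."""
    return ["ls", "-lah", files]


def argv_seen_by_child(args: list[str]) -> list[str]:
    """Spawn a child WITHOUT a shell and return the argv it received.
    A Python interpreter stands in for ls so this runs anywhere."""
    child = [
        sys.executable,
        "-c",
        "import json, sys; print(json.dumps(sys.argv[1:]))",
        *args,
    ]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def classify(files: str) -> dict:
    """Run one input through the weak fix and both real mitigations."""
    after_split = naive_fix(files)
    return {
        "input": files,
        "after_split": after_split,
        "still_dangerous_for_shell": has_shell_metachars(after_split),
        "allowed_by_allowlist": is_allowed_filename(files),
        # With argv the whole string arrives as argument 2 of ls, unchanged.
        "argv_to_ls": argv_seen_by_child(build_ls_argv(files)[1:]),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(json.dumps(classify(p), indent=2))
```

The split stops slide 3's exact payload (everything after the first ; is discarded) but leaves the | and $( ) variants untouched, while the allowlist rejects all three and the argv form delivers each of them to the child as a single inert argument.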

SLIDE 8

Notes

  • Modern web app technologies make these OS calls very easy
    ○ e.g. PHP (shell_exec), Ruby on Rails (system)
    ○ Very dangerous: access to the underlying web server can have a huge impact on confidentiality, integrity and availability (CIA)
  • Built-in libraries make it easy, too
    ○ Python: os.system(...) or subprocess.Popen(...)
    ○ C: system(...)
  • It's very tempting to think
    ○ "I can do this in one line with grep, I'll just make a system call"
    ○ "I'll move this functionality to another script and run it with a system call"