CAPEC-88 OS Command Injection

CAPEC ID: 88

CAPEC-88 Metadata

Likelihood of Attack

High

Typical Severity

High

Overview

Summary

In this type of attack, an adversary injects operating system commands into an application's existing functions. Any application that uses untrusted input to build a command string that is handed to a shell or command interpreter is vulnerable. An adversary can leverage OS command injection to execute arbitrary commands with the privileges of the application process, escalate privileges and compromise the underlying operating system.

Prerequisites

User controllable input used as part of commands to the underlying operating system.

Execution Flow

Step 1 (Explore): Identify inputs for OS commands. The attacker determines which user-controllable input gets passed as part of a command to the underlying operating system.
  • Port mapping. Identify the ports the system is listening on, and attempt to identify the inputs and protocol types on those ports.
  • TCP/IP fingerprinting. The attacker uses tools that make full or partial connections and observes idiosyncratic responses from the operating system; from those responses they infer the actual operating system, and therefore which shell syntax and commands to try.
  • Induce errors to find informative error messages.
Step 2 (Explore): Survey the application. The attacker surveys the target application, possibly as a valid, authenticated user.
  • Spider web sites for all available links.
  • Inventory all application inputs.
Step 3 (Experiment): Vary inputs, looking for signs that they reach a command interpreter. Depending on whether the application is remote or local, the attacker crafts malicious input containing command delimiters and OS commands and passes it to the application.
  • Inject command delimiters using network packet injection tools (netcat, nemesis, etc.).
  • Inject command delimiters using web test frameworks (intercepting proxies, TamperData, custom programs, etc.).
Step 4 (Exploit): Execute malicious commands. The attacker may steal information, install a backdoor access mechanism, elevate privileges or compromise the system in some other way.
  • The attacker executes a command that stores sensitive information in a location from which they can retrieve it later (perhaps using a different command injection).

Potential Solutions / Mitigations

• Use language APIs that execute a program with an argument vector (execve-style calls, or a subprocess API given a list of arguments) rather than passing a command string to the operating system shell. With no shell parsing the string, delimiters such as ';', '|', '&&' and '$(...)' in the input are ordinary bytes inside one argument, and the protection mechanisms available in the language remain intact and applicable.
• Where a shell cannot be avoided, filter or escape all incoming data so that characters or strings that could be misinterpreted as operating system or shell commands are removed or neutralized. Prefer an allow-list of the expected value's grammar (for example a hostname or a file name) over a deny-list of metacharacters.
• An argument vector alone does not stop argument injection (CWE-88): a value beginning with '-' may still be parsed as an option by the invoked program, so validate values or place them after an option terminator where the program supports one.
• Run all application processes with the minimal privileges required, and have processes shed privileges as soon as they no longer need them, so that any injected command runs with as little authority as possible.
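The following Python example is added here to illustrate both the delimiter injection from Steps 3 and 4 of the execution flow and the mitigations listed above; it is not code from the CAPEC entry or from MITRE. It uses `echo` as the invoked program so that it runs anywhere a POSIX shell exists (a real feature would call something like `ping` with the same pattern), and the function names, the hostname grammar and the attacker input are all constructed for the example.

```python
"""Added example (not part of the CAPEC-88 page): a shell delimiter in
untrusted input turning one command into two, next to the mitigations the
page lists. `echo` stands in for the real program the application would run."""
import re
import shlex
import subprocess

# Constructed attacker input: a hostname field carrying a ';' command delimiter
# (Step 3 of the execution flow: inject a delimiter and watch the output).
INJECTED_HOST = "example.com; echo INJECTED"

# Hostname grammar (RFC 1123 labels). Anything outside it is rejected, which
# also blocks leading '-' values that a program would parse as an option
# (CWE-88, argument injection) even when no shell is involved.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def run_vulnerable(host: str) -> str:
    """'Before' (CWE-78): untrusted input is spliced into a command string and
    shell=True hands that string to /bin/sh, which honours ';', '|', '&&',
    '$(...)', backticks and newlines as delimiters."""
    cmd = f"echo host={host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    """Mitigation 1: pass an argument vector. No shell parses it, so the
    delimiter is ordinary bytes inside a single argument."""
    argv = ["echo", f"host={host}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """Mitigation 2 (when a shell is unavoidable): escape the value so the
    shell sees one literal word. Weaker than run_argv, because it depends on
    the shell's quoting rules being applied correctly at every call site."""
    cmd = f"echo host={shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Mitigation 3: allow-list validation before the value reaches any
    command. Returns the value unchanged or raises ValueError."""
    if len(host) > 253 or not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Validation plus an argument vector: the shape a reviewer should expect."""
    return run_argv(validate_host(host))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_HOST)))  # two commands ran
    print("argv      :", repr(run_argv(INJECTED_HOST)))        # one argument echoed
    print("quoted    :", repr(run_quoted(INJECTED_HOST)))      # one argument echoed
    for candidate in ("example.com", INJECTED_HOST, "-c"):
        try:
            print("hardened  :", repr(run_hardened(candidate)))
        except ValueError as exc:
            print("hardened  :", exc)
```

Running the vulnerable function with the constructed input produces two lines of output, because `/bin/sh` executed the injected `echo INJECTED` as a second command; the argv and quoted variants produce one line containing the delimiter as literal text, and the hardened variant refuses the value before any process is started. The least-privilege mitigation has no code counterpart here: it is enforced by the account and sandbox the application runs under, and it limits what an injected command can do rather than whether it runs.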

Related Weaknesses (CWE)

CWE ID Description
CWE-20 Improper Input Validation
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-697 Incorrect Comparison

Related CAPECs

CAPEC ID Description
CAPEC-248 Command Injection (the parent pattern of CAPEC-88). An adversary looking to execute a command of their choosing injects new items into an existing command, modifying its interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

Taxonomy Mappings

Taxonomy: WASC

Entry ID Entry Name
31 OS Commanding
