Because they let an attacker easily execute a large number of commands and a great deal of code, injection attacks are one of the most prevalent methods hackers use to attack systems. One type of injection attack you need to be aware of is “OS command injection”. It takes advantage of a vulnerability that administrators of systems, databases, and web applications need to take extremely seriously.
So, what exactly is an OS command injection attack?
What Are OS Command Injection Attacks?
An OS command injection allows a malicious attacker to perform any command they want by exploiting a vulnerable operating system, program, application, database, or plug-in. OS command injections are commonly used in SQL injection attacks. The issue arises when an application fails to properly check and sanitize the parameters it passes to shell functions such as system() or exec() in order to execute system commands.
To better understand how OS command injection is detected and exploited, it is helpful to view the issue through the lens of three primary categories.
Direct Command Injection Technique
Think about it from the attacker's point of view. Once the hacker determines that a particular application executes a system command, they insert a malicious command into the application as one of the expected parameters. The application then carries out the intended command, followed by the second, malicious one.
The attacker will try several different methods to locate a vulnerability like this. The most straightforward way to counter this is to ensure that the operating system is always running the most recent version available; you might accomplish this with the assistance of an experienced IT staff. You should also avoid using applications or programs that could introduce system vulnerabilities, since an attacker may insert code directly and the severity of the damage may not be known.
Indirect Command Injection Technique
When an attacker uses indirect command injection, they do not enter code or a command into the system directly. Instead, they go through a software application or program on the system that has a known vulnerability. That vulnerability creates a connection between the attacker and the operating system, and the attacker's goal is to use this channel to execute harmful code and commands on the target.
The attacker runs a series of tests to locate such a vulnerability and discovers, in the process, that the software calls a system command using data obtained from an external source such as a file or an environment variable. The attacker then alters the content of that external source so that it incorporates a harmful command, which is executed together with the original application's instructions.
The primary distinction between direct and indirect command injection is that in the indirect case the attacker must work through an application to communicate with the operating system. There is little difference, however, in the damage the two types can cause, which is why both need to be addressed. You therefore need to make sure that the programs running on your network are dependable and essential. Don't keep apps you don't trust on your device.
Blind Command Injection Technique
Blind command injection is another subtype of OS command injection. Here the application does not return any output from the injected command in its response to the HTTP request. To take advantage of this vulnerability, the attacker employs strategies such as output redirection and time delays.
Imagine that you are searching a website and that the value “/?search=id” in the URL changes with each search you perform. The id value may point to a user page, the address of a product photo, or any other page on the site. By altering the id value, the attacker can achieve a variety of outcomes. Doing this by hand is challenging, but tools such as Burp Suite can help. Eventually the attacker notices something strange on a page: an id value is returned and, even though it revealed no results, the website's response was still 200, meaning everything is fine. In this kind of scenario an attacker could use blind command injection.
A time-delay technique can be extremely helpful in such situations. The page that loads is blank, so no response is visible; nevertheless, information about what is stored in the database can still be acquired from time delays, by making the page load only when a particular character is present. Doing this manually would take too long, but the attack can be automated with a variety of tools.
Possible Outcome of an Attack
Let's review everything discussed above by looking at an example. Imagine a shopping app that lets the user check whether a product is still available. To access this information, a URL similar to the one below is used:
example_unsafe_store.com/stockStatus?productID=245&storeID=
Imagine that the application passes the product ID and the store ID as inputs to a shell command such as “stockstat.pl 245 38”, which it needs in order to query old information. If the developer takes no measure to prevent command injection, a threat actor can submit an input that executes a command of their choosing:
& echo this_a_harmful_command &
If this entry goes in the productID parameter, the command executed by the application will be:
stockstat.pl & echo this_a_harmful_command & 38
Using the echo command is a helpful way to detect command injection: it confirms that the specified string appears in the output, and that it is displayed correctly. Since the character “&” is a command separator for the shell, what is actually carried out is three distinct commands, one after the other. As a direct consequence, the following output is sent back to the user:
Error -productID not found
this_a_harmful_command
38: command not found
In this instance, the original “stockstat.pl” command was executed without the inputs it expected, which is why an error message was generated. The attacker's injected echo command then ran, and the attacker saw the string they had entered appear on the screen. Finally, the original parameter “38” was processed as a command, which caused another error.
How to Protect Against OS Command Injection Techniques
Although command injection is a potent and damaging attack vector, there are a few strategies that can be used to avoid it. OS command injection attacks aim to execute particular operating system commands through an application, and it is your responsibility to prevent this from happening. There are some important considerations:
- You are responsible for ensuring that everyone who has access to the application is unable to execute code.
- You ought to stop users who have access to the application from sending requests to the server that contain syntactic expressions if at all possible.
- You are going to need to encrypt the phrases that are being requested by everyone who has access.
Let's go through these one by one, starting with the first item. Whitelisting is a strategy that blocks specific code or requests from being executed by anyone who reaches the application layer, and it is an effective solution to the first problem: the code cannot be executed by anyone you have not identified.
The answer to the second problem is to refuse to accept certain text phrases that are used in instructions, restricting the user to entering only numeric values. Combined with the whitelist approach, this gives you a significantly more secure system.
The third point relates to the encipherment of syntactic features of the input, such as the characters typed and the spaces between them. With the whitelisting approach, syntactic testing of inputs, and encryption of inputs in place, you should be safe against OS command injection.
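As an added example (not code from the original article), here is a Python sketch of the stockStatus lookup in its vulnerable form beside a hardened form that applies the three protections above: an allow-list that accepts only numeric ids, passing the values as an argv list so no shell ever parses them, and, where a shell string is unavoidable, escaping the separator characters with shlex.quote (my reading of the third point). The stockstat.pl program name, the productID/storeID parameters and the echo payload are taken from the example above; 'echo' stands in for stockstat.pl so the block runs anywhere.

```python
import re
import shlex
import subprocess

# Constructed inputs: the legitimate ids from the stockStatus URL discussed
# above and the attacker's payload, as the application would receive them.
GOOD_PRODUCT, GOOD_STORE = "245", "38"
PAYLOAD = "& echo this_a_harmful_command &"

def build_command_unsafe(product_id, store_id, program="stockstat.pl"):
    """Vulnerable: both values are spliced into one string that a shell will
    parse, so an '&' inside either value becomes a command separator."""
    return f"{program} {product_id} {store_id}"

def is_numeric_id(value):
    """Second protection: an id is digits only, with a bounded length."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None

def build_argv_safe(product_id, store_id, program="stockstat.pl"):
    """First two protections combined: reject anything but numeric ids, then
    return an argv list. Run without shell=True, the list never reaches a
    shell parser, so separator characters have no special meaning."""
    if not (is_numeric_id(product_id) and is_numeric_id(store_id)):
        raise ValueError("productID and storeID must be numeric")
    return [program, product_id, store_id]

def is_rejected(product_id, store_id):
    """True when the hardened builder refuses this pair of inputs."""
    try:
        build_argv_safe(product_id, store_id)
    except ValueError:
        return True
    return False

def quote_for_shell(product_id, store_id, program="stockstat.pl"):
    """Third protection, shown as shell escaping with shlex.quote: if a shell
    string is unavoidable, each value is quoted so '&' stays literal text."""
    return f"{program} {shlex.quote(product_id)} {shlex.quote(store_id)}"

def run_argv(argv):
    """Execute an argv list with no shell involved and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    print(build_command_unsafe(PAYLOAD, GOOD_STORE))  # three shell commands
    print(quote_for_shell(PAYLOAD, GOOD_STORE))       # one command, literal arg
    print("rejected:", is_rejected(PAYLOAD, GOOD_STORE))
    # 'echo' stands in for stockstat.pl so the hardened path runs anywhere
    print(run_argv(build_argv_safe(GOOD_PRODUCT, GOOD_STORE, program="echo")))
```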
OS Command Injection Attacks Happen Every Day, and You Need to Protect Against Them
There are numerous injection methods, each with its own way of attacking; OS command, SQL, SSI, and XPath injection are some examples. Trying to prevent each of them one at a time is not an easy task. Keep in mind that all of these attacks are constantly evolving and taking advantage of small vulnerabilities that developers have overlooked. Because of this, you need to keep yourself up to date and closely follow the most recent developments in the field of cybersecurity.