DefenseCode

Command Execution

Risk type: HIGH

Description:

When a web application does not properly sanitize user-supplied input before using it within application code, it may be possible to trick the application into executing operating system commands. Such commands run with the permissions of the component that executes them.

Example:

The Java programming language provides the Runtime class, which allows the application to interface with the environment in which it is running:

import java.io.IOException;

// Deliberately vulnerable: the untrusted id is concatenated straight into the command line
public void cmdExecution(String id) throws IOException {
    Runtime rt = Runtime.getRuntime();
    rt.exec("Program.exe" + " -ID " + id);
}

Since the program being invoked, Program.exe, parses its arguments, interprets them and in turn calls other external applications, it is possible for an attacker to reach those external programs through the id parameter. Program.exe interprets the string "&&" as a separator for chaining multiple commands.

So, if the attacker supplies the value "3c8f2a && ping http://www.victim.com" as the id, the ping command is also run on the target machine, with the privileges of the user running the vulnerable application.

Mitigation:

  • Blacklisting forbidden character sequences (such as command separators).
  • Whitelisting allowed character sequences, so that only input matching the expected format is accepted.
  • Restricting the permissions under which operating system commands are executed.
  • Filtering out command and directory names from user-supplied input.
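As an added example (not DefenseCode's code), the whitelisting mitigation applied to the cmdExecution method above: the id is accepted only if it matches a strict allowlist pattern, and the arguments are handed to the process as separate elements. Program.exe, the hex-only id format and the 16-character limit are assumptions made for the example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

public class SafeCmdExecution {
    // Allowlist (assumed id format): a short run of hex digits and nothing else.
    // Spaces, "&&", slashes and URLs all fail this check.
    private static final Pattern ID_PATTERN = Pattern.compile("^[0-9a-fA-F]{1,16}$");

    /** Returns true only when the id matches the allowlist. */
    public static boolean isValidId(String id) {
        return id != null && ID_PATTERN.matcher(id).matches();
    }

    /**
     * Hardened version of cmdExecution: validate first, then pass each argument
     * as its own element so the id is never re-parsed as part of a command line.
     */
    public static Process cmdExecution(String id) throws IOException {
        if (!isValidId(id)) {
            throw new IllegalArgumentException("Rejected id: " + id);
        }
        ProcessBuilder pb = new ProcessBuilder("Program.exe", "-ID", id);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        // Constructed inputs: the benign id from the description and the chaining attempt.
        String[] samples = { "3c8f2a", "3c8f2a && ping http://www.victim.com" };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isValidId(s) ? "accepted" : "rejected"));
        }
    }
}
```

Because Program.exe itself interprets "&&", passing the arguments as a list is not sufficient on its own; it is the allowlist check that rejects the chained input before any process is started.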