CWE
Home > CWE List > CWE-77 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-77 Individual Dictionary Definition (Draft 9)

Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
Weakness ID
Status: Draft

77 (Weakness Class)

Description

Summary

The software fails to adequately filter command (control plane) syntax from user-controlled input (data plane) and then allows potentially injected commands to execute within its context.

Likelihood of Exploit

Very High

Weakness Ordinality

Primary (Weakness exists independent of other weaknesses)

Causal Nature

Explicit (This is an explicit weakness resulting from behavior of the developer)

Common Consequences

Access control: Command injection allows for the execution of arbitrary commands and code by the attacker.

Potential Mitigations

Design: If at all possible, use library calls rather than external processes to recreate the desired functionality

Implementation: Utilize black-list parsing to filter non-relevant command syntax from all input.

Implementation: Ensure that all external commands called from the program are statically created, or -- if they must take input from a user -- that the input and final line generated are vigorously white-list checked.

Run time: Run time policy enforcement may be used in a white-list fashion to prevent use of any non-sanctioned commands.

Assign permissions to the software system that prevents the user from accessing/opening privileged files.

Demonstrative
Examples

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

int main(char* argc, char** argv) {
  char cmd[CMD_MAX] = "/usr/bin/cat ";
  strcat(cmd, argv[1]);
  system(cmd);
}

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.


The following code is from an administrative web application designed allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.

...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
...

The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.


The following code from a system utility uses the system property APPHOME to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.

...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...

The code above allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME to point to a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system.


The following code is from a web application that allows users access to an interface through which they can update their password on the system. Part of the process for updating passwords in certain network environments is to run a make command in the /var/yp directory, the code for which is shown below.

...
System.Runtime.getRuntime().exec("make");
...

The problem here is that the program does not specify an absolute path for make and fails to clean its environment prior to executing the call to Runtime.exec(). If an attacker can modify the $PATH variable to point to a malicious binary called make and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make will now be run with these privileges, possibly giving the attacker complete control of the system.


The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable:

C Example:

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
  char cat[] = "cat ";    
  char *command;    
  size_t commandLength;    

  commandLength = strlen(cat) + strlen(argv[1]) + 1;    
  command = (char *) malloc(commandLength);    
  strncpy(command, cat, commandLength);    
  strncat(command, argv[1], (commandLength - strlen(cat)) );
  
  system(command);    
  return (0);
}

Used normally, the output is simply the contents of the file requested: $ ./catWrapper Story.txt When last we left our heroes... However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint: $ ./catWrapper Story.txt; ls When last we left our heroes... Story.txt doubFree.c nullpointer.c unstosig.c www* a.out* format.c strlen.c useFree* catWrapper* misnull.c strlength.c useFree.c commandinjection.c nodefault.c trunc.c writeWhatWhere.c If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.

Context Notes

Command injection is a common problem with wrapper programs. Often, parts of the command to be run are controllable by the end user. If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, he may then be able to insert an entirely new and unrelated command to do whatever he pleases. The most effective way to deter such an attack is to ensure that the input provided by the user adheres to strict rules as to what characters are acceptable. As always, white-list style checking is far preferable to black-list style checking.

Dynamically generating operating system commands that include user input as parameters can lead to command injection attacks. An attacker can insert operating system commands or modifiers in the user input that can cause the request to behave in an unsafe manner. Such vulnerabilities can be very dangerous and lead to data and system compromise. If no validation of the parameter to the exec command exists, an attacker can execute any command on the system the application has the privilege to access.

Command injection vulnerabilities take two forms: * An attacker can change the command that the program executes: the attacker explicitly controls what the command is. * An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. In this case we are primarily concerned with the first scenario, in which an attacker explicitly controls the command that is executed. Command injection vulnerabilities of this type occur when: 1. Data enters the application from an untrusted source. 2. The data is part of a string that is executed as a command by the application. 3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

Relationships
NatureTypeIDName
ChildOfWeakness ClassWeakness ClassWeakness Class74Failure to Sanitize Data into a Different Plane (aka 'Injection')
ChildOfViewView629
ParentOfWeakness BaseWeakness BaseWeakness Base624Executable Regular Expression Error
ParentOfWeakness BaseWeakness BaseWeakness Base78Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
Source Taxonomies

7 Pernicious Kingdoms - Command Injection

CLASP - Command injection

Applicable Platforms

All

Related Attack Patterns
CAPEC-IDAttack Pattern Name
11Cause Web Server Misclassification
75Manipulating Writeable Configuration Files
76Manipulating Input to File System Calls
23File System Function Injection, Content Based
15Command Delimiters
6Argument Injection
43Exploiting Multiple Input Interpretation Layers
Page Last Updated: April 22, 2008