CWE

CWE-78 Individual Dictionary Definition (Draft 9)

Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
Weakness ID: 78 (Weakness Base)
Status: Incomplete

Description

Summary

The software fails to adequately filter OS command syntax from user-controlled input and then allows the potentially injected commands to execute within its own context. A software system that accepts and executes input in the form of operating system commands (e.g. via system(), exec(), open()) could allow an attacker with lesser privileges than the target software to execute commands with the elevated privileges of the executing process. The problem is exacerbated if the compromised process fails to follow the principle of least privilege.

Alternate Terms

Shell injection, shell metacharacters

Functional Area

Program invocation

Affected Resource

System Process

Potential Mitigations

Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.

Implementation: Utilize black-list parsing to filter non-relevant OS command syntax from all input.

Implementation: Ensure that all external commands called from the program are statically created, or -- if they must take input from a user -- that the input and final line generated are vigorously white-list checked.

Run time: Run time policy enforcement may be used in a white-list fashion to prevent use of any non-sanctioned commands.

Assign permissions to the software system that prevent the user from accessing/opening privileged files.
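As an added illustration of the mitigations above (not part of the CWE entry), here is the CWE-78 pattern beside its hardened form in Python. The ping command, the sample host names and the hostname allowlist regex are constructed assumptions for the example; the hardened version rejects input that fails the allowlist and passes an argv list so no shell ever parses the user-supplied value.

```python
import re
import subprocess

# Constructed allowlist: RFC 1123 style hostname labels joined by dots.
# First character of each label must be alphanumeric, so a value such as
# "-f" cannot be smuggled in as an option either (related CWE-88).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_allowed_host(host: str) -> bool:
    """White-list check: True only if the whole value is a plain hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_command_vulnerable(host: str) -> str:
    """The CWE-78 pattern: user input spliced into a single shell string.
    The string is returned rather than executed so the effect of shell
    metacharacters in `host` can be inspected safely."""
    return "ping -c 1 " + host  # would be handed to os.system() / shell=True


def build_command_safe(host: str) -> list:
    """Hardened form: validate against the allowlist, then build an argv
    list. Bad input is rejected outright instead of being 'cleaned'."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute without a shell: argv goes straight to the process, so
    ';', '|', '$(...)' and friends are just characters in one argument."""
    return subprocess.run(
        build_command_safe(host), shell=False,
        capture_output=True, text=True, check=False,
    )
```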

Observed Examples
Reference       Description
CVE-1999-0067
CVE-2001-1246
CVE-2002-0061
CVE-2003-0041
CVE-2002-1898   Shell metacharacters in a telnet:// link (this is a multi-factor vulnerability,
CVE-2007-3572   Chain: incomplete blacklist for OS command injection

Context Notes

Fault: unquoted special characters, input restriction error

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

Relationships
Nature      Type            ID    Name
ChildOf     Weakness Class  77    Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
CanAlsoBe   Weakness Base   88    Argument Injection or Modification
ChildOf     View            629
ChildOf     View            630
ChildOf     Category        634   Weaknesses that Affect System Processes
ChildOf     View            635
CanFollow   Weakness Base   184   Incomplete Blacklist

Source Taxonomies

PLOVER - OS Command Injection

Applicable Platforms

All

Related Attack Patterns
CAPEC-ID   Attack Pattern Name
88         OS Command Injection
15         Command Delimiters
6          Argument Injection
43         Exploiting Multiple Input Interpretation Layers

White Box Definition

A weakness where the code path has:
1. a start statement that accepts input
2. an end statement that executes an operating system command where
   a. the input is used as a part of the operating system command
   b. the privilege of the operating system command is higher than the privilege of the input and
   c. the operating system command is undesirable

Where "undesirable" is defined through the following scenarios:
1. not validated
2. incorrectly validated

Page Last Updated: April 22, 2008