Sunday, 8 July 2012

Command Injection

In addition to cross-site scripting attacks, there is also command injection.

This attack uses the same attack vector as XSS (user input that is not validated), but instead of script it sends operating system commands along with the user input in an attempt to get the server to run them. Injected commands typically run with the privileges of the web server process, which is why running the web server as root on a Unix/Linux system, or with SYSTEM privileges on a Windows system, is very risky. Running the web server with limited privileges reduces the impact but does not fully mitigate command injection vulnerabilities.
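The following is an added example, not code from the original post. It shows the pattern the paragraph describes from the defender's side: a hypothetical "ping this host" feature that concatenates the request parameter into a shell command line (vulnerable), beside a hardened version that validates the value as an IP address and passes an argv list so no shell ever parses the input. It also includes a small scanner over constructed access-log lines (the paths, addresses and parameter name are invented) that flags requests whose decoded parameters carry shell metacharacters, which is the kind of check a detection engineer would run over web logs.

```python
import ipaddress
import subprocess
from urllib.parse import urlsplit, parse_qsl

SHELL_METACHARACTERS = ";|&`$()<>\n"


def build_shell_command_vulnerable(host: str) -> str:
    # Vulnerable pattern (built here for illustration, never executed):
    # the request parameter is glued into a string that a shell will parse,
    # so metacharacters in the input become part of the command line.
    return "ping -c 1 " + host


def is_valid_target(host: str) -> bool:
    # Accept only a literal IPv4/IPv6 address; anything else is rejected.
    try:
        ipaddress.ip_address(host.strip())
    except ValueError:
        return False
    return True


def build_argv_hardened(host: str) -> list:
    # Hardened pattern: validate first, then build an argument vector.
    # With an argv list and shell=False (subprocess default) the value is
    # handed to the program as a single argument; no shell interprets it.
    if not is_valid_target(host):
        raise ValueError("host must be a literal IPv4 or IPv6 address")
    addr = str(ipaddress.ip_address(host.strip()))
    return ["ping", "-c", "1", addr]  # -c 1 bounds the run, as the post recommends


def run_ping(host: str, timeout: float = 5.0) -> int:
    # Runs the hardened command; returns the process exit code.
    completed = subprocess.run(build_argv_hardened(host),
                               capture_output=True, timeout=timeout, check=False)
    return completed.returncode


def contains_shell_metacharacters(value: str) -> bool:
    # Crude but useful signal for logging or alerting on request parameters.
    return any(ch in value for ch in SHELL_METACHARACTERS)


# Constructed sample access-log lines (not from any real server).
SAMPLE_ACCESS_LOG = [
    '10.1.1.5 - - [08/Jul/2012:10:00:01 +0000] "GET /tools/ping?host=10.0.0.7 HTTP/1.1" 200 312',
    '10.1.1.9 - - [08/Jul/2012:10:00:02 +0000] "GET /tools/ping?host=10.0.0.7%3Bid HTTP/1.1" 200 318',
    '10.1.1.9 - - [08/Jul/2012:10:00:03 +0000] "GET /tools/ping?host=10.0.0.7%20%7C%7C%20ping%20-c%201%20203.0.113.9 HTTP/1.1" 200 318',
]


def suspicious_requests(log_lines) -> list:
    # Returns the log lines whose URL-decoded query parameters contain
    # shell metacharacters. Decoding matters: "%3B" is ";" once decoded.
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]        # e.g. GET /path?query HTTP/1.1
            path = request.split(" ")[1]
        except IndexError:
            continue                            # malformed line, skip it
        for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            if contains_shell_metacharacters(value):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    print("vulnerable command line:", build_shell_command_vulnerable("10.0.0.7;id"))
    print("hardened argv:", build_argv_hardened("10.0.0.7"))
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

The validation step is the real fix; the argv form is the safety net that holds even if validation is later loosened. Note that `run_ping` actually sends traffic, so only the builders and the log scanner are exercised offline.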

When testing for command injection, ping is a useful command for several reasons:

  • Most operating systems have it by default
  • Runs with limited privileges
  • Many networks allow outbound ICMP Echo
  • Unlikely to damage the system
  • Will most likely not be noticed
  • The command is relatively short (“ping [ip address]”), which helps if the input buffer is limited
  • Verifies outbound connectivity back to the attacker
  • Confirms command execution even when the attacker cannot see the output of the commands

With respect to the last point, the application may not include the output of the injected command in its response. By injecting the ping command with the attacker system’s IP address as its target, the attacker can confirm that the command was executed by watching for inbound ICMP echo requests arriving at that system. This is called ‘blind injection’.

The ping command does have a drawback. On a Unix/Linux system, “ping [ip address]” pings continuously until it is killed or the system reboots, which can leave many processes running on the target system. The “-c [N]” command line option limits the number of pings sent. Windows by default sends 3 pings and exits, but can be instructed to send any number of pings with “-n [N]”.

The “killall ping” command may also work for cleaning up leftover processes, but it must be used with caution. On Linux, “killall” kills processes by name.

NOTE: on a Solaris system it will kill all processes and force a reboot of the system.

1 comment:

Sheri Fresonke Harper said...

Never used the ping command in this manner, but I could see why continual processing would not be helpful.