AttackFlow Findings Dictionary


OS Command Injection

The attacker can inject unauthorized OS commands, or fragments of commands, into a command the application runs on the target operating system, leading to information disclosure or full compromise of the host.

Severity

Critical

Fix Cost

Low

Trust Level

High

Applications occasionally need to interact with the operating system they run on, and programming languages provide process-launching APIs for that purpose.

Let the backend code be similar to the following snippet (.NET):

// Vulnerable: the untrusted host value is concatenated into a cmd.exe command line
Process.Start("cmd.exe", "/C ping.exe " + Request["host"]);

The above code runs ping against a host value supplied by the user, which is untrusted.

Every injection attack comes from mixing code and untrusted data in one channel. Process APIs do usually offer a form that keeps the two apart until runtime (an argument array: ProcessStartInfo.ArgumentList on .NET, ProcessBuilder on Java), but the string-concatenation form used above discards that separation: the data (the host name coming from the user) and the code (the partial command line fixed in the program) are joined into one string that cmd.exe parses. The result is OS Command Injection: the attacker can manipulate the command line and reach parts of the system that are otherwise inaccessible to them.

For example, by sending 127.0.0.1 && dir C:\ as Request["host"], the attacker appends an extra, unauthorized command: once ping succeeds, cmd.exe lists the contents of the C:\ drive, which the attacker could not otherwise read. (A single & would run the second command regardless of ping's result.)

The same finding in a Java backend. Let the backend code be similar to the following snippet:

Runtime runtime = Runtime.getRuntime();
// Vulnerable: the untrusted host value is concatenated into a cmd.exe command line
runtime.exec("cmd.exe /C ping.exe " + request.getParameter("host"));

The above code runs ping against a host value supplied by the user, which is untrusted.

Runtime.exec(String) does not itself invoke a shell; it splits the string on whitespace into an argument array and launches the first token. Here, however, the first token is cmd.exe with /C, and cmd.exe joins everything that follows back into one command line and interprets its metacharacters (&&, |, >). Concatenating the user's data into that string is what turns it into OS Command Injection: the attacker controls part of what cmd.exe parses and can reach parts of the system that are otherwise inaccessible to them.

For example, by sending 127.0.0.1 && dir C:\ as request.getParameter("host"), the attacker appends an extra, unauthorized command: after ping succeeds, cmd.exe lists the contents of the C:\ drive, which the attacker could not otherwise read.
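A hardened version of the .NET and Java ping snippets above, added here as an example rather than code from the AttackFlow page: it hands the host value to ProcessBuilder as a single argv element (ProcessStartInfo.ArgumentList is the .NET equivalent), so no shell ever parses it, and it additionally rejects anything that is not a hostname or IPv4 literal before the process is launched. The class name SafePing, the method names and the hostname pattern are my own choices, not part of the original.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class SafePing {
    // Allowlist: RFC 1123-style labels only (letters, digits, hyphen, dots between labels).
    // Spaces, &, |, ;, quotes and redirections never reach the process API.
    private static final Pattern HOST = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    /** Builds the argv for a single ping, or throws if the host fails the allowlist. */
    static List<String> pingCommand(String host) {
        if (!HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        // Each list element is exactly one argument. No cmd.exe or /bin/sh is involved,
        // so even an unvalidated "a && b" would be passed to ping as one literal string.
        return windows
            ? List.of("ping", "-n", "1", host)
            : List.of("ping", "-c", "1", host);
    }

    /** Runs the ping and returns its exit code (0 on success). */
    static int ping(String host) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(pingCommand(host)).inheritIO().start();
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("exit code: " + ping("127.0.0.1"));
        try {
            // The payload from the text; rejected before any process is started.
            ping("127.0.0.1 && dir C:\\");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The argv form alone already defeats the && payload, because the whole string becomes ping's single host argument; the allowlist is defense in depth and also stops ping-specific option injection such as a value beginning with -.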

The same finding in an Android application. Let the code be similar to the following snippet:

button.setOnClickListener(new View.OnClickListener() {
    public void onClick(View v) {
        TextView tv = (TextView) findViewById(R.id.editText1);
        try {
            // Exit code 0 means the package manager succeeded
            if (install(tv.getText().toString()) == 0)
                Toast.makeText(v.getContext(), "App installed", Toast.LENGTH_LONG).show();
            else
                Toast.makeText(v.getContext(), "App not installed", Toast.LENGTH_LONG).show();
        } catch (IOException | InterruptedException e) {
            Toast.makeText(v.getContext(), "App not installed", Toast.LENGTH_LONG).show();
        }
    }
});

// Vulnerable: the user-controlled path is concatenated into the command string
public int install(String path) throws IOException, InterruptedException {
    Process install = Runtime.getRuntime().exec("adb shell pm install -r " + path);
    return install.waitFor();
}

The above code is meant to install, silently, an APK that the application trusts. A silent install of this kind is only possible for a privileged application, for example one signed with the device manufacturer's certificate, which is exactly why the input matters.

The command string is built by concatenating the user-supplied path, so the data (the path typed into the text field) and the code (the fixed pm install -r prefix) reach the shell as one string. Note that adb is the host-side tool rather than part of the device's own shell; in an on-device application the package manager would normally be invoked as pm directly. Either way, the shell that receives the string interprets separators such as ; and && exactly as cmd.exe does in the examples above, and the privileged application ends up running whatever the attacker appends.

For example, by supplying the path of an APK they previously downloaded to external storage, the attacker gets the privileged application to install a package of their choosing, which they could not install themselves. Or, by appending a command separator and a further command, the attacker can list the contents of the application's private directory, which they cannot otherwise read.
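A hardened version of the Android install path, added as an example rather than AttackFlow's or any project's code. It assumes the app keeps the APKs it trusts in a directory it owns (apkDir, a hypothetical name) and runs on the device, so it calls pm directly instead of adb shell. The user supplies only a bare file name; it is checked against a conservative pattern, then canonicalized and confined to apkDir before being handed to ProcessBuilder as one argument. Class and method names are mine.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class SafeInstall {
    // A bare file name with a conservative character set, ending in .apk.
    // No separators are allowed, so "../" and absolute paths fail here already.
    private static final Pattern APK_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,100}\\.apk$");

    private final File apkDir; // hypothetical: app-private directory holding trusted APKs

    public SafeInstall(File apkDir) throws IOException {
        this.apkDir = apkDir.getCanonicalFile();
    }

    /** Maps a user-supplied name to a canonical path inside apkDir, or rejects it. */
    public File resolveApk(String name) throws IOException {
        if (!APK_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("bad APK name: " + name);
        }
        // Canonicalization resolves symlinks; the prefix check is defense in depth
        // in case the directory itself was replaced by a link pointing elsewhere.
        File apk = new File(apkDir, name).getCanonicalFile();
        if (!apk.getPath().startsWith(apkDir.getPath() + File.separator)) {
            throw new IllegalArgumentException("APK escapes trusted directory: " + name);
        }
        return apk;
    }

    /** argv for the on-device package manager: one element per argument, no shell. */
    public List<String> installCommand(String name) throws IOException {
        return List.of("pm", "install", "-r", resolveApk(name).getPath());
    }

    /** Runs pm and returns its exit code (0 on success). */
    public int install(String name) throws IOException, InterruptedException {
        return new ProcessBuilder(installCommand(name)).inheritIO().start().waitFor();
    }

    public static void main(String[] args) throws Exception {
        SafeInstall s = new SafeInstall(new File(System.getProperty("java.io.tmpdir"), "apks"));
        System.out.println("argv: " + s.installCommand("update.apk"));
        // Constructed attacker inputs: traversal to external storage, and a command separator.
        for (String bad : new String[] {"../../sdcard/evil.apk", "x.apk; ls /data/data"}) {
            try {
                s.installCommand(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the user never supplies a path, only a name resolved against a directory the app controls, the "install an APK from external storage" abuse in the text is closed as well as the command-separator one; the separator would in any case arrive at pm as part of a single literal argument.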
