Command injection is an attack aimed at executing arbitrary commands on a host operating system via a vulnerable application.
The attack is possible when an application passes unsafe user-supplied data (e.g., forms, cookies, HTTP headers) to a system shell.
The vulnerable application then executes the OS commands supplied by the attacker. Command injection attacks are mainly caused by insufficient input validation.
Command injection differs from code injection: in code injection, the attacker adds their own code, which is then executed by the application. In command injection, on the other hand, the attacker does not need to inject any code of their own in order to have system commands executed.
Example
The following program takes a file name as a command-line argument and displays the contents of the file to the user. The program is installed setuid root.
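    #include <stdlib.h>
    #include <string.h>

    #define CMD_MAX 256   /* assumed value; not given in the original */

    int main(int argc, char **argv) {
        char cmd[CMD_MAX] = "/usr/bin/cat ";
        strcat(cmd, argv[1]);   /* user input is appended to the command unchanged */
        system(cmd);            /* the whole string is handed to the shell */
        return 0;
    }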
Because this program is executed with root privileges, the call to system() is also executed with root privileges. If the user specifies a normal file name, the program works as expected. If the attacker passes a string of the form ";rm -rf /", the call to system() fails to execute cat due to the lack of arguments and then executes "rm -rf /", which recursively deletes the contents of the root partition.
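A hardened form of the program above, as an added example that is not part of the original page: the file name is handed to cat as one argument-vector entry, so no shell ever parses it. The helper name show_file, the fallback path /bin/cat and the empty child environment are assumptions of this example.

```c
/* Added example: hardened variant of the setuid "cat" wrapper. */
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed absolute candidates only: PATH is attacker-controlled in a
 * setuid program, so it is never searched. (Assumed install paths.) */
static const char *cat_path(void)
{
    return access("/usr/bin/cat", X_OK) == 0 ? "/usr/bin/cat" : "/bin/cat";
}

/* Hypothetical helper: display one file without involving a shell.
 * Returns cat's exit status, or -1 on a usage or process error. */
int show_file(const char *path)
{
    if (path == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Each argv element reaches cat as one literal argument, so ';',
         * '|', '$()' and spaces are plain file-name bytes. "--" ends option
         * parsing so a name beginning with '-' is not read as a flag. */
        char *const args[] = { "cat", "--", (char *)path, NULL };
        char *const envp[] = { NULL };   /* empty environment for the child */
        execve(cat_path(), args, envp);
        _exit(127);                      /* exec itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    return argc == 2 ? show_file(argv[1]) : 2;
}
```

With the input from the example, cat looks for a file literally named ";rm -rf /", reports that it does not exist, and exits non-zero; nothing else runs.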