Skip to main content

OS Command Injection

Need

Prevention of OS command injection attacks

Context

  • Usage of PHP for server-side scripting and web development
  • Usage of PHP for server-side scripting and web development

Description

Non compliant code

<?php
$command = $_GET['cmd'];
system($command);
?>

This is a simple example of a PHP script that is vulnerable to OS command injection. The script takes a parameter 'cmd' from the GET request and passes it directly to the system() function, which executes the command on the server's operating system.

The system() function in PHP is used to execute an external program and display the output. It takes a string argument which is the command to be executed.

In this script, the command string is coming directly from user input ($_GET['cmd']) without any sanitization or validation. This means an attacker could pass in any command they want to be executed on the server. For example, they could pass in a command to delete all files on the server, or to download and execute a malicious script.

This is a serious vulnerability because it allows an attacker to perform any action they want on the server, potentially leading to complete system compromise. It's also a relatively easy vulnerability to exploit, as it just requires the attacker to modify the 'cmd' parameter in the GET request.

Steps

  • Validate and sanitize user input: Never trust user input, it's a common rule in web development. Use a whitelist of allowed characters, or a blacklist of disallowed characters in the input, and reject input that contains disallowed characters.
  • Use built-in functions: Instead of using system functions that execute shell commands, use built-in PHP functions whenever possible. These functions are safer as they do not allow command injection.
  • Use parameterized functions: If you must use system functions, use parameterized functions or prepared statements. These functions separate the command from the data, which prevents the data from being interpreted as a command.
  • Limit permissions: Run your application with the least privileges necessary. This can limit the damage that can be done if an injection attack occurs.
  • Implement a web application firewall (WAF): A WAF can help to filter out malicious data and protect your application from various attacks, including command injection attacks.

Compliant code

<?php
if(isset($_GET['cmd'])){
    $command = escapeshellarg($_GET['cmd']);
    $allowed_commands = ['ls', 'date', 'whoami']; // whitelist of allowed commands
    if(in_array($command, $allowed_commands)){
        system($command);
    } else {
        echo "Command not allowed.";
    }
} else {
    echo "No command provided.";
}
?>

The above code is a fixed version of the previously vulnerable PHP script. The vulnerability was an OS Command Injection, which allowed the execution of arbitrary commands on the system with non-sanitized parameters. This could have allowed an attacker to inject malicious commands into the server, escalating privileges, and potentially obtaining or modifying sensitive information stored on the machine.

The fixed code includes several security measures to prevent such an attack:

  1. Input Validation and Sanitization: The escapeshellarg() function is used to sanitize the user input. This function adds single quotes around a string and escapes any existing single quotes, allowing the string to be safely used as a shell argument.

  2. Command Whitelisting: A whitelist of allowed commands ($allowed_commands) is defined. If the user-provided command is not in this list, the script will not execute the command and will output an error message. This ensures that only safe, predefined commands can be executed.

  3. Error Handling: If no command is provided, the script will output an error message. This is a good practice for handling unexpected or incorrect user input.

  4. Least Privilege: Although not shown in the code, it is recommended to run your application with the least privileges necessary. This can limit the damage that can be done if an injection attack occurs.

  5. Web Application Firewall (WAF): Although not shown in the code, it is recommended to implement a WAF to help filter out malicious data and protect your application from various attacks, including command injection attacks.

By implementing these measures, the script is now protected against OS Command Injection attacks.

References

Last updated on