Operating system (OS) command injection attack is a variant of code injection attacks which are considered a major security threat that in fact, is classified as No. 1 on the 2013 OWASP top ten web security risks [1]. There are many types of code injection attacks including:
OS command injection attacks may occur in applications that accept user provided input and execute OS commands using as parameters the received input. They have been discovered in web applications hosted in web servers (Windows or Linux) as well as in web-based management interfaces of networking devices, such as home/office routers, IP cameras, IP PBX applications and network printers. Moreover, command injection vulnerabilities can be found in IoT devices. However, the injected OS commands are usually executed with the same permissions that the application possesses (i.e. root). OS command injection attacks are possible in most cases due to lack of correct input data validation, which can be manipulated by the attacker (web forms, cookies, HTTP headers etc.)
Due to the fact that there are not many tools to automate the process of detecting and exploiting command injection vulnerabilities, in this blog post Commix tool will be used. Commix (a short for [COMM]and [I]njection e[X]ploiter) is an automated tool aiming to facilitate web developers, penetration testers and security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. It is important to note that the module is capable of performing command injection not only in the HTTP GET / POST parameters, but also in HTTP parameters, such as HTTP cookie, HTTP user-agent and referrer header values. The tool is written in Python (version 2.6. or 2.7) and runs in both Unix/Linux and Windows operating systems. Commix is free to download through the GitHub repository [7]. It is worth mentioning that Commix comes preinstalled in many security-oriented OS’s including the well-known Kali Linux [8], while its capabilities have been presented in the BlackHat Europe 2015 Security Conference (Netherlands, Amsterdam) [9].
The main objective of this article is to examine the detection and exploitation capabilities of Commix against blacklisting techniques. The general idea behind blacklisting is to check for malicious patterns before allowing the execution of users input. More specifically, in the case of OS command injection attack, a blacklist can strip out from the users’ input all “suspicious” characters (i.e. “;”,”|”,”&”, etc.). However, a basic disadvantage of blacklisting, which greatly limits its effectiveness, is that the attacker can discover a variation of the command injection attack vectors not included in the blacklist and, hence, he can launch the attack successfully. In order to be able to get a reliable sample of checks against the most common blacklisting techniques, the Damn Vulnerable Web Application (DVWA) v1.10 [10] was installed on a Debian Linux (3.16.0-4) operating system. DVWA is a free, open source PHP/MySQL web application that supports four different security levels, low, medium, high or impossible. The security level changes the vulnerability level of DVWA:
DVWA also comes with an outdated (v0.6) Web Application Firewall (WAF) called PHPIDS. PHPIDS (PHP-Intrusion Detection System) [11] is a security layer for PHP based web applications. PHPIDS works by filtering any user’s supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how WAFs can help improve security and in some cases how WAFs can be circumvented. At this point it is worth noting that during this research, the latest stable version (v0.7) [12] of PHPIDS was installed in DVWA.
All the experiments were mainly conducted in two separate rounds of checks:
It is summarized below, the detection and exploitation results of the first and the second round of security checks that were conducted against the vulnerable “ip” POST parameter of “/vulnerabilities/exec/” in DVWA against all* supported security levels (from Low to Impossible).
* On both rounds of security checks, in the “Impossible” security level, Commix did not detect any vulnerability (as expected) because this level is not meant to be exploitable.
| RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED | |
| LOW | PASSED | PASSED | PASSED | PASSED |
| MEDIUM | PASSED | PASSED | PASSED | PASSED |
| HIGH | FAILED | FAILED | PASSED | FAILED |
| IMPOSSIBLE | FAILED | FAILED | FAILED | FAILED |
Table 1: Succeeded command injection attacks with PHPIDS disabled.
| RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED | |
| LOW | PASSED | FAILED | PASSED | FAILED |
| MEDIUM | PASSED | FAILED | PASSED | FAILED |
| HIGH | FAILED | FAILED | PASSED | FAILED |
| IMPOSSIBLE | FAILED | FAILED | FAILED | FAILED |
Table 2: Succeeded command injection attacks with the PHPIDS enabled.
Lastly it is worth mentioning that, even though the remote command execution protection filter that is used by the PHPIDS v0.7 to prevent remote OS command injection attacks seems quite weak (on this we will refer later) specific characters (i.e “$”, “{“,”}”,”))” etc) which are used in most payloads were detected. After further analysis on that issue it was identified that this happens due to overlays by other irrelevant WAF filters. In order to circumvent this restriction the “–backticks” switch (which uses the backtick (`) instead of the “$()” for command substitution [13]) was used.
As it has been already mentioned, PHPIDS 0.7 does not protect against OS command injection attacks. The filter that is used for protection against this type of attacks is included in the “default_filter.json” and “default_filter.xml” files. More specifically the filter with id “74” checks only for attempts to execute OS commands, such “ping -n 3 127.0.0.1 ”, ping localhost -n 3” etc as presented below:
ping(.*)[\-(.*)\w|\w(.*)\-]Moreover, we came to the point to suggest an additional regular expression for the aforementioned filter in such way all the attempted payloads have failed due to all the symbols used for OS command injection attacks are now being detected and blocked by the newly proposed filter:
(?:[^|;|&|\||\<|\>|`|\$|\(|\)|\{|\}]\W*?\b)Finally, the Table 3 below represents all the failed attempts to detect and exploit OS command injection vulnerabilities against the vulnerable “ip” POST parameter of “vulnerabilities/exec/”, after the new rule has been added.
| RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED | |
| LOW | FAILED | FAILED | FAILED | FAILED |
| MEDIUM | FAILED | FAILED | FAILED | FAILED |
| HIGH | FAILED | FAILED | FAILED | FAILED |
| IMPOSSIBLE | FAILED | FAILED | FAILED | FAILED |
Table 3: Failed command injection attacks after PHPIDS updated filter
Concluding all the above, this article was mainly focused on the weak blacklisting features, as provided by all security levels of DVWA, combined with the latest stable version of the PHPIDS WAF. Once it was identified that Commix was able to bypass the weak blacklisting filters on each security level (i.e. Low, Medium, and High) with the presence of the latest stable PHPIDS WAF, a new rule (that successfully blocks all the exploitation attempts) was proposed.
[1] https://www.owasp.org/index.php/Code_Injection
[2] https://www.owasp.org/index.php/SQL_Injection
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.owasp.org/index.php/Command_Injection
[5] https://www.owasp.org/index.php/XPATH_Injection
[6] https://www.owasp.org/index.php/LDAP_injection
[7] https://github.com/commixproject/commix
[8] https://tools.kali.org/exploitation-tools/commix
[9] https://www.blackhat.com/docs/eu-15/materials/eu-15-Stasinopoulos-Commix-Detecting-And-Exploiting-Command-Injection-Flaws.pdf
[10] https://github.com/ethicalhack3r/DVWA
[11] https://github.com/PHPIDS/PHPIDS
[12] https://github.com/PHPIDS/PHPIDS/releases/tag/0.7
[13] http://tldp.org/LDP/abs/html/commandsub.html
