In our previous blog entry we discussed SQL injection attacks on web sites. There is another, just as serious, injection attack which occurs at the operating system level, where arbitrary commands are executed on the host operating system. It works in a similar manner, but can do a lot more damage than its SQL counterpart.
The cause of an OS command injection is a failure to sanitise strings that are passed to system level functions such as system or exec - for example when requesting information from a third party service or working directly with the file system on your server. Every server administrator should treat this as a high risk exploit and make sure it is handled correctly.
A simple example to clarify how this works in detail:
    <?php
    // The hostname is taken straight from the query string ...
    $host = $_GET['host'];
    // ... and concatenated into the shell command with no sanitisation
    exec('nslookup ' . $host, $result);
    // exec() fills $result with one line per element, so join it before echoing
    echo implode("\n", $result);
In the above php code, the value stored in the $_GET array under the key host is appended to the nslookup command; when this is executed on the host operating system, the intention is that the host is looked up and the result returned to the user. If just a host name is passed, all is fine - but consider the following input that a user could provide to the server:
riotsecure.se; cat /etc/passwd
The user will get more than just information about a specific host: in addition, the contents of the /etc/passwd file are displayed to the user. Definitely not what the developer intended when the code was written. Such information could potentially be used for further attacks against the server - systems are easier to attack if the accounts are known.
Of course, it is not limited to simple file commands - a great deal can be done within a user's shell environment, such as modifying files, setting permissions and even creating crontab entries to schedule activities at a later point in time. A lot of known exploits exist that only require a user on the system - this provides exactly such a gateway to them.
Much like the SQL injection case, cheat sheets do exist showing what is possible if this exploit is available. However, it all depends on the underlying operating system the server is using, and on knowing which applications are accessible from the basic shell.
If you are using php, there are helper functions in place: escapeshellcmd and escapeshellarg, which sanitise the input by dealing with any command characters or instruction separators; either by removing them or converting them to spaces.
These are the characters that can be used inappropriately:
'&', '#', ';', '`', '|', '*', '?', '~', '<', '>', '^', '(', ')', '[', ']', '{', '}', '$', '\', '\x0A' and '\xFF'
Depending on your use-case, it may make sense to roll your own, using the above functions as a reference and knowing what the dangers are. It could be as simple as discarding everything after the first special character found in the input provided - but by all means, test your code!
While most third party vendors will do this for you, it is in your best interest to do a code inspection yourself to verify that OS command injection attacks are handled correctly before rolling your product out to production. The last thing you want is unauthorised access to your precious data, or even losing business due to a mass loss of data.
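As an added example (not code from the original post), here is the nslookup lookup in both forms: the concatenating version from above beside a hardened one that first validates the host name against an allowlist and then passes it through escapeshellarg. The function names and the two sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from the original post: vulnerable lookup beside a hardened one.
// Function names and sample inputs below are constructed for illustration.

// Vulnerable: untrusted input is concatenated straight into the shell command.
function buildLookupCommandUnsafe(string $host): string {
    return 'nslookup ' . $host;
}

// Hardened, step 1: allowlist validation. A host name may only contain
// letters, digits, dots and hyphens (labels of 1-63 chars, 253 overall),
// so ';', '|', '`', '$' and friends are rejected before any shell is involved.
function isValidHostname(string $host): bool {
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened, step 2: even validated input goes through escapeshellarg(), which
// wraps the value in single quotes (escaping any embedded quote) so the shell
// sees one literal argument rather than a command separator.
function buildLookupCommandSafe(string $host): ?string {
    if (!isValidHostname($host)) {
        return null; // refuse the request instead of trying to "clean" it
    }
    return 'nslookup ' . escapeshellarg($host);
}

// The lookup itself: exec() returns the output as an array, so join it.
function lookup(string $host): string {
    $cmd = buildLookupCommandSafe($host);
    if ($cmd === null) {
        return "invalid host name\n";
    }
    exec($cmd, $output);
    return implode("\n", $output);
}

// Constructed inputs: a normal host name and the injection attempt from the post.
$inputs = ['riotsecure.se', 'riotsecure.se; cat /etc/passwd'];
foreach ($inputs as $in) {
    echo "input:  $in\n";
    echo "unsafe: " . buildLookupCommandUnsafe($in) . "\n";
    echo "safe:   " . (buildLookupCommandSafe($in) ?? 'rejected by allowlist') . "\n";
    // For comparison, escapeshellarg() on its own: the ';' ends up inside the
    // quoted argument, so it is handed to nslookup as data, not to the shell.
    echo "quoted: nslookup " . escapeshellarg($in) . "\n\n";
}
```

Running the script prints the command each approach would build without executing the malicious one, which makes it a convenient unit test for the sanitisation you choose.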