Command Injection
--Komal Armarkar
Whoami
Komal Armarkar
- Linux Lover
- Independent Security Enthusiast
- Interested in Secure Development
Follow me on: https://twitter.com/n0th1n3_00X/
Email: komal.armarkar@gmail.com
Injection attacks come in various types:
1) OS Command Injection
2) SQL Injection
3) LDAP Injection
4) Content Injection
... and many more
But for today we'll be looking at OS COMMAND INJECTION
Impact Example 1: Nvidia GeForce Experience (API below 3.19)
https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/
Impact Example 2: LocalTapiola, an insurance and investment firm from Finland
Website: https://toimitilat.lahitapiola.fi (bug resolved in Feb 2018)
https://hackerone.com/reports/303061
What is the result of such loopholes?
1) Loss of data
2) Disclosure or modification of data
3) Can lead to taking control of the server or infrastructure
4) Compromise of the database or of entire systems
SO, what's the root cause?
Why is OS COMMAND INJECTION possible?
● This attack is possible when an application passes unsafe user-supplied data (e.g.
form fields, cookies, HTTP headers) to a system shell.
● It is also caused by improperly invoking external programs.
● The attacker-supplied OS commands are usually executed with the same
privileges as the vulnerable application.
Command injection attacks are
● OS-independent
● Programming-language-independent: they may occur in applications
written in C, C++, C#, Java, PHP, Perl, Python, Ruby
etc.
● Framework-independent: applications built on ASP.NET, CGI, Python Django, JS
frameworks, Ruby on Rails etc.
1. Web Applications (e.g. IBM, Sophos, Symantec, LanDesk, Cacti, SquirrelMail, ...)
2. ADSL SOHO routers (e.g. D-Link, TP-Link, Linksys, ...)
3. IP Cameras (e.g. TP-Link, D-Link, Vivotek, Zero-IP, ...)
4. Network Printers (e.g. Xerox, ...)
5. IP PBX Applications (e.g. Asterisk PBX, FreePBX, ...)
6. Applications in Embedded Devices (Raspberry Pi / Arduino)
LAB
COMMIX-TESTBED
Mitigations
1) The primary defense is to avoid calling OS commands directly. Built-in library
functions are a very good alternative to OS commands, because they cannot be
manipulated into performing tasks other than those they are intended to do.
If libraries or APIs are available for the language you use, this is the
preferred method.
2) Escape values added to OS commands, using escaping specific to each OS:
Use functions like escapeshellarg() or escapeshellcmd() in PHP.
For example:
escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into
executing arbitrary commands. This function should be used to make sure that any data coming from
user input is escaped before this data is passed to the exec() or system() functions, or to the backtick
operator. The following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$, \x0A and \xFF. ' and "
are escaped only if they are not paired. On Windows, all these characters plus % and ! are replaced by a
space instead.
3) Parametrization with Input Validation:
1. Use structured mechanisms that automatically enforce the separation between
data and command
2. Along with the separation of data and command, input validation must be done in
the following way:
● Commands are validated against a whitelist of allowed commands
● Ensure that metacharacters like ( & | ; $ > < ` ! ) and whitespace are never
matched by the whitelist regular expression
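The following Python example is added here; it is not code from the slides or from any project they cite. It puts the unsafe shell-string pattern from the root-cause slide beside the three mitigations listed above: a library call in place of an OS command, per-argument escaping (shlex.quote, Python's counterpart of PHP's escapeshellarg()), and parameterised invocation combined with a whitelist that admits none of the metacharacters the slides name. The function names (is_allowed_host, build_ping_argv and so on), the ping use case and the sample inputs are this example's own assumptions.

```python
"""Added example (not from the slides): the unsafe shell-string pattern the
deck describes, beside the three mitigations it lists.  Function names and the
sample inputs at the bottom are this example's own (constructed)."""
import os
import re
import shlex
import subprocess
from typing import List

# Metacharacters from the slides' whitelist rule, plus whitespace.
SHELL_METACHARS = set("&|;$><`!") | set(" \t\r\n")


def contains_shell_metachars(value: str) -> bool:
    """Input-validation helper: True if the user value carries any shell
    metacharacter or whitespace (which must never match the whitelist)."""
    return any(ch in SHELL_METACHARS for ch in value)


# --- Root cause: user data spliced into a string that a shell will parse ---
def unsafe_shell_command(host: str) -> str:
    """The pattern to avoid (os.system / shell=True style).  Returned as a
    string and never executed here, so the example stays inert."""
    return "ping -c 1 " + host


# --- Mitigation 1: use a library function instead of an OS command -------
def list_directory(path: str) -> List[str]:
    """Replaces os.system("ls " + path): os.listdir takes a path, never a
    shell string, so nothing in 'path' can become a command."""
    return sorted(os.listdir(path))


# --- Mitigation 2: escape values that you must pass through a shell ------
def quote_for_shell(value: str) -> str:
    """shlex.quote is Python's counterpart of PHP escapeshellarg(): it wraps
    the value in single quotes so the shell reads it as one literal word."""
    return shlex.quote(value)


# --- Mitigation 3: parameterisation plus whitelist validation ------------
# Hostnames/IPs only: alphanumerics, dots and hyphens, starting and ending
# with an alphanumeric.  The class contains none of SHELL_METACHARS, and a
# leading '-' is impossible, so the value can never be read as an option.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def is_allowed_host(value: str) -> bool:
    return HOST_RE.fullmatch(value) is not None


def whitelist_excludes_metachars() -> bool:
    """Self-check from the slides: no metacharacter or whitespace may slip
    through the whitelist regular expression."""
    return not any(is_allowed_host("a" + ch + "a") for ch in SHELL_METACHARS)


def build_ping_argv(host: str) -> List[str]:
    """Argument list for subprocess: the data stays one argv entry and is
    never parsed by a shell, so command/data separation is structural."""
    if not is_allowed_host(host):
        raise ValueError("host rejected by whitelist: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Executes the validated argv with shell=False; returns the exit code."""
    proc = subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=15)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a command separator.
    for sample in ("example.com", "127.0.0.1; id"):
        print("input:       ", repr(sample))
        print("  unsafe str:", repr(unsafe_shell_command(sample)))
        print("  metachars: ", contains_shell_metachars(sample))
        print("  quoted:    ", quote_for_shell(sample))
        try:
            print("  argv:      ", build_ping_argv(sample))
        except ValueError as exc:
            print("  argv:       rejected (%s)" % exc)
```

Two points worth noting on the escaping option. PHP's escapeshellcmd() escapes a whole command string, not a single argument, so it does not stop user data from being split into extra arguments (such as option flags) for the program being run; escapeshellarg() applied per argument, or better the argument-list approach above, is what prevents that. Likewise, shlex.quote only makes the value a single shell word; the whitelist is what keeps it from starting with a dash.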
References
Real-life scenario links used:
1) GeForce Experience:
https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/
2) Lahitapiola (a large insurance and investment firm from Finland):
https://hackerone.com/reports/303061
Root cause of command injection:
https://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection
http://projects.webappsec.org/w/page/13246950/OS%20Commanding
Mitigations:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md
References Extended
Misc:
https://www.blackhat.com/docs/eu-15/materials/eu-15-Stasinopoulos-Commix-Detecting-And-Exploiting-Command-Injection-Flaws.pdf
https://www.youtube.com/watch?v=_26Ubh27MUY&t=2126s
https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch01.html
https://www.acunetix.com/websitesecurity/introduction-web-shells/
https://www.sjoerdlangkemper.nl/2019/07/03/command-injection-on-commonaccord/
Commix-testbed Lab:
https://github.com/commixproject/commix-testbed/
https://github.com/commixproject/commix-testbed/tree/master/scenarios
Thank you :)