In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

How does a OS Command Injection attack work?

It typically unfolds over 4 phases. It begins with: [Identify inputs for OS commands] The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

How do you prevent CAPEC-88?

Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.

What weaknesses does CAPEC-88 target?

CAPEC-88 exploits 4 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')), CWE-697 (Incorrect Comparison).

How severe is CAPEC-88?

MITRE rates CAPEC-88 as High severity with high likelihood of attack.

CAPEC-88: OS Command Injection

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify inputs for OS commands] The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
- Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
- TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
- Induce errors to find informative error messages
Step 2
Explore
[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user
- Spidering web sites for all available links
- Inventory all application inputs
Step 3
Experiment
[Vary inputs, looking for malicious results.] Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
- Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
- Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
Step 4
Exploit
[Execute malicious commands] The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
- The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection).

How the attack works

CAPEC-88: OS Command Injection

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-88?

How does a OS Command Injection attack work?

How do you prevent CAPEC-88?

What weaknesses does CAPEC-88 target?

How severe is CAPEC-88?

References

Defend against CAPEC-88

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-88?

How does a OS Command Injection attack work?

How do you prevent CAPEC-88?

What weaknesses does CAPEC-88 target?

How severe is CAPEC-88?

References

Defend against CAPEC-88