Command Injection

CAPEC 88
CWE 78
PCI 3.2-6.5.1
WASC 31
OWASP 2017-A1

Command Injection is a critical vulnerability that occurs when an application passes unsafe user-supplied data to a system shell or operating system command interpreter. This flaw allows an attacker to execute arbitrary system commands on the host operating system through the vulnerable application. The commands are executed with the same privileges as the running application, often resulting in full compromise of the affected system.

Command Injection attacks differ from Code Injection in that the attacker’s payload targets the operating system command line, not the application’s internal language interpreter. In this case, the injected input is treated as part of a shell command (e.g., /bin/sh, cmd.exe, powershell) and can chain multiple commands or alter command parameters.

Common vulnerable scenarios include:

Applications invoking system utilities via APIs such as system(), exec(), Runtime.getRuntime().exec(), popen(), or Process.Start().
Unsanitized input passed into shell commands for file handling, network utilities, or diagnostic functions.
Use of input values to build command strings dynamically (e.g., ping, cat, grep, tar, or curl operations).
Web frameworks, plugins, or scripts that rely on OS-level processes to perform tasks like compression, conversion, or network scanning.

Example of unsafe code:

// C# Example
var result = Process.Start("ping " + userInput);

If the user provides input like 127.0.0.1 && del C:\Windows\System32, it can lead to destructive command execution.

Typical impacts:

Complete compromise of the underlying server operating system
Unauthorized access to sensitive files or credentials
Service disruption or data destruction
Lateral movement across internal systems
Persistent malware or shell installation

Root causes include:

Direct concatenation of unvalidated input into command-line strings
Lack of input validation and context-aware escaping
Overuse of OS utilities instead of safe library functions
Poor privilege management or sandboxing

Remediation

To eliminate Command Injection vulnerabilities, applications should never trust user-supplied data for system command execution.

Avoid Shell Invocation
The most effective mitigation is to avoid calling the system shell entirely. Use built-in library functions or APIs instead of invoking external processes.

Parameterization and Safe APIs
When shell execution is unavoidable, pass arguments as separate parameters rather than string concatenation.

// C# safe example (arguments passed separately)
var proc = new Process();
proc.StartInfo.FileName = "ping";
proc.StartInfo.Arguments = userInput; // validate separately
proc.Start();

Input Validation (Whitelisting)
Validate inputs against a strict whitelist of acceptable patterns such as IP addresses, filenames, or numeric values. Disallow shell metacharacters like &, |, ;, $, <, >, and backticks.
Output Encoding and Escaping
If user input must appear in a command, escape special characters according to OS-specific rules. Use this only as a secondary measure.
Principle of Least Privilege
Run applications with the minimum required privileges to limit the impact of potential exploitation.
Disable Unnecessary Functionality
Disable access to dangerous system utilities and interpreters. Use OS-level controls (AppArmor, SELinux) to restrict process execution.
Error Handling and Logging
Avoid exposing command execution errors to users. Log command invocations securely for monitoring and auditing.
Input Normalization
Normalize inputs before validation to eliminate hidden encodings (e.g., Unicode or escaped sequences).
Defense in Depth
Use WAFs, IDS, and system monitoring tools to detect abnormal command execution behavior.
Testing and Review
Conduct code reviews, static analysis, and penetration testing to identify injection flaws in development and production environments.

References

Go Back to List

Search Vulnerability