Name |
Command Delimiters |
|
Likelyhood of attack |
Typical severity |
High |
High |
|
Summary |
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. |
Prerequisites |
Software's input validation or filtering must not detect and block presence of additional malicious command. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters. |
- Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
- Port mapping by exploring the operating system (netstat, sockstat, etc.)
- TCP/IP Fingerprinting
- Induce errors to find informative error messages
|
2 |
Explore |
[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user |
- Spidering web sites for all available links
- Inventory all application inputs
|
3 |
Experiment |
[Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time. |
- Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
- Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
- Enter command delimiters directly in input fields.
|
4 |
Exploit |
[Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software. |
|
|
Solutions | Design: Perform allowlist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
CWE-78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
CWE-93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
CWE-138 |
Improper Neutralization of Special Elements |
CWE-140 |
Improper Neutralization of Delimiters |
CWE-146 |
Improper Neutralization of Expression/Command Delimiters |
CWE-154 |
Improper Neutralization of Variable Name Delimiters |
CWE-157 |
Failure to Sanitize Paired Delimiters |
CWE-184 |
Incomplete List of Disallowed Inputs |
CWE-185 |
Incorrect Regular Expression |
CWE-697 |
Incorrect Comparison |
CWE-713 |
OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-137 |
An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example. |
|