Vulnerability: Command Injection

• Many vulnerabilities that your team will create are of the type
Command injection.
– If you use c/c++, then buffer overflow can be a bigger problem
• Command injection: A vulnerability that allows an attacker to
execute arbitrary instructions in your server
• Examples
– Moving user uploaded files
• i.e., System commands
– SQL Injection
– Cross-site scripting
• Covered in Web security class
• In all cases: a string is being misinterpreted as an instruction.
You need to be sure that sure misinterpretation is never
possible.
 Command Injection: E.g., Moving User Uploaded Files

• Scenario: The user uploads pictures. Older pictures are moved to an archive
system
• Details: The picture is moved with the following command
– mv FILENAME /archive/FILENAME
• Command line
– os.system(“mv “+filename+” ./archive/”+filename)
• Python
• Vulnerability: filename = “/var/log /var/log; rm *.*;”
– Result:
– os.system(“mv /var/log /var/log; rm *.*; /archive/var/log /var/log; rm *.*;”)
• /var/log is copied (doesn’t matter here)
• “;” separates two commands, the mv from the next one
• “rm *.*” deletes everything. But this command can be anything, like move all other users’ pictures to my folder
• Underlying problem: the variable “filename” is controlled by the user and is an
instruction, not a string.
• General problem: a string of text that the user can control is being interpreted as
a command
 Command Injection

• When moving, copying, deleting files, use the language commands

– don’t use os.system(“mv “+filename+” /archive/”+filename)
– Use: os.rename(filename, /archive/”+filename)

• Use better versions of os.system() that allow you to specify the command
arguments
– Consider: mv filename destFileName
• One command and 2 arguments
– subprocess.Popen(command, args)
• Note that is makes is clear that args are strings and will never be interpreted as commands!

• Or even
– Instead of os. system(user_command)
– If user_command == “run this”:
• os.system(“run this”)
– elif user_command == “run that”:
• os.system(“run that”)
– Else:
• raise (“unknown command”)
 Command Injection

• Or even
– Instead of os. system(user_command)
– If user_command == “run this”:
• os.system(“run this”)
– elif user_command == “run that”:
• os.system(“run that”)
– Else:
• raise (“unknown command”)

• Or perhaps
– Ensure that any user string is not part of a command
– Suppose the file name is like energyData20200201.zip
• where 20200201 is the date
– Parse file name
• Name: “energyData” // static string
• Date: new Date(‘2020-02-01’) // this is an object of type Date, not a string
– mv Name+Date.toString()+”.zip archive/”+Name+Date.toString()+”.zip”

• These will pass static analysis

– We discuss static analysis later
 SQL Injection “Student: ‘wow Stephan, you saved my life’”

• SQL: For reading, write, and manipulating data in tables

Table name

student_list

name Hw1 grade Exam grade

Table row Sam 100% A+

Bob 100% A+
 SQL

• SQL: For reading, write, and manipulating data in tables

• SQL Commands are called queries
• E.g., queries
– SELECT count(*) FROM student_list
• Returns 2 because there are two rows in the table

student_list

name Hw1 grade Exam grade

Sam 100% A+
Bob 100% A+
 SQL

• SQL: For reading, write, and manipulating data in tables

• SQL Commands are called queries
• E.g., queries
– SELECT count(*) FROM student_list
– INSERT INTO student_list(name) VALUES (‘Stephan’)
• Adds the row name = ‘Stephan’

student_list

name Hw1 grade Exam grade

Sam 100% A+
Bob 100% A+
Stephan
 SQL

• SQL: For reading, write, and manipulating data in tables

• SQL Commands are called queries
• E.g., queries
– SELECT count(*) FROM student_list
– INSERT INTO student_list(name) VALUES (‘Stephan’)
– DELETE FROM student_list WHERE name = ‘Stephan’
• Deletes the row where name==‘Stephan’

student_list

name Hw1 grade Exam grade

Sam 100% A+
Bob 100% A+
 SQL

• SQL: For reading, write, and manipulating data in tables

• SQL Commands are called queries
• E.g., queries
– SELECT count(*) FROM student_list
– INSERT INTO student_list(student) VALUES (‘Stephan’)
– DELETE FROM student_list WHERE student = ‘Stephan’
– DROP TABLE student_list

student_list

name Hw1 grade Exam grade

Sam 100% A+
Bob 100% A+
 SQL

• SQL: For reading, write, and manipulating data in tables

• SQL Commands are called queries
• E.g., queries
– SELECT count(*) FROM student_list
– INSERT INTO student_list(student) VALUES (‘Stephan’)
– DELETE FROM student_list WHERE student = ‘Stephan’
– DROP TABLE student_list
– -- is a comment
• SELECT count(*) FROM student_list -- getting the number of students
 My Vulnerable Program
• Program Objective: Get student’s name and add it to the Cybersecurity table
• Steps: student_list
1. Allow student to enter their name
2. Add student to database table
• Details name Hw1 grade Exam grade
Samname: ")
– name = input("Enter your 100% A+
– string = “INSERT INTO Bob 100% (‘“+name+”’)” A+
student_list(name) VALUES
– db.execute(string) Stephan
• Example
– name = “Stephan”
– Instruction to build:
• string = “INSERT INTO student_list(name) VALUES (‘“ + ”Stephan” + ”’)”
– string = “INSERT INTO student_list(name) VALUES (‘Stephan’)”
– db.execute(string)
• Puts ‘Stephan’ into the student_list table
 SQL Injection
• Details
– name = input("Enter your name: ")
– string = “INSERT INTO student_list(name) VALUES (‘“+name+”’)”
– db.execute(string)
• Normal Example
– name = “Stephan”
– Instruction to build string = “INSERT INTO student_list(name) VALUES (‘“ + ”Stephan” + ”’)”
– string = “INSERT INTO student_list(name) VALUES (‘Stephan’)”
– db.execute(string)
• Attack Example
– name = “Stephan’); DROP TABLE students_list; --”
– Instruction to build string =
• “INSERT INTO student_list(name) VALUES (‘“ + ”Stephan’); DROP TABLE students; --” + ”’)”
– string = “INSERT INTO student_list(name) VALUES (‘Stephan’); DROP TABLE student_list; --’)”
– db.execute(string)
• Puts ‘Stephan’ into the student_list table
• Drops the student_list
 SQL Injection

• My Program:
– Enter student name: ?
– Get user name, variable userName and add to DB
– INSERT (class_name, student) VALUES (‘Cybersecurity’, username)
– string = “INSERT (class_name, student) VALUES (‘Cybersecurity’, ‘” + username + “’)”
– DB.execute(string)
• Problem:
– The user enters username. We have no control over what they input
– Then we execute that.
– The user control what is executed.
– The user directly controls the query, or the code, that is executed
– Oh no
• Solution: Parameterized queries. Every language has this capability
– query = “INSERT (class_name, student) VALUES (‘Cybersecurity’, ? )”
– queryData = username
– DB.execute(query,queryData)
– Key idea: the query and query data are separate
– The DB knows that the data is data and no to be executed
 SQL Injection
• Solution: Parameterized queries. Every language has this capability
– Never allow queries to be built via +
String concatenation
– Query = “SELECT user_name FROM students WHERE name = “ + user_name
– Do not use string concatenation
• This was the problem in the command injection vulnerability as well!

• But Stephan!?!
– Int Id = 17;
– Query = “SELECT user_name FROM students WHERE app_id = “ + id Explain why your SQL
command is actually ok
– Where id is a number generated from code. How could it ever be a sql injection?
to this guy

Some of my best friends are software auditors, but…

The goal of an audit is to?
Get more business for the auditors. They want to show how smart
they are in finding problems.
You and your boss’s boss’s boss get to see the results of the audit.
When the auditor make a mistake…
maybe you can explain it to your boss’s boss’s boss
 Review

• CIA
• Threats vs Vulnerabilities vs Exploits
• Examples of threats, e.g., STRIDE
– Spoofing
– Tampering
– Repudiation—denying responsibility for past actions
– Information disclosure
– Denial of service
– Escalation of privilege—obtaining privileges to access resources,
typically referring to malware that gains a base level of access as a
foothold and then exploits vulnerabilities to extend this to gain
greater access
• Vulnerability: Command Injection
– E.g., command line injection, SQL injection, cross-site scripting