
International Journal of Information Security, Volume 18, Issue 1, pp 49–72

Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

  • Anastasios Stasinopoulos
  • Christoforos Ntantogian
  • Christos Xenakis
Regular Contribution

Abstract

Despite the prevalence and high impact of command injection attacks, the research community has given little attention to this type of code injection. Although many software tools detect and exploit other types of code injection, such as SQL injection or cross-site scripting, there is no dedicated, specialized software that automatically detects and exploits command injection vulnerabilities. This paper proposes an open-source tool, named COMMand Injection eXploiter (Commix), that automates the process of detecting and exploiting command injection flaws in Web applications. We present and elaborate on the software architecture and detection engine of Commix, as well as its extra functionalities that greatly facilitate penetration testers and security researchers in detecting and exploiting command injection vulnerabilities. Moreover, based on the knowledge and practical experience gained from the development of Commix, we propose and analyze newly identified techniques that perform side-channel exploitation of command injections, allowing an attacker to indirectly deduce the output of the executed command (i.e., blind command injections). Furthermore, we evaluate the detection capabilities of Commix by performing experiments against various applications. The experimental results show that Commix achieves high detection accuracy while eliminating false positives. Finally, and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite the short time since its release, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems, including the well-known Kali Linux.

Keywords

Command injection, Code injection, Exploitation, Software tool, Web security

Notes

Acknowledgements

This research has been funded by the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).


Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Anastasios Stasinopoulos (1)
  • Christoforos Ntantogian (1)
  • Christos Xenakis (1)
  1. Department of Digital Systems, University of Piraeus, Piraeus, Greece
