Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

Abstract

Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. Although there are many software tools to detect and exploit other types of code injection, such as SQL injection or cross-site scripting, there is no dedicated and specialized software that automatically detects and exploits command injection vulnerabilities. This paper proposes an open-source tool that automates the process of detecting and exploiting command injection flaws in Web applications, named COMMand Injection eXploiter (Commix). We present and elaborate on the software architecture and detection engine of Commix, as well as its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. Moreover, based on the knowledge and the practical experience gained from the development of Commix, we propose and analyze newly identified techniques that perform side-channel exploitation of command injections, allowing an attacker to indirectly deduce the output of the executed command (the case also known as blind command injection). Furthermore, we evaluate the detection capabilities of Commix by performing experiments against various applications. The experimental results show that Commix presents high detection accuracy while at the same time eliminating false positives. Finally, and most importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite the short time since its release, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems, including the well-known Kali Linux.
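As an added illustration of the flaw class the paper targets (example code written for this page, not code from the paper or from Commix), the following PHP fragment shows a minimal "ping this host" endpoint in two forms: the vulnerable form concatenates the request parameter into a shell_exec() command line, so shell metacharacters in the parameter are interpreted by /bin/sh; the hardened form validates the parameter against an allowlist and then quotes it with escapeshellarg(). The function names, the $host parameter and the constructed sample inputs are assumptions. The same vulnerable pattern with the command output discarded instead of echoed is the blind case that the paper's side-channel techniques are designed to detect.

```php
<?php
// Added example, not from the Commix paper. Function names and inputs are assumptions.

// Vulnerable: $host is spliced into the command string that shell_exec() hands
// to /bin/sh, so a value containing shell metacharacters changes the command.
// Echoing the result back gives the classic (non-blind) case; an endpoint that
// runs the same command but never returns its output is the blind case.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Allowlist: a hostname or IPv4 literal needs only letters, digits, '.' and '-',
// so no shell metacharacter can pass. Length bound matches the DNS name limit.
function validate_host(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1;
}

// Hardened, two layers: reject anything outside the allowlist, then still quote
// the value with escapeshellarg() so it reaches ping as one literal argument.
function ping_hardened(string $host): string
{
    if (!validate_host($host)) {
        throw new InvalidArgumentException("invalid host");
    }
    return (string) shell_exec("ping -c 1 " . escapeshellarg($host));
}

// Demonstration on constructed inputs; only validation and quoting are shown,
// so nothing is executed when this script runs.
$inputs = ["127.0.0.1", "example.com", "127.0.0.1; id", "\$(id)"];
foreach ($inputs as $input) {
    printf(
        "%-16s allowlist=%-5s quoted=%s\n",
        $input,
        validate_host($input) ? "true" : "false",
        escapeshellarg($input)
    );
}
```

Validation runs before quoting on purpose: escaping-only defenses have had encoding-related bypasses in the past, whereas a strict allowlist leaves no metacharacter for the shell to interpret. Where the program supports it, avoiding the shell altogether (passing an argument array to the process) removes the injection surface entirely.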


Figures 1–10 (images not included)


Acknowledgements

This research has been funded by the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).

Author information

Corresponding author: Christoforos Ntantogian.

About this article

Cite this article

Stasinopoulos, A., Ntantogian, C. & Xenakis, C. Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications. Int. J. Inf. Secur. 18, 49–72 (2019). https://doi.org/10.1007/s10207-018-0399-z


Keywords

  • Command injection
  • Code injection
  • Exploitation
  • Software tool
  • Web security