界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
Command Injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用登錄金鑰
範例 2:以下程式碼來自一個用於管理性的 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用登錄金鑰
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
CALL FUNCTION 'REGISTRY_GET'
EXPORTING
KEY = 'APPHOME'
IMPORTING
VALUE = home.
CONCATENATE home INITCMD INTO cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
Example 1
中的程式碼允許攻擊者藉由修改登錄金鑰 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從登錄中讀取的值,所以如果攻擊者可以控制登錄金鑰 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個用於管理性的 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
btype = request->get_form_field( 'backuptype' )
CONCATENATE `/K 'c:\\util\\rmanDB.bat ` btype `&&c:\\util\\cleanup.bat'` INTO cmd.
CALL FUNCTION 'SXPG_COMMAND_EXECUTE_LONG'
EXPORTING
commandname = cmd_exe
long_params = cmd_string
EXCEPTIONS
no_permission = 1
command_not_found = 2
parameters_too_long = 3
security_risk = 4
OTHERS = 5.
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。通常 SXPG_COMMAND_EXECUTE_LONG
函數模組不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 CALL 'SYSTEM'
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
MOVE 'make' to cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
CALL 'SYSTEM'
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] SAP OSS notes 677435, 686765, 866732, 854060, 1336776, 1520462, 1530983 and related notes.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.abap.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下程式碼使用來自組態設定檔案的輸入來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下程式碼使用來自組態設定檔案的輸入來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
home = String(fs.readObject(home));
var cmd:String = home + INITCMD;
fscommand("exec", cmd);
...
Example 1
中的程式碼允許攻擊者藉由修改組態設定檔案 configStream
的內容來指向包含惡意版本的 INITCMD
的其他路徑,藉此運用提升的應用程式權限來執行任意指令。因為程式不會驗證從檔案中讀取的值,所以如果攻擊者可以控制該值,他們就可以欺騙應用程式去執行惡意程式碼並控制系統。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var btype:String = String(params["backuptype"]);
var cmd:String = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\"";
fscommand("exec", cmd);
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。通常 fscommand()
函數不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 fscommnd()
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
fscommand("exec", "make");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
fscommand()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.actionscript.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題在於:程式不會對
範例 3:以下程式碼來自一個 Web 應用程式,允許使用者存取他們用於在系統上更新密碼的介面。在此網路環境中,更新密碼的部分程序是執行
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定其安裝目錄,並且根據指定目錄的相對路徑來執行初始化 Script。
...
string val = Environment.GetEnvironmentVariable("APPHOME");
string cmd = val + INITCMD;
ProcessStartInfo startInfo = new ProcessStartInfo(cmd);
Process.Start(startInfo);
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
string btype = BackupTypeField.Text;
string cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat"
+ btype + "&&c:\\util\\cleanup.bat\""));
Process.Start(cmd);
...
這裡的問題在於:程式不會對
BackupTypeField
進行任何驗證。通常 Process.Start()
函數不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 Process.Start()
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,允許使用者存取他們用於在系統上更新密碼的介面。在此網路環境中,更新密碼的部分程序是執行
update.exe
指令,如下所示:
...
Process.Start("update.exe");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
Process.start()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 update.exe
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 update.exe
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.dotnet.command_injection
Abstract
執行包含未經驗證使用者輸入的指令會導致應用程式淪為攻擊者的工具。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重於第一種情況,即攻擊者準確地控制了所執行的指令。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料被應用程式當作指令所執行的字串的一部分。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:下面這個簡單的程式將一個檔案名稱作為一條指令行引數,並將檔案內容顯示給使用者。程式是按照
因為程式是以
範例 2:以下來自具有特殊權限的程式之程式碼,使用環境變數
如
因為攻擊者使用環境變數來控制程式呼叫的指令,所以在這個範例中環境的影響是直接明瞭的。現在,我們會留意當攻擊者可能變更指令解譯方式時會發生的情況。
範例 3:以下程式碼以 CGI 公用程式為基礎,可讓使用者變更其密碼。在網路資訊服務 (NIS) 下的密碼更新過程,包括在
程式會以下列方式呼叫
不同於先前的範例,因為這個範例中的指令是使用強制編碼方式,所以攻擊者不能控制傳輸到
在 Windows 中,存在其他風險。
範例 4:直接或透過呼叫
由於
環境在程式的系統指令執行過程中扮演很重要的角色。如
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重於第一種情況,即攻擊者準確地控制了所執行的指令。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料被應用程式當作指令所執行的字串的一部分。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:下面這個簡單的程式將一個檔案名稱作為一條指令行引數,並將檔案內容顯示給使用者。程式是按照
setuid root
安裝的,因為這個程式的意圖是作為一個學習工具來使用,以便讓那些仍在培訓中的系統管理員查看各權限的系統檔,而不給他們篡改權限,或者損壞系統的能力。
int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
}
因為程式是以
root
的權限來執行,所以 system()
的呼叫也以 root
的權限來執行。如果使用者指定了一個標準的檔案名稱,那麼呼叫就能如預期般執行。但是,如果攻擊者傳遞 ";rm -rf /"
形式的字串,則對 system()
的呼叫會由於缺少引數而無法執行 cat
,然後以遞迴方式刪除根分割的內容。範例 2:以下來自具有特殊權限的程式之程式碼,使用環境變數
$APPHOME
來決定應用程式的安裝目錄,並在該目錄中執行初始化指令碼。
...
char* home=getenv("APPHOME");
char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));
if (cmd) {
strcpy(cmd,home);
strcat(cmd,INITCMD);
execl(cmd, NULL);
}
...
如
Example 1
所述,這個範例中的程式碼提升了應用程式的權限,允許攻擊者隨意執行任何指令。在此範例中,攻擊者可能修改環境變數 $APPHOME
來指定包含 INITCMD
惡意版本的不同路徑。由於程式不會驗證從環境讀取的值,透過控制該環境變數,攻擊者可能欺騙應用程式執行惡意程式碼。因為攻擊者使用環境變數來控制程式呼叫的指令,所以在這個範例中環境的影響是直接明瞭的。現在,我們會留意當攻擊者可能變更指令解譯方式時會發生的情況。
範例 3:以下程式碼以 CGI 公用程式為基礎,可讓使用者變更其密碼。在網路資訊服務 (NIS) 下的密碼更新過程,包括在
/var/yp
目錄中執行 make
。注意,程式更新密碼記錄後,就已按照 setuid root
進行安裝了。程式會以下列方式呼叫
make
:
system("cd /var/yp && make &> /dev/null");
不同於先前的範例,因為這個範例中的指令是使用強制編碼方式,所以攻擊者不能控制傳輸到
system()
的引數。但是,由於程式沒有指定 make
的絕對路徑,而且沒有在叫用指令之前清除任何環境變數,因此攻擊者可能修改他們的 $PATH
變數,以指向名為 make
的惡意二進位碼,並從 shell 提示執行 CGI 指令碼。而且因為程式是按照 setuid root
安裝的,所以攻擊者的 make
版本現在會以 root
權限執行。在 Windows 中,存在其他風險。
範例 4:直接或透過呼叫
_spawn()
系列中的一個函數來叫用 CreateProcess()
時,如果執行檔或路徑中包含空格,請務必小心。
...
LPTSTR cmdLine = _tcsdup(TEXT("C:\\Program Files\\MyApplication -L -S"));
CreateProcess(NULL, cmdLine, ...);
...
由於
CreateProcess()
剖析空格的方式,作業系統嘗試執行的第一個執行檔會是 Program.exe
,而不是 MyApplication.exe
。所以,如果攻擊者能夠在系統上安裝名為 Program.exe
的惡意應用程式,任何會使用 Program Files
目錄不正確呼叫 CreateProcess()
的程式將會執行此應用程式,而不會執行原本所要執行的應用程式。環境在程式的系統指令執行過程中扮演很重要的角色。如
system()
、exec()
和 CreateProcess()
這類的函數,可利用程式呼叫這些函數的環境,因此攻擊者會有機會去影響這些呼叫的運作情況。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.cpp.command_injection
Abstract
在不指定絕對路徑的情況下執行指令時,可讓攻擊者透過變更
$PATH
或程式執行環境的其他層面,使用程式來執行惡意二進位檔案。Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令。
- 攻擊者可以控制程式的參數。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重於第二種情況,即攻擊者能夠透過變更環境變數或預先在搜尋路徑中插入惡意可執行檔,而變更指令意義。此類型的 Command injection 弱點會在以下情況中出現:
1.攻擊者修改了應用程式的環境。
2.應用程式在不指定絕對路徑或驗證正在執行的二進位檔案的情況下執行指令。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:此範例示範了攻擊者可以變更指令的解譯方式時可能發生的情況。程式碼以 CGI 公用程式為基礎,可讓使用者變更其密碼。在網路資訊服務 (NIS) 下的密碼更新過程,包括在
程式會如下叫用
此範例中的指令經過硬式編碼,因此攻擊者無法控制傳遞至
範例 2:以下程式碼使用環境變數來判斷包含暫存目錄是否包含要使用
與前面的範例類似,該指令經過硬式編碼。但是,由於程式沒有為
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令。
- 攻擊者可以控制程式的參數。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重於第二種情況,即攻擊者能夠透過變更環境變數或預先在搜尋路徑中插入惡意可執行檔,而變更指令意義。此類型的 Command injection 弱點會在以下情況中出現:
1.攻擊者修改了應用程式的環境。
2.應用程式在不指定絕對路徑或驗證正在執行的二進位檔案的情況下執行指令。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:此範例示範了攻擊者可以變更指令的解譯方式時可能發生的情況。程式碼以 CGI 公用程式為基礎,可讓使用者變更其密碼。在網路資訊服務 (NIS) 下的密碼更新過程,包括在
/var/yp
目錄中執行 make
。注意,程式更新密碼記錄後,就已按照 setuid root
進行安裝了。程式會如下叫用
make
:
MOVE "cd /var/yp && make &> /dev/null" to command-line
CALL "CBL_EXEC_RUN_UNIT" USING command-line
length of command-line
run-unit-id
stack-size
flags
此範例中的指令經過硬式編碼,因此攻擊者無法控制傳遞至
CBL_EXEC_RUN_UNIT
的引數。但是,由於程式沒有為 make
指定絕對路徑,並且在叫用該指令之前未清除其環境變數,因此攻擊者可將 $PATH
變數修改為指向名為 make
的惡意二進位檔案,並透過 Shell 提示執行 CGI 指令碼。另外,由於程式已按照 setuid root
進行安裝,因此攻擊者的 make
版本現在能利用 root
權限來執行。範例 2:以下程式碼使用環境變數來判斷包含暫存目錄是否包含要使用
pdfprint
指令列印的檔案。
DISPLAY "TEMP" UPON ENVIRONMENT-NAME
ACCEPT ws-temp-dir FROM ENVIRONMENT-VARIABLE
STRING "pdfprint " DELIMITED SIZE
ws-temp-dir DELIMITED SPACE
"/" DELIMITED SIZE
ws-pdf-filename DELIMITED SPACE
x"00" DELIMITED SIZE
INTO cmd-buffer
CALL "SYSTEM" USING cmd-buffer
與前面的範例類似,該指令經過硬式編碼。但是,由於程式沒有為
pdfprint
指定絕對路徑,因此攻擊者可將 $PATH
變數修改為指向惡意二進位檔案。此外,儘管 DELIMITED SPACE
片語會防止 ws-temp-dir
和 ws-pdf-filename
中嵌入空格,但其中的任何一個都可以嵌入 shell 中繼字元 (例如 &&
)。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.semantic.cobol.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1: 下列程式碼允許攻擊者透過
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1: 下列程式碼允許攻擊者透過
cmd
要求參數指定任意指令。
...
<cfset var="#url.cmd#">
<cfexecute name = "C:\windows\System32\cmd.exe"
arguments = "/c #var#"
timeout = "1"
variable="mycmd">
</cfexecute>
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.cfml.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重在第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重在第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
final cmd = String.fromEnvironment('APPHOME');
await Process.run(cmd);
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.dart.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重在第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料當作表示應用程式執行之指令的字串或字串的一部分使用。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼會執行使用者控制的指令。
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此案例中,我們著重在第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.資料從不可信賴的來源進入應用程式。
2.資料當作表示應用程式執行之指令的字串或字串的一部分使用。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼會執行使用者控制的指令。
cmdName := request.FormValue("Command")
c := exec.Command(cmdName)
c.Run()
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.golang.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
有人認為在行動環境中,典型的弱點 (例如指令插入) 沒有意義,因為使用者為何要攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。
範例 4:以下程式碼從 Android 用意中讀取將執行的指令。
在已取得 Root 權限的裝置上,惡意應用程式會強迫受害者應用程式以超級使用者的權限執行任意指令。
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\util\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。通常 Runtime.exec()
函數不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 Runtime.exec()
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
System.Runtime.getRuntime().exec("make");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
Runtime.exec()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。有人認為在行動環境中,典型的弱點 (例如指令插入) 沒有意義,因為使用者為何要攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。
範例 4:以下程式碼從 Android 用意中讀取將執行的指令。
...
String[] cmds = this.getIntent().getStringArrayExtra("commands");
Process p = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(p.getOutputStream());
for (String cmd : cmds) {
os.writeBytes(cmd+"\n");
}
os.writeBytes("exit\n");
os.flush();
...
在已取得 Root 權限的裝置上,惡意應用程式會強迫受害者應用程式以超級使用者的權限執行任意指令。
References
[1] IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.java.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用環境變數
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用環境變數
APPHOME
來決定其安裝目錄,並且根據指定目錄的相對路徑來執行初始化 Script。
var cp = require('child_process');
...
var home = process.env('APPHOME');
var cmd = home + INITCMD;
child = cp.exec(cmd, function(error, stdout, stderr){
...
});
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var btype = url.parse(request.url, true)['query']['backuptype'];
if (btype !== undefined){
cmd = "c:\\util\\rmanDB.bat" + btype;
cp.exec(cmd, function(error, stdout, stderr){
...
});
}
...
}
...
http.createServer(listener).listen(8080);
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證,只有驗證此參數是否存在。一旦叫用此 Shell,就可能允許執行多個指令,並且因為應用程式本質的關係,應用程式將會使用與資料庫互動的必要權限來執行,這表示攻擊者插入的所有指令也會使用這些權限來執行。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
require('child_process').exec("make", function(error, stdout, stderr){
...
});
...
這裡的問題是,程式沒有指定
make
的絕對路徑,因此沒能在執行 child_process.exec()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.javascript.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
$home = $_ENV['APPHOME'];
$cmd = $home . $INITCMD;
system(cmd);
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
$btype = $_GET['backuptype'];
$cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " . $btype . "&&c:\\util\\cleanup.bat\"";
system(cmd);
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。通常 Runtime.exec()
函數不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 Runtime.exec()
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
$result = shell_exec("make");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
Runtime.exec()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.php.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼定義了 T-SQL 儲存的程序,當使用不可信賴的資料呼叫時,該程序會執行由攻擊者控制的系統指令。
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼定義了 T-SQL 儲存的程序,當使用不可信賴的資料呼叫時,該程序會執行由攻擊者控制的系統指令。
...
CREATE PROCEDURE dbo.listFiles (@path NVARCHAR(200))
AS
DECLARE @cmd NVARCHAR(500)
SET @cmd = 'dir ' + @path
exec xp_cmdshell @cmd
GO
...
References
[1] xp_cmdshell
[2] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.sql.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
home = os.getenv('APPHOME')
cmd = home.join(INITCMD)
os.system(cmd);
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
btype = req.field('backuptype')
cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\""
os.system(cmd);
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。通常 Runtime.exec()
函數不會執行多重指令,但在此例中,程式首先執行 cmd.exe
shell,以在單一呼叫 Runtime.exec()
時執行多重指令。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
result = os.system("make");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
os.system()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.python.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個用於管理性的 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定目錄的安裝位置,並且根據指定目錄的相對路徑來執行初始化 Script。
...
home = ENV['APPHOME']
cmd = home + INITCMD
Process.spawn(cmd)
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個用於管理性的 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
btype = req['backuptype']
cmd = "C:\\util\\rmanDB.bat #{btype} &&C:\\util\\cleanup.bat"
spawn(cmd)
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。一旦透過 Kernel.spawn
叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
system("make")
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
Kernel.system()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.ruby.command_injection
Abstract
執行包含未經驗證使用者輸入的指令會導致應用程式淪為攻擊者執行惡意指令的工具。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第二種情況,即攻擊者能夠藉由變更環境變數或預先在搜尋路徑中輸入可執行的惡意內容,進而變更指令的意義的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.攻擊者修改應用程式的環境。
2.應用程式沒有指定絕對路徑,或沒有驗證所執行的二位元碼就執行指令。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第二種情況,即攻擊者能夠藉由變更環境變數或預先在搜尋路徑中輸入可執行的惡意內容,進而變更指令的意義的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1.攻擊者修改應用程式的環境。
2.應用程式沒有指定絕對路徑,或沒有驗證所執行的二位元碼就執行指令。
3.藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。
def changePassword(username: String, password: String) = Action { request =>
...
s'echo "${password}" | passwd ${username} --stdin'.!
...
}
References
[1] IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.scala.command_injection
Abstract
執行來自不可信賴來源的指令或在不可信賴的環境中執行指令,會導致程式執行攻擊者偽裝的惡意指令。
Explanation
Command injection 弱點有以下兩種形式:
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
這裡的問題是,程式沒有對來自使用者的
範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
- 攻擊者可以篡改程式執行的指令:攻擊者直接控制指令內容。
- 攻擊者可以篡改指令執行的所在環境:攻擊者間接控制指令代表的意義。
在此例中,我們著重於第一種情況,即攻擊者可控制執行指令的可能性。此類型的 Command injection 弱點會在以下情況中出現:
1. 資料從不可信賴的來源進入應用程式。
2. 資料被用作代表應用程式所執行指令的字串,或字串的一部分。
3. 藉由執行指令,應用程式給予攻擊者原本不該擁有的權限或能力。
範例 1:以下來自於系統公用程式的程式碼使用系統屬性
APPHOME
來決定其安裝目錄,並且根據指定目錄的相對路徑來執行初始化 Script。
...
Dim cmd
Dim home
home = Environ$("AppHome")
cmd = home & initCmd
Shell cmd, vbNormalFocus
...
Example 1
中的程式碼允許攻擊者藉由修改系統屬性 APPHOME
,來指向包含惡意版本的 INITCMD
的其他路徑,運用提升的應用程式權限來執行任意指令。因為程式不會驗證從環境中讀取的值,所以如果攻擊者可以控制系統屬性 APPHOME
的值,那麼他們就可以欺騙應用程式去執行惡意程式碼並取得對系統的控制。範例 2:以下程式碼來自一個管理 Web 應用程式,可允許使用者使用
rman
公用程式周圍的批次檔包裝函式來開始 Oracle 資料庫備份,並接著執行 cleanup.bat
Script 來刪除一些暫存檔案。Script rmanDB.bat
會接受單一指令行參數,其中指定了要執行的備份類型。因為存取資料庫是受限制的,所以應用程式需具有較高權限的使用者來執行備份。
...
btype = Request.Form("backuptype")
cmd = "cmd.exe /K " & Chr(34) & "c:\util\rmanDB.bat " & btype & "&&c:\util\cleanup.bat" & Chr(34) & ";
Shell cmd, vbNormalFocus
...
這裡的問題是,程式沒有對來自使用者的
backuptype
參數進行任何驗證。一旦叫用 Shell,Shell 就會允許執行多個由兩個 & 分隔的指令。如果攻擊者傳遞一個 "&& del c:\\dbms\\*.*"
形式的字串,那麼應用程式將會執行這個指令以及由此程式指定的其他指令。因為此應用程式本質的關係,所以應用程式必須要有權限才可與資料庫互動,這表示攻擊者插入的所有指令也都會使用這些權限進行運作。範例 3:以下程式碼來自一個 Web 應用程式,提供了可讓使用者在系統上更新密碼的介面。在特定網路環境中,更新密碼的部分程序是在
/var/yp
目錄下執行 make
指令。
...
$result = shell_exec("make");
...
這裡的問題是,程式沒有指定一個絕對的路徑,並且沒能在執行
Runtime.exec()
呼叫前清除它的環境變數。如果攻擊者能夠修改 $PATH
變數,指向名為 make
的惡意二進位碼,並使得程式在它們的環境中執行,那麼程式會載入此惡意的二進位碼,代替原來的程式碼。由於應用程式的特性,它需要特定的權限才能執行系統作業,這表示攻擊者的 make
將會在這些權限下執行,攻擊者可能會完全控制系統。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [10] CWE ID 078
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [5] CWE ID 078, [25] CWE ID 077
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.21
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.3 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.8 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.5 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002510 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.dataflow.vb.command_injection