Command Injection, its exploitation techniques, and prevention measures

Introduction

Command injection is a severe security vulnerability that allows attackers to execute unauthorized commands on a target system. In applications, command injection can occur when untrusted user input is improperly handled. This article dives deeper into command injection, explores various types of vulnerabilities, provides sophisticated code examples to demonstrate their exploitation, and presents comprehensive prevention measures to secure your applications by using Typescript code.

Understanding Command Injection

Command injection arises when an application allows unvalidated user input to be directly executed as a system command. Attackers exploit this vulnerability to inject and execute arbitrary commands within the host operating system. Applications, especially those interacting with the command-line interface or shell, are susceptible to command injection attacks if input validation and sanitization measures are inadequate.

Types of Command Injection

1. Basic Command Injection: It occurs when untrusted user input is concatenated into a command string without proper sanitization or validation.
2. Blind Command Injection: It occurs when an application does not provide any direct output that reveals the result of the injected command. Attackers use techniques to infer the outcome indirectly.

Exploiting Command Injection: Advanced Examples

To illustrate the potential risks associated with advanced command injection vulnerabilities, let’s explore two sophisticated examples.

Example 1: Exploiting Basic Command Injection

Consider a TypeScript application that performs a ping test using user-supplied input:

import { exec } from 'child_process';
const targetHost = req.query.host;
const command = `ping -c 4 ${targetHost}`;
exec(command, (error, stdout, stderr) => {
  if (error) {
    console.error(`Command execution error: ${error}`);
    return;
  }
  console.log(`Ping results:\n${stdout}`);
});

In the above code, the targetHost parameter is directly concatenated into the command string. An attacker can exploit this vulnerability by injecting additional commands as part of the targetHost value:

localhost; cat /etc/passwd

This payload would execute the injected command (cat /etc/passwd), resulting in the disclosure of sensitive system information.

Example 2: Exploiting Blind Command Injection

Consider a TypeScript application that performs a DNS lookup using user-supplied input:

import { exec } from 'child_process';
const targetDomain = req.query.domain;
const command = `nslookup ${targetDomain}`;
exec(command, (error, stdout, stderr) => {
  if (error) {
    console.error(`Command execution error: ${error}`);
    return;
  }
  console.log(`DNS lookup results:\n${stdout}`);
});

In the above code, the targetDomain parameter is directly interpolated into the command string. An attacker can exploit this vulnerability to inject arbitrary commands and infer the result indirectly:

localhost; ping -c 10 192.168.0.1

This payload injects the command ping -c 10 192.168.0.1 after the semicolon. While the output of the nslookup command doesn't reveal the result of the injected command, the attacker can infer the outcome by observing the ping latency to the specified IP address.

Preventing Command Injection

To effectively prevent command injection vulnerabilities in your TypeScript applications, implement the following comprehensive mitigation strategies:

1. Strict Input Validation:

• Validate and sanitize all user-supplied input to ensure it conforms to expected formats and patterns.
• Employ input validation libraries or custom validation routines to filter out potentially malicious input.

2. Parameterized Queries and Prepared Statements:

• Use parameterized queries or prepared statements when interacting with databases to prevent SQL injection vulnerabilities, which can indirectly lead to command injection.

3. Command Whitelisting:

• Implement a command whitelist to restrict the allowed commands and arguments, rejecting any unauthorized or potentially dangerous input.

4. Shell Escape and Sanitization:

• Utilize shell escape functions or libraries (e.g., shell-escape or shell-quote) to properly sanitize and escape user input when constructing command strings.

import { exec } from 'child_process';
import { quote } from 'shell-quote';
const targetDomain = req.query.domain;
const sanitizedDomain = quote([targetDomain]);
const command = `nslookup ${sanitizedDomain}`;
exec(command, (error, stdout, stderr) => {
  if (error) {
    console.error(`Command execution error: ${error}`);
    return;
  }
  console.log(`DNS lookup results:\n${stdout}`);
});

5. Principle of Least Privilege:

• Ensure that the application’s execution environment has limited privileges to minimize the potential impact of command injection attacks.

6. Regular Security Audits and Updates:

• Conduct thorough security audits to identify and remediate vulnerabilities, including command injection.
• Keep all dependencies up to date, as new releases often address known vulnerabilities.

Conclusion

Command injection vulnerabilities pose serious risks. By understanding the various types of command injection and implementing robust preventive measures, you can fortify your applications against potential exploits. Always prioritize input validation, employ parameterized queries, and adhere to the principle of least privilege. Regular security audits and staying informed about the latest security practices are essential for maintaining the integrity and security of your applications. Safeguard your code and protect your users from command injection attacks.