OS command injection is a security vulnerability that occurs when an attacker manipulates a system by injecting arbitrary operating system commands into an application. These commands are then executed on the host server, potentially leading to severe consequences such as data theft, system compromise, or unauthorized access.
How OS Command Injection Happens
The vulnerability arises when an application:
1. Accepts input from users (e.g., form fields, query strings).
2. Passes this input directly into an operating system command without proper sanitization or validation.
If an attacker crafts malicious input that includes valid OS commands, the application may execute these commands with the same privileges as the application process.
Example
Consider a web application that uses a user-provided filename to list files in a directory:
import os
def list_files(filename):
os.system(f"ls {filename}")
An attacker could input filename; rm -rf / to execute a destructive command:
ls ; rm -rf /
Consequences of OS Command Injection.
• Data breach: Attacker can access sensitive files or database records.
• Denial of Service (DoS): System can be rendered inoperable (e.g., by deleting critical files).
• Privilege escalation: Exploiting vulnerabilities to gain higher-level access.
• Remote control: Attacker may install malware or gain persistent access to the system.
Prevention
1. Avoid direct OS command execution: Use safer alternatives, such as built-in functions or libraries (e.g., subprocess.run() with controlled parameters in Python).
2. Input validation: Validate and sanitize user input rigorously to ensure only expected data is accepted.
3. Use parameterized APIs: Avoid string concatenation when interacting with system-level commands.
4. Apply the principle of least privilege: Limit the application’s access rights to minimize damage if exploited.
5. Implement security controls: Use tools like Web Application Firewalls (WAF) to monitor and block malicious inputs.
Real-Life Example
The infamous Shellshock vulnerability exploited OS command injection flaws in the Bash shell to execute arbitrary commands on vulnerable systems.