Top

International Journal of Information Security

Published in:

01-02-2018 | Regular Contribution

Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

Authors: Anastasios Stasinopoulos, Christoforos Ntantogian, Christos Xenakis

Published in: International Journal of Information Security | Issue 1/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injections. Although there are many software tools to detect and exploit other types of code injections, such as SQL injections or cross-site scripting, there is no dedicated and specialized software that detects and exploits, automatically, command injection vulnerabilities. This paper proposes an open-source tool that automates the process of detecting and exploiting command injection flaws on Web applications, named as COMMand Injection eXploiter (Commix). We present and elaborate on the software architecture and detection engine of Commix as well its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. Moreover, based on the knowledge and the practical experience gained from the development of Commix, we propose and analyze new identified techniques that perform side-channel exploitation for command injections allowing an attacker to indirectly deduce the output of the executed command (i.e., also known as blind command injections). Furthermore, we evaluate the detection capabilities of Commix, by performing experiments against various applications. The experimental results show that Commix presents high detection accuracy, while at the same time false positives are eliminated. Finally and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications. Despite its short release time, Commix has been embraced by the security community and comes preinstalled in many security-oriented operating systems including the well-known Kali Linux.

previous article Design and implementation of Negative Authentication System

next article Differential audio analysis: a new side-channel attack on PIN pads

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

OWASP, 2013 Top 10 List, https://www.owasp.org/index.php/Top_10_2013-Top_10

OWASP, SQL injection, https://www.owasp.org/index.php/SQL_Injection

OWASP, Cross-site scripting (XSS), https://en.wikipedia.org/wiki/Cross-site_scripting

Klein, A.: Blind XPath injection. https://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf

Alonso, C., Bordn, R., Antonio, G.: y Marta Beltrn Speakers, LDAP injection & blind LDAP injection. BlackHat, New York (2009)

OWASP, Command injection, https://www.owasp.org/index.php/Command_Injection

How the internet of things could kill you, http://www.tomsguide.com/us/iot-attack-physical-impact,news-19182.html

Is IoT in the smart home giving away the keys to your kingdom?, http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom

Wired, The internet of things is wildly insecure—and often unpatchable. http://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem

10.

Shellshock: a deadly new vulnerability that could lay waste to the internet. http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet

11.

Hackers are already using the shellshock bug to launch botnet attacks. http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

12.

Vulnerability in citrix access gateway legacy authentication support could result in command injection. http://support.citrix.com/article/CTX127613

13.

Symantec web gateway remote command execution. http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1353&signatureSubId=0

14.

IBM Tealeaf CX passive capture application is vulnerable to a remotely exploitable OS command injection and local file inclusion, https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_tealeaf_cx_passive_capture_application_is_vulnerable_to_a_remotely_exploitable_os_command_injection_and_local_file_inclusion_these_vulnerabilities_may_be_exploited_to_compromise_the_host_system?lang=en_us

15.

Sophos web protection appliance sblistpack command injection exploit. http://www.coresecurity.com/exploit/sophos-web-protection-appliance-sblistpack-command-injection-exploi

16.

Papagiannis, I., Migliavacca, M., Pietzuch, P.: PHP Aspis: using partial taint tracking to protect against injection attacks. In: WebApps ’11: Proceedings of the 2nd USENIX Conference on Web Application Development, June 15–16, 2011, Portland, Oregon, USA (2011)

17.

Bravenboer, M., Dolstra, E. Visser, E.: Preventing injection attacks with syntax embeddings. In: ’GPCE ’07: Proceedings of the 6th International Conference on Generative Programming and Component Engineering’, ACM, New York, NY, USA, pp. 3–12 (2007)

18.

Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, New York, NY, USA, pp. 372–382 (2006)

19.

Lin, J.-C., Chen, J.-M.: The automatic defense mechanism for malicious injection attack. In: IEEE, 7th IEEE International Conference on Computer and Information Technology, 2007 (CIT 2007), Fukushima, Japan (2007)

20.

Pietraszek, T., VandenBerghe, C.: Defending against injection attacks through context-sensitive string evaluation. In: Proceedings of 8th International Conference on Recent Advances in Intrusion Detection (RAID) (2005)

21.

OWASP, Testing for command injection (OTG-INPVAL-013). https://www.owasp.org/index.php/Testing_for_Command_Injection_%28OTG-INPVAL-013%29

22.

ExploitDB, Offensive security exploit database archive. https://www.exploit-db.com/

23.

PHP.net, shell_exec - Execute command via shell and return the complete output as a string. http://php.net/manual/en/function.shell-exec.php

24.

PHP.net, passthru—Execute an external program and display raw output. http://php.net/manual/en/function.passthru.php

25.

PHP.net, system—Execute an external program and display the output. http://php.net/manual/en/function.system.php

26.

Privoxy proxy, http://www.privoxy.org/

27.

Kali Linux, Tools, http://tools.kali.org/exploitation-tools/commix

28.

Data exfiltration on Linux, http://blog.ring-zer0.com/2014/02/data-exfiltration-on-Linux.html

29.

Exfiltrate data using the old ping utility trick, http://blog.curesec.com/article/blog/23.html

30.

Damn Vulnerable Web Application (DVWA), http://www.dvwa.co.uk

31.

Extremely buggy web app (bWAPP), http://www.itsecgames.com/

32.

OWASP, Mutillidae.https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

33.

Pentester Lab, Web For Pentester, https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/

34.

Pentester Academy, Command Injection ISO: 1, https://www.vulnhub.com/entry/command-injection-iso-1,81/

35.

TrustwaveSpiderLabs: MCIR (ShelLOL). https://github.com/SpiderLabs/MCIR/tree/master/shellol

36.

Petbot, Petbot-device client side code. https://github.com/petbot/petbot-device

37.

Tantium generator. https://github.com/Tantium/Generator

38.

Tantium generator (online). http://algorithm.tantium.org

39.

RpiIRRemote. https://github.com/offbye/RpiIRRemote

40.

‘Red’ alert. https://github.com/sachinio/redalert

41.

Microsoft, Microsoft PowerBI. https://powerbi.microsoft.com/

42.

LIGHT. https://github.com/lasse-it/LIGHT

43.

RobotRoverV5. https://github.com/BenderRobot/RobotRoverV5

44.

EEG-Based-BCI. https://github.com/architshukla/EEG-Based-BCI/

45.

iTrace. https://github.com/blobaugh/iTrace

46.

wsn-ip-interoperability. https://github.com/gtrdp/wsn-ip-interoperability

47.

raspberry-pi-camera-control-php. https://github.com/BelmonduS/raspberry-pi-camera-control-php

48.

wp-plugin-grunt. https://github.com/michaelbontyes/wp-plugin-grunt

49.

Linux-webui. https://github.com/virajchitnis/Linux-webui

50.

SMRTControl. https://github.com/SmartHomes473/SMRTControl

51.

Wake-on-LAN (WOL) plugin. https://github.com/dmacias72/wol

52.

Changeling. https://github.com/princesspiresearch/Changeling

53.

PHP.net, print_r - Prints human-readable information about a variable. http://php.net/manual/en/function.print-r.php

54.

Media-management-system. https://github.com/dinushaw/Media-Management-System

55.

DHCP monitor. https://github.com/laigon/dhcp

56.

openvpnas. https://github.com/sabaitechnology/openvpnas/

57.

Sabai Technology, VPN accelerator. http://www.sabaitechnology.com/vpn-accelerator-1/

58.

Stasinopoulos, A., Ntantogian, C., Xenakis, C.: The weakest link on the network: exploiting ADSL routers to perform cyber-attacks. In: Proceedings of 13th IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2013), Athens, Greece (2013)

59.

PHP.net, escapeshellarg—Escape a string to be used as a shell argument. http://php.net/manual/en/function.escapeshellarg.php

60.

PHP.net, escapeshellcmd—Escape shell metacharacters. http://ie2.php.net/manual/en/function.escapeshellcmd.php

61.

Commix. https://github.com/stasinopoulos/Commix

62.

PHP multibyte shell command escaping bypass vulnerability. http://www.securityfocus.com/archive/1/491687

63.

Stasinopoulos, A., Ntantogian, C., Xenakis, C.: Commix: detecting and exploiting command injection flaws. BlackHat, London (2015)

64.

PHP extension and application repository—net library. https://pear.php.net/packages.php?catpid=16&catname=Networking

65.

WAP, Web application protection. http://awap.sourceforge.net/

66.

Command injection test environment. https://github.com/commixproject/commix-testbed

67.

AWStats referrer arbitrary command execution vulnerability. https://tools.cisco.com/security/center/viewAlert.x?alertId=9578

68.

Stuttard, D., Pinto, M.: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd edn. Wiley, Hoboken (2011)

69.

PHP-Charts v1.0 PHP code execution vulnerability. https://www.rapid7.com/db/modules/exploit/unix/webapp/php_charts_exec

70.

D-Link cookie command execution. https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dspw110_cookie_noauth_exec

71.

Command injection without spaces. www.betterhacker.com/2016/10/command-injection-without-spaces.html

Title: Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications
Authors: Anastasios Stasinopoulos
Christoforos Ntantogian
Christos Xenakis
Publication date: 01-02-2018
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-018-0399-z

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2019

Reverse engineering Java Card and vulnerability exploitation: a shortcut to ROM

Defeating SQL injection attack in authentication security: an experimental study

Differential audio analysis: a new side-channel attack on PIN pads

Design and implementation of Negative Authentication System

Deployment and performance evaluation of mobile multicoupon solutions

Premium Partner