CWE-78 OS Command Injection

Improper neutralization of special elements used in an OS command allows attackers to execute unexpected, dangerous commands directly on the operating system.

OS Command Injection

Gives an attacker who has no direct access to the operating system a way to run commands on it, through the vulnerable application.

  • Remote code execution.

Lets the attacker run commands the application never intended to expose.

The injected commands run with the privileges of the compromised process, which may be privileges the attacker does not have.

  • Privilege escalation from a standard user to another user or to an administrator.

Exacerbated if the compromised process does not follow the principle of least privilege.

  • The attacker-controlled commands then run with the process's elevated system privileges, increasing the damage.

Potential attack surface is broad

Most languages can hand a string to a shell: system() in PHP, C and C++; os.system() and the subprocess module in Python.

  • Python: os.system("command") or subprocess.run(cmd, shell=True); C/C++: system(3), popen(3) or the exec family with attacker-controlled arguments.

Filenames (and other data the application treats as inert) can carry commands: when a name containing shell metacharacters such as ;, |, &&, $(...) or backticks is spliced into a command line, the shell expands and executes them.
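The following is an added example, not code from the original page. It assumes a hypothetical "report size" feature that runs wc -c on a user-supplied filename: the vulnerable form glues the name into a shell command line (same behaviour as os.system), the hardened form passes an argv list with no shell, ends option parsing with "--", and applies an allowlist to the name. The injected payload is a harmless "; echo INJECTED" so the effect is observable without damage.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical feature (assumption): report the byte count of a file whose
# name comes straight from the request, i.e. attacker-controlled input.


def vulnerable_size(filename: str) -> str:
    """CWE-78: the user-supplied name is concatenated into a shell command.
    Any shell metacharacter in it (; | && $(...) `...`) is interpreted by sh.
    subprocess.run(..., shell=True) behaves like os.system() here.
    Returns what the shell wrote to stdout."""
    cmd = "wc -c " + filename
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def is_safe_filename(filename: str) -> bool:
    """Allowlist: a single plain path component. Rejects separators, shell
    metacharacters, and a leading '-' or '.' (a leading dash would be parsed
    as an option even when no shell is involved)."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", filename) is not None


def safe_size(path: str):
    """Hardened form: argv list, no shell, '--' ends option parsing, so the
    whole string is handed to wc as one filename and never interpreted.
    Returns the byte count, or None if wc failed (e.g. no such file)."""
    result = subprocess.run(["wc", "-c", "--", path],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return int(result.stdout.split()[0])


def report_size(base_dir: str, filename: str):
    """Validate first, then resolve inside a fixed base directory."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename: %r" % filename)
    return safe_size(os.path.join(base_dir, filename))


def demo_on_temp_file() -> int:
    """Constructed input: a 5-byte file in a temp dir, read via the safe path."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.txt"), "wb") as f:
            f.write(b"hello")
        return report_size(d, "report.txt")


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable:", repr(vulnerable_size(payload)))   # 'INJECTED\n'
    print("hardened:  ", repr(safe_size(payload)))         # None
    print("allowlist: ", is_safe_filename(payload))        # False
    print("temp file: ", demo_on_temp_file())              # 5
```

The allowlist is deliberately stricter than "no metacharacters": path separators and a leading dash are rejected too, because even without a shell a name like "../etc/passwd" or "-r" changes what the child program does.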

Some web technologies can run commands from page content: CGI scripts, and Server Side Includes with the exec directive (<!--#exec cmd="..." -->).

Some databases include exec-like features (Oracle's DBMS_SCHEDULER can run an executable as a job; MSSQL has xp_cmdshell), so an injection into these calls reaches the OS:

DBMS_SCHEDULER.CREATE_JOB( job_name   => ...,
                           job_type   => 'EXECUTABLE',
                           job_action => '...' );
