Notes - MCS
Analysis and Exploration of Vulnerabilities

Avoiding OS Injection

Never execute system commands from an application.

  • Building an application on top of existing command-line tools allows faster development, but the risk is enormous.

Be careful about imported dependencies, which may execute commands on your behalf. If you do need to execute system commands from an application, process all inputs before the command executes and assume the code contains a potential vulnerability.

Strategies:

  • Only allow a subset of commands and arguments.

  • Forbid specific commands or characters.

  • Escape special characters.

It is hard to consider every situation in every environment where the application may run, and new loopholes may appear in the future.

  • A validation regex frequently only parses the first line (text up to 0x20) and ignores the rest of the input.

  • rm can be written as r'm' or r"m" or r\m or $'\x72\x6d' or $(xxd -r -p <<< 726d) or xargs -I {} bash -c '{}m' <<< r.

Drop privileges to a non-privileged user (nobody).

  • The user should only have access to its work files.

    • Difficult to implement as there are many world-readable/executable files.

  • This limits the impact to what the permissions of that user allow.

Isolate execution using virtualization/containers/sandboxes.

  • Will limit the impact to the virtualized/constrained environment.

  • Virtual Machines provide broad isolation but may still expose a wide attack surface inside the guest.

  • Containers typically provide a smaller attack surface (fewer tools available).

  • Sandboxes can be very restrictive (SELinux, AppArmor...).

Do not rely on well-known lookup mechanisms such as the PATH variable.

  • Use absolute paths for all commands.
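The strategies above (allowlist of commands and arguments, no shell, absolute paths, fixed environment) and the regex pitfall, as an added Python example that is not part of the original notes. The tool paths, the ping/dig allowlist and the hostname pattern are assumptions chosen for illustration.

```python
import re
import subprocess

# Allowlist of permitted tools, each by absolute path so PATH lookup is never
# consulted (paths are assumptions for a typical Linux host).
ALLOWED_COMMANDS = {
    "ping": ["/bin/ping", "-c", "1"],
    "dig": ["/usr/bin/dig", "+short"],
}

# Hostname characters only: no space, quote, $, ;, backslash, parenthesis or
# newline, so none of the alternative spellings of rm survive validation.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def naive_is_valid_host(value: str) -> bool:
    # Pitfall: '$' also matches just before a trailing newline, so
    # "example.com\n" passes although it contains a line break.
    return re.match(r"^[A-Za-z0-9.-]+$", value) is not None


def is_valid_host(value: str) -> bool:
    # fullmatch anchors to the whole string; a trailing newline is rejected.
    return HOST_RE.fullmatch(value) is not None


def vulnerable_shell_line(host: str) -> str:
    # VULNERABLE pattern: untrusted input interpolated into a string that a
    # shell will parse, so shell syntax inside `host` becomes part of the command.
    return f"ping -c 1 {host}"


def build_argv(tool: str, host: str) -> list:
    # Hardened: allowlisted tool, absolute path, validated argument, argv list
    # (no shell parses the string, so quoting tricks have nothing to act on).
    if tool not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {tool!r}")
    if not is_valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return ALLOWED_COMMANDS[tool] + [host]


def is_allowed(tool: str, host: str) -> bool:
    try:
        build_argv(tool, host)
        return True
    except ValueError:
        return False


def run_allowed(tool: str, host: str, timeout: float = 5.0):
    # shell=False plus a fixed minimal environment: nothing from the caller's
    # PATH or other variables reaches the child process.
    return subprocess.run(build_argv(tool, host), shell=False,
                          env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True, timeout=timeout)
```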
