Injection

Presentation (powerpoint)
By: Kumar Pandya & Tapan Shah

Overview

Injection flaws allow attackers to relay malicious code through an application to another system.
Any application that allows execution of external commands such as system calls, shell commands, and SQL requests is susceptible to an Injection Attack.

Code Injection vs Command Injection

Command Injection is a type of attack where the attacker's goal is to execute arbitrary commands on the host OS via a vulnerable application.
For example, exploiting a buffer overflow vulnerability that spawns a shell to execute arbitrary OS commands is Command Injection.
This is different from Code Injection, where the attacker sends input with the goal of exploiting the syntax of the targeted interpreter, without necessarily executing OS commands.

Most web application injection vulnerabilities are code injection vulnerabilities.
Code Injection, though, often leads to Command Injection.
In fact, many types of attacks, including SQL injection, have command injection as their primary end goal, since it is the route to gaining control of the server.

Essentially, command injection often stems from code injection, but it does not always have to.
See Demos for examples of code injection, code injection leading to command injection, and command injection that does not stem from code injection.

Injection Types

Mitigations

Demos

Installation Instructions

All the demonstrations are within a custom VM accessible by all students on the dh2020pc00 machine.
  1. Grab a copy of CustomUbuntu804Server.zip from /virtual/injection/ directory on the dh2020pc00 machine.
    Ex: scp $USER@dh2020pc00.utm.utoronto.ca:/virtual/injection/CustomUbuntu804Server.zip /virtual/$USER
    cd /virtual/$USER
    unzip CustomUbuntu804Server.zip
  2. Run VMware Player, open the VM you just unzipped, and use NAT or VMnet8 for the Network Adapter setting
  3. Login with username root and password password
  4. Note down the IP address shown (/sbin/ifconfig should show you the IP address if you missed it).
    We will refer to the IP address that showed up for you as $ipaddress in the subsequent steps.

XML Injection Demo (Code Injection)

  1. On your host browser, go to $ipaddress/xmlvuln.php
  2. Add the item "Buy more milk" to the todo list
  3. Exercise A: Can you add an item that will break the application?
  4. Exercise B: Rewrite xmlvuln.php to make it secure against XML Injection
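Added example, not the page's xmlvuln.php (which is PHP and not shown here): the same todo-list append written in Python, once by splicing raw text into the markup and once with an XML library. The stored layout <todo><item>...</item></todo> and the sample inputs are constructed assumptions.

```python
"""Unsafe vs safe appending of a todo item to an XML document (added example,
Python; the document layout <todo><item>...</item></todo> is an assumption)."""
import xml.etree.ElementTree as ET


def add_item_unsafe(xml_text: str, item: str) -> str:
    """Vulnerable pattern: the raw item text is spliced straight into the markup,
    so whatever the user typed becomes part of the document's syntax."""
    return xml_text.replace("</todo>", "<item>" + item + "</item></todo>")


def add_item_safe(xml_text: str, item: str) -> str:
    """Safe pattern: build the node with the XML library, which escapes '<', '>'
    and '&' on serialisation, so the text can never turn into markup."""
    root = ET.fromstring(xml_text)
    node = ET.SubElement(root, "item")
    node.text = item
    return ET.tostring(root, encoding="unicode")


def item_texts(xml_text: str) -> list:
    """Parse the document back and return the stored item texts
    (raises ET.ParseError if the document is no longer well-formed)."""
    return [(n.text or "") for n in ET.fromstring(xml_text).findall("item")]


def is_well_formed(xml_text: str) -> bool:
    """True if the document still parses, i.e. the application would not break on it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed inputs for the demonstration.
EMPTY_LIST = "<todo></todo>"
NORMAL = "Buy more milk"
SMUGGLE = "Buy more milk</item><item>injected"   # one submission yields two items when unescaped
BREAK = "<oops"                                    # unbalanced tag: document no longer parses


if __name__ == "__main__":
    print(item_texts(add_item_unsafe(EMPTY_LIST, SMUGGLE)))  # two items from one request
    print(is_well_formed(add_item_unsafe(EMPTY_LIST, BREAK)))  # False
    print(item_texts(add_item_safe(EMPTY_LIST, SMUGGLE)))    # the literal text, one item
```

The fix for Exercise B follows the same principle in PHP: never concatenate user input into XML text; let DOMDocument or SimpleXML create the node and set its text, and validate the item (length, allowed characters) before storing it.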

Shell Injection Demo (Code Injection leading to Command Injection)

  1. On your host browser, go to $ipaddress/whois.php
  2. Try inputting a domain for whois lookup, like yahoo.ca (Note: this will only work if you have outgoing internet connection)
  3. What happens when you add a semicolon at the end? Is there an error?
  4. Try the input ;uname -a in the whois lookup - what did it output?
  5. Exercise: Rewrite whois.php to make it secure against Shell Injection

Pure Command Injection

Suppose you, as a hacker, have an account on the system with normal user permissions.
You would like to be able to inject arbitrary OS commands as root; more specifically, say you want to print out the contents of the /etc/shadow file.
You try cat /etc/shadow but you get permission denied! What do you do?

Suppose you discovered that there is a program /vulnerable/account that is a setuid program (i.e. the program runs as root), and you also have access to the source code /vulnerable/account.c.
Upon investigation of the source code, you realize that the account program calls the external cat binary to display a user's balance.
Now you have all you need to make an exploit that will let you inject arbitrary OS commands, without exploiting any code injection vulnerability! How so?

  1. On the VM, su hacker
  2. bash
  3. /vulnerable/account test - what is the output?
  4. cd /home/hacker/bin
  5. ls
  6. ./cat - what is the output? Take a look at the source code in cat.c
  7. export PATH=/home/hacker/bin:$PATH - What does this do? Why do we do this?
  8. echo $PATH
  9. /vulnerable/account test - what was the output this time? How did that happen!
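Added example covering both the whois.php exercise and the account program above (Python, not the page's PHP or C; the page does not show either source). It contrasts handing a string to the shell with passing an argv list, whitelists the domain instead of blacklisting metacharacters, and shows why a privileged program must not let the caller's $PATH decide which cat it runs. The whois binary location, the PHP shell_exec comparison and the echo helpers are assumptions made so the behaviour can be shown offline.

```python
"""Hardening patterns for command execution (added example, Python).
Assumptions: /usr/bin/whois is where the binary lives; the page's whois.php is
taken to build its command as a string for the shell (its source is not shown)."""
import os
import re
import shutil
import subprocess
import tempfile

WHOIS_BIN = "/usr/bin/whois"      # assumed absolute path: never resolved via $PATH
TRUSTED_PATH = "/usr/bin:/bin"    # the only PATH a privileged helper should ever see

# Whitelist: labels of letters, digits and hyphens joined by dots.  Rejecting
# everything else (';', '|', spaces, a leading '-') is simpler and safer than
# trying to enumerate every shell metacharacter in a blacklist.
_DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def validate_domain(domain: str) -> bool:
    return len(domain) <= 253 and _DOMAIN_RE.fullmatch(domain) is not None


def safe_env() -> dict:
    """Minimal child environment: the caller's PATH (and anything else it set)
    is discarded, so a lookup of 'cat' or 'whois' cannot be redirected."""
    return {"PATH": TRUSTED_PATH, "LANG": "C"}


def build_whois_argv(domain: str) -> list:
    """argv for the lookup: absolute binary, validated argument, no shell.
    Validation forbids a leading '-', so the domain cannot be read as an option."""
    if not validate_domain(domain):
        raise ValueError("rejected: not a hostname")
    return [WHOIS_BIN, domain]


def run_whois(domain: str) -> str:
    """The hardened lookup (needs network and an installed whois; not run offline)."""
    result = subprocess.run(build_whois_argv(domain), env=safe_env(),
                            capture_output=True, text=True, timeout=30, check=False)
    return result.stdout


def echo_unsafe(user_input: str) -> str:
    """Vulnerable pattern (what a PHP shell_exec("whois " . $input) amounts to,
    with echo standing in for whois): the string goes to /bin/sh, which
    interprets ';' and friends inside the input."""
    return subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(user_input: str) -> str:
    """Safe pattern: argv list and no shell; the input is one literal argument."""
    return subprocess.run(["/bin/echo", user_input], env=safe_env(),
                          capture_output=True, text=True).stdout


def locate_cat(search_path: str):
    """Which 'cat' a PATH lookup (as system("cat ...") does through /bin/sh) selects."""
    return shutil.which("cat", path=search_path)


def path_hijack_demo() -> tuple:
    """Creates a throwaway directory holding a harmless script named 'cat' and
    shows that prepending it to PATH changes which binary is chosen, whereas a
    fixed trusted PATH does not.  Returns (trusted, via_user_path, via_safe_env)."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "cat")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho 'not the real cat'\n")
        os.chmod(fake, 0o755)
        user_path = d + os.pathsep + TRUSTED_PATH   # what 'export PATH=~/bin:$PATH' yields
        return (locate_cat(TRUSTED_PATH), locate_cat(user_path), locate_cat(safe_env()["PATH"]))


if __name__ == "__main__":
    print(repr(echo_unsafe("hello; echo INJECTED")))   # two commands ran
    print(repr(echo_safe("hello; echo INJECTED")))     # one literal argument
    print(path_hijack_demo())
```

The same three measures map directly onto the exercises: in whois.php, validate the domain against a whitelist and pass it as a single argument (escapeshellarg at minimum) rather than concatenating it into a shell string; in account.c, invoke cat by absolute path, or better read the file directly instead of spawning a child, and clear the environment before any exec from a setuid program.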

Quiz

  1. What's the difference between Code Injection and Command Injection?
  2. For the following question, pick the best answer.

    Shell Injection is an example of:

    1. Code Injection
    2. Code Injection leading to Command Injection
    3. Command Injection
    4. A & B
    5. B & C
    6. A, B, & C
    7. None, this is a trick question! is it really though? ;)

  3. What is LDAP? In what sense is LDAP Injection similar to SQL injection?
  4. List 5 types of code injection types and mitigations against them
  5. Give an example of when code injection via sql injection would lead to command injection
  6. Give an example of Command Injection that does not stem from code injection
  7. What is the difference between whitelisting and blacklisting? Which is better? Why?
  8. Describe the principle of least privilege and give an example of how you would apply it to prevent injection flaws
  9. Bonus: Is P=NP?

References