What is OS command injection?
Operating system (OS) command injection is one of the most common web application security vulnerabilities around. It allows a threat actor to run malicious shell commands by targeting an application weakness with improper input validation, such as a buffer overflow.
Attackers can then execute commands on the exposed system to gain full access to it. This vulnerability can also enable bad actors to steal valuable data or perform other malicious activities.
How does OS command injection work?
OS command injection is performed with the use of arbitrary commands into the server command line.
Attackers inject malicious data and commands into the server's command line, which communicates to the system shell through forms, cookies, and HTTP headings.
This type of attack often occurs without the direct user's knowledge, as attackers are able to conduct it virtually undetected until full execution.
Below, you’ll find the common pathway through which threat actors exploit vulnerabilities with OS command injection.
Malicious attackers identify a critical security exploit within a web application. With this exploit, they have the ability to insert malicious code into the coding command line. A security vulnerability like this allows attackers to access any functionality that the web application provides (even without direct access to the physical OS running the application).
Once the initial access has been gained by the threat actor, they can alter randomly generated website content on the web page by using an HTML code injection from arbitrary command coding. The HTML code uses input mechanisms (such as a public site facing form field or website cookies for the page) to generate an output from its input commands.
After the code is inserted into the targeted web page through the site map, the browser interprets this code and refreshes it with the output results. This method permits the attacker to run customized commands to gain access to the OS server from the website. The gained access then allows the attacker to navigate the system and network of the user's computer, their connected networks, and the compromised system network through this backdoor exploit.
Click the video for a quick tutorial
Key examples of OS command injection:
Fortinet FortiOS (CVE-2021-44171)
NOKIA 1350 (CVE-2022-39819)
Aruba (CVE-2022-37893)
CentreCOM (CVE-2022-38094)
Nintendo (CVE-2022-36381)
Impact of OS command injection
When an OS command injection attack occurs, the disruption caused can create a great deal of impact on users within an organization. Often, OS command injections allow threat actors to access and take advantage of system and network resources to leverage against website owners and businesses alike.
For example, if an SQL database is hosted on the affected machine, then all of its contents will be exposed during an OS command injection attack. This is because it gives attackers complete access to everything running on their target's host, which can include their databases.
Additionally, these types of exploits create an opportunity for attackers to take down entire networks by launching a distributed denial of service (DDoS) type of attack. The damage and disruption to user authorizations and security protections an organization has in place can be costly to mitigate.
How to mitigate OS command injection vulnerabilities
The most effective way to mitigate or eliminate exposure to OS command injection vulnerabilities is through regular security updates. Automox recommends that you take these four steps to effectively mitigate exposure to these vulnerabilities:
1. Stay up-to-date on the latest vulnerabilities
First, make sure you have robust vulnerability detection and scanning capabilities to identify, categorize and manage incoming vulnerabilities. Such vulnerabilities can include unsecured system configurations or missing patches, as well as other security-related updates in the systems connected to the enterprise network directly – remotely or in the cloud.
From Rapid7 and Tenable to Qualys, there are many powerful vulnerability scanning vendors to choose from. Make sure they’re integrated within your tech stack and work with your patch solution, such as Automox, for full-cycle vulnerability remediation to quickly take action against threats, whether that’s a patch, a system reconfiguration, or the removal of vulnerable software.
2. Use a single solution for patching
When you have multiple OSes and third-party software installed across on-prem, remote, and devices in the cloud, you can see how the challenge of patching can quickly spiral. Often companies use several patching tools and ad-hoc manual workarounds to patch their environments, but adding more tools to a problem only compounds the issue.
To resolve this, we recommend keeping it simple with a single cloud-based solution that can address every endpoint, regardless of its OS or where it resides.
With a cloud-hosted platform, you can look forward to no maintenance or VPN requirements while eliminating unnecessary hardware investments and resources. This frees up your dollars and technicians’ cycles for more high-value work.
Support for Windows, macOS, and Linux can also offer the same seamless experience for all OS types. And that enables you to patch all devices in your clients’ environments – from a single pane of glass.
3. Keep an up-to-date inventory of assets
You can’t fix what you can’t see. More and more endpoints are either located on-prem, in the cloud or using cloud services to access data. IT and security teams alike require visibility across their environment to accurately assess their security posture and risk level.
Find tools that promote endpoint visibility and support a single source of truth. The ability to see all of your devices in one dashboard reduces the time spent assessing patch status, validates your security position, and enables accurate reporting to executives and stakeholders.
Other common vulnerabilities you can mitigate
To learn more about other common vulnerabilities and how you might be able to mitigate them, look to our other blogs in this series:
Start your free trial now.
Get started with Automox in no time.
