CVE-2014-3883 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Severity

68%

Complexity

86%

Confidentiality

106%

Usermin before 1.600 allows remote attackers to execute arbitrary operating-system commands via unspecified vectors related to a user action.

Usermin before 1.600 allows remote attackers to execute arbitrary operating-system commands via unspecified vectors related to a user action.

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.


               
system($command);

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:


               
;rm -rf /

Which would result in $command being:


               
ls -l /home/;rm -rf /

Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.


               
}
close($fh);
print "<br>\n";

Suppose an attacker provides a domain name like this:


               
cwe.mitre.org%20%3B%20/bin/ls%20-l

The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this:


               
/path/to/nslookup cwe.mitre.org ; /bin/ls -l

As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.


               
System.exec(script);

If an attacker has control over this property, then they could modify the property to point to a dangerous program.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through a HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates.


               
}
return utmCoords;
// process results of coordinate transform// ...

However, the method does not verify that the contents of the coordinates input parameter includes only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.


               
...
"&&c:\\utl\\cleanup.bat\"")

The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.

Overview

Type

Webmin Usermin

First reported 10 years ago

2014-06-21 15:55:00

Last updated 10 years ago

2014-06-23 17:19:00

Affected Software

Webmin Usermin 0.4

0.4

Webmin Usermin 0.5

0.5

Webmin Usermin 0.6

0.6

Webmin Usermin 0.7

0.7

Webmin Usermin 0.80

0.80

Webmin Usermin 0.90

0.90

Webmin Usermin 0.910

0.910

Webmin Usermin 0.929

0.929

Webmin Usermin 0.930

0.930

Webmin Usermin 0.940

0.940

Webmin Usermin 0.950

0.950

Webmin Usermin 0.960

0.960

Webmin Usermin 0.970

0.970

Webmin Usermin 0.980

0.980

Webmin Usermin 0.990

0.990

Webmin Usermin 1.000

1.000

Webmin Usermin 1.010

1.010

Webmin Usermin 1.020

1.020

Webmin Usermin 1.030

1.030

Webmin Usermin 1.040

1.040

Webmin Usermin 1.050

1.050

Webmin Usermin 1.051

1.051

Webmin Usermin 1.060

1.060

Webmin Usermin 1.070

1.070

Webmin Usermin 1.080

1.080

Webmin Usermin 1.090

1.090

Webmin Usermin 1.100

1.100

Webmin Usermin 1.110

1.110

Webmin Usermin 1.120

1.120

Webmin Usermin 1.130

1.130

Webmin Usermin 1.140

1.140

Webmin Usermin 1.150

1.150

Webmin Usermin 1.160

1.160

Webmin Usermin 1.170

1.170

Webmin Usermin 1.180

1.180

Webmin Usermin 1.190

1.190

Webmin Usermin 1.200

1.200

Webmin Usermin 1.210

1.210

Webmin Usermin 1.220

1.220

Webmin Usermin 1.230

1.230

Webmin Usermin 1.240

1.240

Webmin Usermin 1.250

1.250

Webmin Usermin 1.260

1.260

Webmin Usermin 1.270

1.270

Webmin Usermin 1.280

1.280

Webmin Usermin 1.290

1.290

Webmin Usermin 1.300

1.300

Webmin Usermin 1.310

1.310

Webmin Usermin 1.320

1.320

Webmin Usermin 1.330

1.330

Webmin Usermin 1.340

1.340

Webmin Usermin 1.350

1.350

Webmin Usermin 1.360

1.360

Webmin Usermin 1.370

1.370

Webmin Usermin 1.380

1.380

Webmin Usermin 1.390

1.390

Webmin Usermin 1.400

1.400

Webmin Usermin 1.410

1.410

Webmin Usermin 1.420

1.420

Webmin Usermin 1.430

1.430

Webmin Usermin 1.440

1.440

Webmin Usermin 1.450

1.450

Webmin Usermin 1.460

1.460

Webmin Usermin 1.470

1.470

Webmin Usermin 1.480

1.480

Webmin Usermin 1.490

1.490

Webmin Usermin 1.500

1.500

Webmin Usermin 1.510

1.510

Webmin Usermin 1.520

1.520

Webmin Usermin 1.530

1.530

Webmin Usermin 1.540

1.540

Webmin Usermin 1.550

1.550

Webmin Usermin 1.560

1.560

Webmin Usermin 1.570

1.570

Webmin Usermin 1.580

1.580

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.