Case Study on Command Injection through Unsanitized User Input

[Sampreeth006]

Description:
Command injection happens when a program constructs a system command string from untrusted input without properly cleaning or checking it. An attacker may add more commands or arguments that the system runs with the same permissions as the application that is susceptible.

Proposal:
I propose a case study on Command Injection via Unsanitized User Input. This case study describe the process that leads to this problem when user input is incorrectly concatenated into shell or system instructions, demonstrate with few examples of working with Python, and discuss the impact of file manipulation, privilege escalation.

References:
1.⁠ ⁠https://owasp.org/www-community/attacks/Command_Injection
2.⁠ ⁠https://portswigger.net/web-security/os-command-injection
3.https://cwe.mitre.org/data/definitions/78.html
4. https://dl.acm.org/doi/10.1145/1111037.1111070#:~:text=References43-,Abstract,forms%20of%20command%20injection%20attacks.

[abuttner]

Important weakness type to cover. Do you have a specific vulnerability that you will be looking at? What is the CVE id for the vulnerability that you will be basing the case study on?

[Sampreeth006]

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Source: https://cwe.mitre.org/data/definitions/78.html

Specific Vulnerability and CVE Reference:
This case study will be based on CVE-2019-1821, a command injection vulnerability in Cisco Prime Infrastructure and Evolved Programmable Network Manager.
In this scenario, a poor validation of user supplied an input which let remote attackers run any command they wanted with root capabilities on the operating system underneath. This example demonstrate it very obvious that building commands in an unsafe way may lead to serious security problems.