Dark Mode
Capec-15 Detail
Command Delimiters
Standard Software Likelihood: High Typical Severity: High
Parents: 137
Children: 460
Threats: T290
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-15 | capec | https://capec.mitre.org/data/definitions/15.html | |
| CWE-146 | cwe | http://cwe.mitre.org/data/definitions/146.html | |
| CWE-77 | cwe | http://cwe.mitre.org/data/definitions/77.html | |
| CWE-184 | cwe | http://cwe.mitre.org/data/definitions/184.html | |
| CWE-78 | cwe | http://cwe.mitre.org/data/definitions/78.html | |
| CWE-185 | cwe | http://cwe.mitre.org/data/definitions/185.html | |
| CWE-93 | cwe | http://cwe.mitre.org/data/definitions/93.html | |
| CWE-140 | cwe | http://cwe.mitre.org/data/definitions/140.html | |
| CWE-157 | cwe | http://cwe.mitre.org/data/definitions/157.html | |
| CWE-138 | cwe | http://cwe.mitre.org/data/definitions/138.html | |
| CWE-154 | cwe | http://cwe.mitre.org/data/definitions/154.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-1 | reference_from_CAPEC | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley |
Explore
-
Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
-
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
| Techniques |
|---|
| Port mapping using network connection-based software (e.g., nmap, nessus, etc.) |
| Port mapping by exploring the operating system (netstat, sockstat, etc.) |
| TCP/IP Fingerprinting |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Spidering web sites for all available links |
| Inventory all application inputs |
Experiment
-
Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
| Techniques |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) |
| Enter command delimiters directly in input fields. |
Exploit
-
Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
- Software's input validation or filtering must not detect and block presence of additional malicious command.
- Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
| Medium |
|---|
| The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session. |
| Integrity | Availability | Confidentiality |
|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) |
| Read Data |
- By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior. LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.