Commix: Detecting and Exploiting Command Injection Flaws

Presented at Black Hat Europe 2015

Command injection flaws can affect any application, regardless of the operating system that hosts it or the programming language in which it is written. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly illustrates the threat posed by this type of code injection is the recently discovered Shellshock bug. Despite the prevalence and high impact of command injection attacks, the research community has paid little attention to this type of code injection. In particular, we have observed that although there are many software tools to detect and exploit other types of code injection, such as SQL injection or Cross-Site Scripting, to the best of our knowledge there is no dedicated, specialized software application that automatically detects and exploits command injection flaws. This talk attempts to fill this gap by proposing an open source tool, named Commix (COMMand Injection eXploitation), that automates the process of detecting and exploiting command injection flaws in web applications. The tool supports a plethora of functionalities in order to cover several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks. Finally, during the evaluation of the tool, we detected several 0-day vulnerabilities in applications.
Overall, the contributions of this work are: a) we provide a comprehensive analysis and categorization of command injection attacks; b) we present and analyze our open source tool that automates the process of detecting and exploiting command injection vulnerabilities; c) we will reveal (during our presentation) several 0-day command injection vulnerabilities that Commix detected in various web-based applications, from home services (embedded devices) to web servers.
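As an added illustration (not part of the talk, nor code from Commix itself), the class of flaw Commix looks for shown beside its hardened form, in Python: a handler that interpolates a user-supplied host into a shell command, the allow-list plus argv version that keeps the value out of any shell, the shlex-quoted fallback for code that must build a shell string, and a metacharacter check of the kind a defender can apply to request logs. The function names and the hostname allow-list are assumptions made for this example.

```python
import re
import shlex
import subprocess

# Assumed allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens.
# A real application should validate against exactly what the feature needs.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Shell metacharacters that let a value break out of the intended command
# once it is interpolated into a shell string ($ also covers $(...) substitution).
_SHELL_META = re.compile(r"[;&|`$<>\n]")


def unsafe_ping_command(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command line.
    Returns the string a shell=True call would hand to /bin/sh (not executed here)."""
    return "ping -c 1 " + host


def safe_ping_argv(host: str) -> list:
    """Hardened pattern: validate the value, then pass it as one argv element so
    no shell ever parses it. Raises ValueError when the input fails validation."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host fails allow-list validation")
    return ["ping", "-c", "1", host]


def run_safe_ping(host: str) -> int:
    """Execute the hardened form; with shell=False metacharacters are inert data."""
    return subprocess.run(safe_ping_argv(host), shell=False).returncode


def quoted_ping_command(host: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote wraps the value so
    the shell treats it as a single word. Prefer argv lists over this."""
    return "ping -c 1 " + shlex.quote(host)


def looks_like_injection(value: str) -> bool:
    """Detection heuristic for request logs or WAF rules: flags a parameter value
    that carries shell metacharacters. Useful for triage, not a substitute for
    the input validation above."""
    return _SHELL_META.search(value) is not None
```

The unsafe builder is kept as a pure function so the effect of the injected separator is visible without running anything.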
Presenters:

  • Christos Xenakis - Department of Digital Systems, University of Piraeus
    Professor Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004, he received his PhD from the University of Athens (Department of Informatics and Telecommunications). From 1998 to 2001, he was with a Greek telecoms system development firm, where he was involved in the design and development of advanced telecommunications subsystems. From 1996 to 2007, he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007, he has been a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where he is an Associate Professor and a member of the System Security Laboratory. He has participated in numerous projects realized in the context of EU Programs (ACTS, ESPRIT, IST, AAL, DGHOME, Marie Curie, Horizon2020) as well as National Programs (Greek). He is the project manager of the ReCRED project funded by Horizon2020, and his research interests are in the field of systems, networks, and applications security.
  • Christoforos Ntantogian - Department of Digital Systems, University of Piraeus
    Dr. Christoforos Ntantogian received his B.Sc. degree in Computer Science and Telecommunications in 2004 and his M.Sc. degree in Computer Systems Technology in 2006, both from the Department of Informatics and Telecommunications, University of Athens. In 2009, he received his PhD from the University of Athens (Department of Informatics and Telecommunications). Currently, he is a research associate at the Department of Digital Systems of the University of Piraeus. His research interests are software security, digital forensics, and data analytics.
  • Anastasios Stasinopoulos - Department of Digital Systems, University of Piraeus
    Anastasios Stasinopoulos was born in Athens, Greece. He earned his Bachelor of Science (B.Sc.) degree in Surveying & Geoinformatics Engineering from the Technological Institution of Athens (2012) and his Master of Science (M.Sc.) degree in Security of Digital Systems from the Department of Digital Systems of the University of Piraeus (2014). Currently, Anastasios is a PhD candidate at the same department (Department of Digital Systems) under the supervision of Dr. Christos Xenakis. He is a member of the Systems Security Laboratory, and his research interests are focused on vulnerability assessment, exploit development, penetration testing, web application security, and web application source code auditing. In recent years, he has worked as a freelance security researcher and as a penetration tester.