COMMIX: DETECTING AND EXPLOITING COMMAND INJECTION FLAWS presented at BlackHatEU 2015

by Anastasios Stasinopoulos, Christoforos Ntantogian, Christos Xenakis,

Summary : Command injections are prevalent to any application independently of its operating system that hosts the application or the programming language that the application itself is developed. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly depicts the threats of this type of code injection was the recently discovered Shellshock bug. Despite the prevalence and the high impact of the command injection attacks, little attention has been given by the research community to this type of code injection. In particular, we have observed that although there are many software tools to detect and exploit other types of code injections such as SQL injections or Cross Site Scripting, to the best of our knowledge there is no dedicated and specialized software application that detects and exploits automatically command injection attacks. This talk attempts to fill this gap by proposing an open source tool that automates the process of detecting and exploiting command injection flaws on web applications, named as commix, (COMMand Injection eXploitation). This tool supports a plethora of functionalities, in order to cover several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks. Finally, during the evaluation of the tool, we have detected several 0-day vulnerabilities in applications.
Overall, the contributions of this work are: a) We provide a comprehensive analysis and categorization of command injection attacks; b) We present and analyze our open source tool that automates the process of detecting and exploiting command injection vulnerabilities; c) We will reveal (during our presentation) several 0-day command injection vulnerabilities that Commix detected on various web based applications from home services (embedded devices) to web servers.