CAPEC-15 Detail

CAPEC-15

Name

Command Delimiters

Likihood attacks

High

Typical Severity

High

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2021-06-24
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

Informations CAPEC

Execution Flow

1) Explore

[Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

Technique

Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
Port mapping by exploring the operating system (netstat, sockstat, etc.)
TCP/IP Fingerprinting
Induce errors to find informative error messages

2) Explore

[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user

Technique

Spidering web sites for all available links
Inventory all application inputs

3) Experiment

[Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

Technique

Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
Enter command delimiters directly in input fields.

4) Exploit

[Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

Prerequisites

Software's input validation or filtering must not detect and block presence of additional malicious command.

Skills Required

The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Mitigations

Design: Perform allowlist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.

Related Weaknesses

CWE-ID	Weakness Name
CWE-146	Improper Neutralization of Expression/Command Delimiters The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection') The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-184	Incomplete List of Disallowed Inputs The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-185	Incorrect Regular Expression The product specifies a regular expression in a way that causes data to be improperly matched or compared.
CWE-93	Improper Neutralization of CRLF Sequences ('CRLF Injection') The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-140	Improper Neutralization of Delimiters The product does not neutralize or incorrectly neutralizes delimiters.
CWE-157	Failure to Sanitize Paired Delimiters The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
CWE-138	Improper Neutralization of Special Elements The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
CWE-154	Improper Neutralization of Variable Name Delimiters The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.
CWE-697	Incorrect Comparison The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2019-09-30 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Description, Mitigations
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Weaknesses