CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE version: 4.18
Updated: 2025-09-09
Weakness Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Common Consequences
Scope: Confidentiality; Integrity; Availability; Non-Repudiation
Technical Impact: Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Read Files or Directories; Modify Files or Directories; Read Application Data; Modify Application Data; Hide Activities
Note: Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.
Potential Mitigations
Phase: Architecture and Design
Description: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Phase: Architecture and Design; Operation
Strategy: Sandbox or Jail
Effectiveness: Limited
Phase: Architecture and Design
Strategy: Attack Surface Reduction
Description: For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
Phase: Architecture and Design
Description: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Phase: Implementation
Strategy: Output Encoding
Description: While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Phase: Implementation
Description: If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
Phase: Architecture and Design
Strategy: Parameterization
Phase: Implementation
Strategy: Input Validation
Phase: Architecture and Design
Strategy: Enforcement by Conversion
Description: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Phase: Operation
Strategy: Compilation or Build Hardening; Environment Hardening
Description: Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Phase: Implementation
Phase: Operation
Strategy: Sandbox or Jail
Description: Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.
Phase: Operation
Strategy: Firewall
Description: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate
Phase: Architecture and Design; Operation
Strategy: Environment Hardening
Description: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phase: Operation; Implementation
Strategy: Environment Hardening
Description: When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
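The following is an added example, not part of the CWE entry, that puts several of the mitigations above side by side in Python: the vulnerable pattern of concatenating external input into a shell command line (the "Popen" misuse the observed examples mention), Input Validation against a strict allowlist, Parameterization (an argument vector handed to the OS with no shell in between), Enforcement by Conversion (fixed numeric IDs mapped to file names), and Output Encoding for the case where a shell string truly cannot be avoided. All function names, the hostname pattern and the report table are the author's own assumptions, not anything defined by CWE.

```python
"""Added example for the CWE-78 mitigations; not taken from the CWE entry."""
import re
import shlex
import subprocess

# --- Vulnerable pattern: externally influenced input is concatenated into a
#     shell command line. Returned as a string (not executed) so the effect of
#     shell metacharacters can be inspected; passing this to Popen(shell=True)
#     lets ";" or "|" in `host` change the intended command.
def build_ping_command_vulnerable(host: str) -> str:
    return "ping -c 1 " + host

# --- Mitigation: Input Validation with a strict allowlist.
#     A hostname is letters, digits, "-" and "." only (assumed pattern);
#     nothing a shell interprets can pass.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

def is_valid_hostname(host: str) -> bool:
    return _HOSTNAME_RE.fullmatch(host) is not None

def validate_hostname(host: str) -> str:
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host

# --- Mitigation: Parameterization. The argument vector goes to the OS as
#     separate argv entries; no shell parses it, so metacharacters in the
#     host are just bytes in argv[3], and validation is still applied.
def build_ping_argv(host: str) -> list[str]:
    return ["ping", "-c", "1", validate_hostname(host)]

def run_argv(argv: list[str]) -> subprocess.CompletedProcess:
    # shell=False is the default; stated explicitly to make the intent visible.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)

# --- Mitigation: Enforcement by Conversion. The caller chooses a numeric ID;
#     the file name comes from a fixed table (constructed sample), never from
#     the request, and every other value is rejected.
_REPORTS = {1: "/var/reports/daily.txt", 2: "/var/reports/weekly.txt"}

def resolve_report_path(report_id) -> str:
    try:
        return _REPORTS[int(report_id)]
    except (KeyError, ValueError, TypeError):
        raise ValueError(f"unknown report id: {report_id!r}") from None

# --- Mitigation: Output Encoding, only when a shell string is unavoidable.
#     shlex.quote() wraps each argument so the shell treats it as one word;
#     argument injection (CWE-88) is still possible if the program itself
#     interprets a value starting with "-", so validate first as well.
def build_shell_string(argv: list[str]) -> str:
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    tainted = "example.com; id"  # constructed input containing a metacharacter
    print("vulnerable string :", build_ping_command_vulnerable(tainted))
    try:
        build_ping_argv(tainted)
    except ValueError as exc:
        print("validation        :", exc)
    print("safe argv         :", build_ping_argv("example.com"))
    print("quoted for a shell:", build_shell_string(["ping", "-c", "1", tainted]))
    print("report 2          :", resolve_report_path(2))
    print("echo via argv     :", run_argv(["echo", tainted]).stdout.strip())
```

Run it directly to see the four outcomes next to each other; the `echo` call at the end shows that, with an argument vector and no shell, the whole tainted string is delivered as one literal argument.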
Detection Methods
Method: Automated Static Analysis
Method: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Effectiveness: Moderate
Method: Manual Static Analysis
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
Effectiveness: High
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: High
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2024-52803
Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function.
Reference: CVE-2020-10987
OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV.
Reference: CVE-2020-10221
Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV.
Reference: CVE-2020-9054
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
Reference: CVE-1999-0067
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
Reference: CVE-2001-1246
Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
Reference: CVE-2002-0061
Web server allows command execution using "|" (pipe) character.
Reference: CVE-2003-0041
FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection.
Reference: CVE-2008-2575
Shell metacharacters in a filename in a ZIP archive.
Reference: CVE-2002-1898
Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link.
Reference: CVE-2008-4304
OS command injection through environment variable.
Reference: CVE-2008-4796
OS command injection through https:// URLs.
Reference: CVE-2007-3572
Chain: incomplete denylist for OS command injection.
Reference: CVE-2012-1988
Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | OS Command Injection | - |
| OWASP Top Ten 2007 | A3 | Malicious File Execution | CWE More Specific |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE More Specific |
| CERT C Secure Coding | ENV03-C | Sanitize the environment when invoking external programs | - |
| CERT C Secure Coding | ENV33-C | Do not call system() | CWE More Specific |
| CERT C Secure Coding | STR02-C | Sanitize data passed to complex subsystems | - |
| WASC | 31 | OS Commanding | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS07-J | Do not pass untrusted, unsanitized data to the Runtime.exec() method | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| OMG ASCSM | ASCSM-CWE-78 | - | - |
Key Information
CWE ID: CWE-78
Abstraction: Base
Structure: Simple
Status: Stable
Likelihood of Exploit: High