CAPEC-15: Command Delimiters
Attack Pattern ID: 15
Version: v3.9
Attack Pattern Name: Command Delimiters
Abstraction: Standard
Status: Draft
Likelihood of Attack: High
Typical Severity: High
▼Description
An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or denylist for input validation, as opposed to allowlist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
▼Extended Description
▼Alternate Terms
▼Relationships
Nature: ChildOf
Type: Meta
ID: 137
Name: Parameter Injection
Nature: ParentOf
Type: Detailed
ID: 460
Name: HTTP Parameter Pollution (HPP)
▼Execution Flow
Explore
1. Assess Target Runtime Environment

In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

Technique
Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
Port mapping by exploring the operating system (netstat, sockstat, etc.)
TCP/IP Fingerprinting
Induce errors to find informative error messages
2. Survey the Application

The attacker surveys the target application, possibly as a valid and authenticated user.

Technique
Spidering web sites for all available links
Inventory all application inputs
Experiment
1. Attempt delimiters in inputs

The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

Technique
Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
Enter command delimiters directly in input fields.
Exploit
1. Use malicious command delimiters

The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

Technique
▼Prerequisites
The software's input validation or filtering must not detect and block the presence of an additional malicious command.
▼Skills Required
Medium

The attacker has to identify an injection vector, identify the specific commands, and optionally collect the output, e.g. from an interactive session.

▼Resources Required
Ability to communicate synchronously or asynchronously with the server. Optionally, the ability to capture output directly through synchronous communication or another method such as FTP.
▼Indicators
▼Consequences
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Confidentiality
Likelihood: N/A
Impact: Read Data
Note: N/A
▼Mitigations
Design: Perform allowlist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so that if commands circumvent program input validation or filter routines, those commands do not run under a privileged account.
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.
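
The Design and Implementation mitigations above, as an added example that is not part of the CAPEC entry: a constructed denylist filter beside an allowlist check against a positive specification, here assumed to be a DNS hostname. The function names, the `ping` argument vector and the sample inputs are assumptions made for the illustration.

```python
import re

# Constructed denylist of the kind the Description warns about: it names a few
# delimiters and silently accepts every one its author did not think of.
DENYLIST = (";", "|", "&")

# Positive specification (assumed): a hostname of at most 253 characters whose
# dot-separated labels hold letters, digits and inner hyphens only.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def denylist_accepts(value: str) -> bool:
    """Weak check: reject only when a listed delimiter is present."""
    return not any(d in value for d in DENYLIST)

def allowlist_accepts(value: str) -> bool:
    """Strong check: accept only values that match the whole specification.

    fullmatch() is used on purpose; '$' with match() would tolerate a
    trailing newline, which is itself a command delimiter.
    """
    return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def build_argv(host: str) -> list[str]:
    """Return an argument vector; no shell ever parses the value."""
    if not allowlist_accepts(host):
        raise ValueError("host does not match the positive specification")
    # Hypothetical command. Pass this list to subprocess.run() without
    # shell=True so the value stays a single argument.
    return ["ping", "-c", "1", host]

def compare(samples):
    """Return (value, denylist verdict, allowlist verdict) per sample."""
    return [(s, denylist_accepts(s), allowlist_accepts(s)) for s in samples]

# Constructed inputs; EXTRA stands in for any appended command.
SAMPLES = [
    "host.example",
    "host.example;EXTRA",    # delimiter the denylist knows
    "host.example\nEXTRA",   # newline: not on the denylist
    "host.example$(EXTRA)",  # command substitution: not on the denylist
    "host.example`EXTRA`",   # backticks: not on the denylist
]

if __name__ == "__main__":
    for value, deny_ok, allow_ok in compare(SAMPLES):
        print(f"{value!r:28} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

Every sample the denylist passes but the allowlist rejects is a value that would have reached the command interpreter under the weaker check.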
▼Example Instances
▼Related Weaknesses
CWE-138: Improper Neutralization of Special Elements
CWE-140: Improper Neutralization of Delimiters
CWE-154: Improper Neutralization of Variable Name Delimiters
CWE-146: Improper Neutralization of Expression/Command Delimiters
CWE-157: Failure to Sanitize Paired Delimiters
CWE-184: Incomplete List of Disallowed Inputs
CWE-185: Incorrect Regular Expression
CWE-697: Incorrect Comparison
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
▼Taxonomy Mappings
▼Notes