This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.
CWE-78 Base Stable
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary…
Définition
What is CWE-78?
OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system.
This vulnerability is particularly dangerous in web applications or privileged software. In a web context, an attacker can exploit it without direct system access. If the vulnerable process runs with high privileges, the attacker can execute commands with those same elevated permissions, bypassing normal security controls and significantly increasing potential damage.
There are two primary scenarios. First, an application executes a fixed command but unsafely incorporates user input as an argument. An attacker can inject command separators (like ; or &) to chain malicious commands. Second, and more severe, the application directly uses user input to select and execute the entire command. This often happens when developer controls are bypassed, granting the attacker full control over what command is run.
Impact réel
Real-world CVEs caused by CWE-78
-
Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function
-
OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV.
-
Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV.
-
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
-
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
-
Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
-
Web server allows command execution using "|" (pipe) character.
-
FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
- 2
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
- 3
Which would result in $command being:
- 4
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
- 5
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
Exemple de code vulnérable
Vulnerable PHP
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
system($command); Charge utile de l'attaquant
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
;rm -rf / Exemple de code sécurisé
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-78
- Architecture and Design If at all possible, use library calls rather than external processes to recreate the desired functionality.
- Architecture and Design / Operation Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
- Architecture and Design For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
- Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Implementation While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
- Implementation If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
- Architecture and Design If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Signaux de détection
How to detect CWE-78
This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer
Plexicus détecte automatiquement CWE-78 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-78 ?
Quelle est la gravité de CWE-78 ?
Quels langages ou plateformes sont affectés par CWE-78 ?
Comment puis-je prévenir CWE-78 ?
Comment Plexicus détecte et corrige CWE-78 ?
Où puis-je en savoir plus sur CWE-78 ?
Frequently asked questions
Qu'est-ce que CWE-78 ?
OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system.
Quelle est la gravité de CWE-78 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-78 ?
MITRE lists the following affected platforms: AI/ML.
Comment puis-je prévenir CWE-78 ?
If at all possible, use library calls rather than external processes to recreate the desired functionality. Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some…
Comment Plexicus détecte et corrige CWE-78 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-78 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-78 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/78.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-78
CWE-77 Parent
Improper Neutralization of Special Elements used in a Command ('Command Injection')
This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An…
CWE-1427 Frère
Improper Neutralization of Input Used for LLM Prompting
This vulnerability occurs when an application builds prompts for a Large Language Model (LLM) using external data, but does so in a way…
CWE-624 Frère
Executable Regular Expression Error
This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains…
CWE-88 Frère
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate…
CWE-917 Frère
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common…
Ressources
Further reading
- MITRE — CWE-78 officiel https://cwe.mitre.org/data/definitions/78.html
- Exploiting Software: How to Break Code https://www.amazon.com/Exploiting-Software-How-Break-Code/dp/0201786958
- Meta-Character Vulnerabilities https://web.archive.org/web/20100714032622/https://www.cs.purdue.edu/homes/cs390s/slides/week09.pdf
- OS Commanding http://projects.webappsec.org/w/page/13246950/OS%20Commanding
- The World Wide Web Security FAQ https://www.w3.org/Security/Faq/wwwsf4.html
- Security Issues in Perl Scripts https://www.cgisecurity.com/lib/sips.html
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.