Injection (INJ) Examples
CVE-2007-3572 (Yoggie Pico)
BF Taxonomy
Cause:
Input not checked properly (incomplete blacklist)
Attributes:
Special Element: Shell Metacharacters (backticks `)
Entry Point: Function Parameter ("param")
Invalid Construct: Command (command within a Ping command)
Consequence:
Add command, leading to arbitrary code execution and potentially complete host takeover (by adding a Ping command to change the root password)
BF Description
"Input not checked properly (incomplete blacklist) allows shell metacharacters (backticks `) through a function parameter ("param") in a CGI script and assembly of a string that is parsed into an invalid command construct (command within a Ping command), which may be exploited to add command, leading to arbitrary code execution and potentially complete host takeover (by adding a Ping command to change the root password)." [2]
This is a shell command injection.
CVE Description
"Incomplete blacklist vulnerability in cgi-bin/runDiagnostics.cgi in the web interface on the Yoggie Pico and Pico Pro allows remote attackers to execute arbitrary commands via shell metacharacters in the param parameter, as demonstrated by URL encoded "`" (backtick) characters (%60 sequences)." [1]
Analysis
The following analysis is based on information in [1,3,4]. Injecting backticks that are not sanitized enables adding a shell command in a CGI script. Complete host takeover is possible because a backtick-enclosed command can modify the file /etc/shadow to include an arbitrary password selected by the attacker, who can then use that password to log in as root. The Ping command was not expected to include a "command within a (Ping) command", but the backticks (special elements) produce that unexpected structure.
Source Code
Code With Bug | Code With Fix
Source Code Not Available | Source Code Not Available
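Since the product source is not available, the following is a constructed Python illustration of this bug class, not code from the Yoggie Pico CGI script: a hypothetical incomplete blacklist that forgets the backtick, the string assembly that turns the leftover backtick into a command within the Ping command, and the allowlist-plus-argv fix. The blacklist contents, the function names and the sample inputs are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed illustration of the CVE-2007-3572 bug class; not code from the
# Yoggie Pico CGI script, whose source is not available.

# Hypothetical incomplete blacklist: it rejects several shell metacharacters
# but forgets the backtick that the CVE description names.
INCOMPLETE_BLACKLIST = set(";|&$<>\n")


def blacklist_allows(param: str) -> bool:
    """Vulnerable check: True when no blacklisted character is present.
    The CGI layer has already URL-decoded the parameter, so %60 is a backtick here."""
    return not any(c in INCOMPLETE_BLACKLIST for c in param)


def build_ping_shell_line(param: str) -> Optional[str]:
    """Vulnerable assembly: the parameter is spliced into one shell string.
    If that string is handed to a shell, anything the blacklist missed (here a
    backtick group) is parsed as command structure: a command within the Ping command."""
    if not blacklist_allows(param):
        return None
    return f"ping -c 1 {param}"


# Fixed check uses an allowlist: an IP literal or a syntactically valid hostname.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(param: str) -> Optional[str]:
    """Accept only what a ping target can legitimately be; a backtick never matches."""
    try:
        return str(ipaddress.ip_address(param))
    except ValueError:
        pass
    return param if HOSTNAME_RE.fullmatch(param) else None


def build_ping_argv(param: str) -> Optional[List[str]]:
    """Fixed assembly: the validated host becomes one argv element for
    subprocess.run(argv) with shell=False, so no shell ever parses it."""
    host = validate_host(param)
    if host is None:
        return None
    return ["ping", "-c", "1", host]
```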
CVE-2008-5817
BF Taxonomy
Cause:
Input not checked properly or input not sanitized properly
Attributes:
Special Element: Query Elements (single quote ', the word or, and equality sign =)
Entry Point: Data Entry Fields ("username" & "password")
Invalid Construct: Database Query
Consequence:
Authentication loss, admin server access, and arbitrary code execution
BF Description
"Input not checked properly or input not sanitized properly allows query elements (single quote ', the word or, and equality sign =) through data entry fields ("username" & "password") in a PHP script and assembly of a string that is parsed into an invalid database query construct, which may be exploited to mask legitimate SQL commands, leading to authentication loss, admin server access, and arbitrary code execution." [2]
CVE Description
"Multiple SQL injection vulnerabilities in index.php in Web Scribble Solutions webClassifieds 2005 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) password fields in a sign_in action." [5]
Analysis
The following analysis is based on information in [5,6,7]. According to [7], the string ' or ' 1=1 is used to mask the password check and log in as admin. [8] includes an explanation of this type of SQL injection.
Source Code
Code With Bug | Code With Fix
Source Code Not Available | Source Code Not Available
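Since the webClassifieds source is not available, the following is a constructed Python illustration of the bug class, not the product's PHP code: a sign-in check that splices the username and password fields into the query text, beside the parameterized fix. The in-memory SQLite table, its rows and the `' or '1'='1` variant of the masking string the analysis cites are assumptions.

```python
import sqlite3
from typing import Optional

# Constructed illustration of the CVE-2008-5817 bug class; not webClassifieds code.


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are stored in clear text only
    to keep the example short; real code stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', 'admin')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'user')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bug: the data entry fields are spliced into the query text, so a quote,
    the word or, and an equals sign in the input become query elements. With the
    password field set to ' or '1'='1 the WHERE clause reads
    username='admin' AND password='' or '1'='1', which is true for every row,
    and the password check is masked."""
    sql = f"SELECT role FROM users WHERE username='{username}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fixed_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Fix: a parameterized query. The driver binds the values as data, so the
    same input is compared literally against the stored password and fails."""
    sql = "SELECT role FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```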
CVE-2008-5734
BF Taxonomy
Causes:
Input not checked properly (incomplete blacklist) or input not sanitized properly
Attributes:
Special Element: Scripting Elements ('<','</','>')
Entry Point: Markup Tag (<IMG>) Argument (SRC)
Invalid Construct: Markup (IMG element with <script> ... </script> in it)
Consequence:
Add commands or credentials compromise for cookie-based authentication, leading to arbitrary code execution
BF Description
"Input not checked properly (incomplete blacklist) or input not sanitized properly allows HTML scripting elements ('<','</','>') through a markup tag (<IMG>) argument (SRC) of a generated HTML email and assembly of a string that is parsed into an invalid markup construct (IMG element with <script> ... </script> in it), which may be exploited to add commands or credentials compromise for cookie-based authentication, leading to arbitrary code execution." [2]
This is XSS web script or HTML injection.
CVE Description
"Cross-site scripting (XSS) vulnerability in WebMail Pro in IceWarp Software Merak Mail Server 9.3.2 allows remote attackers to inject arbitrary web script or HTML via an IMG element in an HTML e-mail message." [9]
Analysis
The following analysis is based on information in [9,10,11]. According to [10], one of the several consequences is unauthorized access to cookie-based authentication credentials.
Source Code
Code With Bug | Code With Fix
Source Code Not Available | Source Code Not Available
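Since the WebMail Pro source is not available, the following is a constructed Python illustration of the bug class, not IceWarp's code: an incomplete blacklist that strips one spelling of <script> from the IMG SRC value before splicing it into the generated markup, beside a fix that allowlists the URL scheme and escapes the value as an attribute. The blacklist, the allowed schemes, the detection helper and the sample SRC values are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed illustration of the CVE-2008-5734 bug class; not IceWarp code.

# Hypothetical allowlist of schemes a mail client may load an image from.
ALLOWED_SCHEMES = {"http", "https", "cid"}


def render_img_blacklist(src: str) -> str:
    """Vulnerable: the incomplete blacklist removes only the exact lowercase
    <script> tags, then splices the raw value into the IMG element. A value that
    closes the attribute and the tag ('">') followed by any other spelling of the
    scripting elements yields an IMG element with <script>...</script> in it."""
    cleaned = src.replace("<script>", "").replace("</script>", "")
    return f'<img src="{cleaned}">'


def render_img_fixed(src: str) -> Optional[str]:
    """Fixed: reject any value whose scheme is not allowlisted, then escape the
    value as an attribute so <, >, and quotes cannot end the attribute or the tag."""
    scheme = urlsplit(src).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return f'<img src="{html.escape(src, quote=True)}">'


def contains_script_element(markup: str) -> bool:
    """Detection helper for the generated markup: is there a script start tag
    in any letter case? Useful as an output check on generated HTML mail."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None
```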
References
[1] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2007-3572.
[2] Irena Bojanova, Paul E. Black, Yaacov Yesha, and Yan Wu, The Bugs Framework (BF): A Structured Approach
to Express Bugs, QRS 2016, Vienna, Austria.
[5] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2008-5817.
[9] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2008-5734.