Cybersecurity
Command injection in Java: 80% proven that it is 100% impossible (sometimes)
I was reading Alex Smolen’s blog the other day and ran across the post “Command Injection Impossible in Java and .NET?” Interesting stuff! In an effort to avoid doing work I should actually be doing, I decided to look into it a bit more.

So I put together a tiny little program to try a bunch of different permutations and test this out. This is by no means exhaustive fuzzing, but I did run a number of command lines through Java that should have resulted in multiple commands being executed (cut and paste them from the Java System.out output). I zipped up the code and binaries and uploaded it here: http://www.dancornell.com/files/JavaCommandInjection_v1_1.zip

Update: The zip file is no longer accessible, but you can still see the implications of the JVM using safe "execve" calls here: https://man7.org/linux/man-pages/man2/execve.2.html It shows that the Java String sent to Runtime.getRuntime().exec(command) gets split on ' '. The first resulting String is the executable that gets run, and the remaining Strings in the array are passed along as the arguments, so even if they contain control characters or other commands, those are just sent to the executable as the argv parameters.

```
./intended ; ./exploit
./intended : ./exploit
./intended","./exploit
./intended && ./exploit
./intended & ./exploit
./intended ! ./exploit
./intended >> ./exploit
./intended << ./exploit
./intended > ./exploit
./intended < ./exploit
./intended :: ./exploit
./intended ;; ./exploit
./intended ;: ./exploit
./intended :; ./exploit
./intended","","./exploit
```
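
The argv behaviour described in the update, and the case behind the "(sometimes)" in the title, as an added example (not the code from the original zip file). It assumes a POSIX system with `echo` on the PATH and `/bin/sh` present; the class name, helper names and the sample command string are constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class ExecArgvDemo {
    // Mirrors how Runtime.exec(String) builds argv: a StringTokenizer with its
    // default whitespace delimiters. No quoting or shell metacharacter handling.
    static List<String> tokenize(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Starts exactly one process from an argv array and returns its output.
    static String run(String... argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, shaped like the "./intended ; ./exploit" lines.
        String command = "echo intended ; echo exploit";

        List<String> argv = tokenize(command);
        System.out.println("argv as exec() sees it: " + argv);

        // Direct exec: ";" is handed to echo as an ordinary argument,
        // so only the first program ever starts.
        System.out.print("direct exec -> " + run(argv.toArray(new String[0])));

        // Caveat: if the application itself launches a shell, the shell parses
        // the string and the separator regains its meaning.
        System.out.print("via sh -c   -> " + run("/bin/sh", "-c", command));
    }
}
```

When reviewing code, the pattern to flag is the second call: any `exec` or `ProcessBuilder` invocation whose argv starts with a shell (`sh -c`, `cmd /c`) and carries untrusted input.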