
Security Best Practice: Preventing Command Injection Attacks Using Web Intelligence Command Injection Protection

Attack ID: CPSA-2004-07
Publish Date:
Last Update:
Category: Security Best Practices
Vulnerable Systems: Web applications
Source: SmartDefense Research Center
Description:

Check Point Web Intelligence, included with VPN-1 NG with Application Intelligence R55W and Connectra, provides protection against Command Injection attacks. The protection looks for system commands in form input and in URLs. Command injection attacks allow a remote attacker to insert operating system commands disguised as a URL or as form input to a Web server. A successful system command execution can provide a remote attacker with elevated privileges to access a Web server, which may result in defacement of the Web site, data theft, or may even lead to execution of arbitrary code.

Severity:
Details:

Web Intelligence looks for the presence of system commands in Web forms and URLs sent to a protected server. The protection looks for several categories of commands:

  • Distinct system commands: Strings that are unique to system commands, not likely to appear in common language, and often used in command injection, e.g., "chown", "cscript", "regsvr32", etc.
  • Non-distinct system commands: Strings that may appear in common language, e.g., "expand", "print", "convert", etc.
  • Special system characters, e.g., ";", "[", "]", "<", ">", "&".
Attack Detection:

Users of VPN-1 NG with Application Intelligence R55W and Connectra with a Web Intelligence license who have applied the solution outlined below can identify this attack in SmartView Tracker by the following logging entries:

Attack Name: Command Injection
Information: reason: WSE0050001 command injection detected in URL: 'ipconfig'

Attack Name: Command Injection
Information: reason: WSE0050002 command injection detected in request: 'gcc'

Solution:

To activate the protection (R55W, R60):

1. On the Web Intelligence navigation tree, select Application Layer > Command Injection. The Command Injection window appears.

2. Set the Protection Scope and apply a security level. If you selected Apply to selected web servers, click the Apply button to apply the same level of protection to every selected Web server.

Three Security Levels are suggested (Protection Level: What the Protection Means):

Low (default): Rejects forms that contain special Shell characters and distinct Shell commands in the HTTP Request body and in the Path and Query sections of the URL.

Medium: Same as Low, plus it rejects non-distinct shell commands in the HTTP Request body and in the Path and Query sections of the URL.

High: Same as Low and Medium, plus it rejects all these commands in form variable names.
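To make the command categories and the three security levels concrete, here is a small Python model of the inspection described above; it is an added illustration, not Check Point's code, and the command lists are only the examples the advisory gives. Treating the High level's variable-name check as covering query fields as well as body fields is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Illustrative word lists from the advisory's examples; the real signature lists are not on the page.
DISTINCT_COMMANDS = {"chown", "cscript", "regsvr32", "ipconfig", "gcc"}
NON_DISTINCT_COMMANDS = {"expand", "print", "convert"}
SPECIAL_CHARS = ";[]<>&"
LEVELS = {"low": 0, "medium": 1, "high": 2}


def _matches(text, level):
    """Special characters and distinct commands at every level; non-distinct ones from Medium up."""
    words = set(re.findall(r"[a-z0-9_]+", text.lower()))
    hits = [c for c in SPECIAL_CHARS if c in text]
    hits += sorted(words & DISTINCT_COMMANDS)
    if LEVELS[level] >= LEVELS["medium"]:
        hits += sorted(words & NON_DISTINCT_COMMANDS)
    return hits


def inspect_request(url, body, level="low"):
    """Return [(location, match), ...] the chosen level would reject.
    Low/Medium scan the decoded URL path plus query and body form values;
    High also scans variable names (assumed to cover query and body alike)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)  # decodes %XX and '+'
    form = parse_qsl(body, keep_blank_values=True)
    scan = [("url-path", unquote(parts.path))]
    scan += [("url-query", v) for _, v in query] + [("body", v) for _, v in form]
    if LEVELS[level] >= LEVELS["high"]:
        scan += [("query-name", n) for n, _ in query] + [("body-name", n) for n, _ in form]
    return [(loc, hit) for loc, text in scan for hit in _matches(text, level)]


def log_reason(findings):
    """Phrase the first finding the way the SmartView Tracker entries above read."""
    if not findings:
        return "accepted"
    loc, hit = findings[0]
    return f"command injection detected in {'URL' if loc.startswith('url') else 'request'}: '{hit}'"


if __name__ == "__main__":
    # Constructed sample: the host value chains a second command; "print" appears as a word and a field name.
    url = "/cgi-bin/ping.cgi?host=10.0.0.1%3Bipconfig"
    body = "comment=please+print+this&print=1"
    for lvl in ("low", "medium", "high"):
        found = inspect_request(url, body, level=lvl)
        print(f"{lvl:6} {log_reason(found)}  {found}")
```

Note that the same request is rejected at every level, but only Medium and High flag the harmless word "print" in the body, which is the false-positive trade-off the non-distinct command list carries.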


To activate the protection (Connectra):

1. On the navigation tree, click Security > Web Intelligence.

2. The Web Intelligence page appears with the Application Layer Protection pane.

3. In the Application Layer Protection pane, enable Command Injection. Select a Security Level from the Security Level drop-down box.

Industry Reference:
Additional Information: Secunia ID 11124, Secunia ID 13190, CPAI-2004-69