ISSessions CTF 2021 Trend - No Command Only Ping
Detecting command injection in a Java Tomcat application that uses exec() for ping, and writing Snort rules to catch it.
TrendMicro - No Command Only Ping
Pinging hosts by calling exec? That’s a great idea!
Going into this, I had a feeling that it was going to be a command injection. Turns out yet again more accurate labeling by John/Thracky.
Solution
The application was a Tomcat/Java EE WAR package. A WAR is just a zip archive, so you can extract it with any unzip tool.
Once extracted, the compiled code lives under WEB-INF/classes (or inside jars under WEB-INF/lib); find the relevant .class file and toss it into a decompiler.
Here, you can find the vulnerability pretty clearly:
// host is taken from the request; "/bin/sh -c" re-parses the whole string,
// so any shell metacharacters in host are interpreted before ping runs
String[] cmd = { "/bin/sh", "-c", "ping -c 4 " + host };
Process process = Runtime.getRuntime().exec(cmd);
Well, that's a pretty cut-and-dried command injection: host is concatenated into a string that is handed to /bin/sh -c, so the shell interprets any metacharacters it contains (; | & $( ) and backticks) before ping ever runs. Passing ping and its arguments as separate array elements, without the shell, would have avoided the problem, but the goal here is to detect the attack on the wire.
Let's first list what we know about sh command lines specifically, and how IP addresses and hostnames are supposed to be formatted:
- You can chain commands in a variety of ways using special characters (; | & $( ) and backticks among them).
- IPv4 addresses use . as a delimiter and IPv6 addresses use :, and IPv6 can use both (IPv4-mapped addresses end in a dotted quad).
- Hostnames can use periods, A-Z/a-z, 0-9, and hyphens.
Incorporating all of these, we can create a regex that fires on anything outside that alphabet: [A-z0-9.]+[^A-z-.=: \d][\\\^]?/i
The leading [A-z0-9.]+ consumes well-formed values such as:
- subdomain.domain.tld
- 1.1.1.1
- fe80::0
- domain.tld
The pattern as a whole only matches once the value is followed by a character other than a letter, digit, or one of - . = : (space). Those are the only delimiters an IPv4/IPv6 address or hostname (plus the host= form field itself) needs, so any other character can be treated as an injection attempt.
One caveat: in PCRE the range A-z is a code-point range (0x41 to 0x7A), not "letters of either case", so it also covers [ \ ] ^ _ and the backtick. Because the backtick lands inside the allowed class, a payload such as host=1.1.1.1`id` never reaches the negated class and the rule stays silent; writing the class as [A-Za-z0-9.] (the /i flag already takes care of case) closes that gap.
I highly recommend using regexr.com for writing regex. Immensely useful.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"pingpong vulnerability"; flow:to_server; content:"POST"; http_method; content:"/pingpong/Ping"; http_uri; content:"host="; pcre:"/host=[A-z0-9.]+[^A-z-.=: \d][\\\^]?/i"; classtype:web-application-attack; sid:1234560002;)
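To check how the rule's pcre behaves before deploying it, here is an added example (not part of the original writeup) that transcribes the pattern from the rule above into Python's re module, which treats this pattern the same way PCRE does, and runs it over a handful of constructed POST bodies alongside a variant with the A-z range replaced by A-Za-z. The bodies are made up for the test, not captured traffic; the Snort rule's host= field name and /pingpong/Ping endpoint are taken from the rule.

```python
import re

# PCRE from the Snort rule, transcribed verbatim (the /i flag becomes re.I).
# The trailing [\\^]? is the rule's optional backslash-or-caret.
ORIGINAL = re.compile(r"host=[A-z0-9.]+[^A-z\-.=: \d][\\^]?", re.I)

# Same structure with the range bug removed: [A-Za-z] instead of the code-point
# range A-z, which also spans [ \ ] ^ _ and the backtick (0x5B to 0x60). The
# trailing [\\^]? is dropped because it never changes whether the pattern matches.
FIXED = re.compile(r"host=[A-Za-z0-9.]+[^A-Za-z\-.=: \d]", re.I)


def fires(pattern, body):
    """True if the rule's pcre would match this request body."""
    return pattern.search(body) is not None


def classify(body):
    """Return (original_fires, fixed_fires) for one request body."""
    return fires(ORIGINAL, body), fires(FIXED, body)


# Constructed sample bodies (assumption: the form posts a single host= field
# to /pingpong/Ping). Values are (expected_original, expected_fixed).
SAMPLES = {
    # Legitimate values: neither pattern should fire.
    "host=1.1.1.1": (False, False),
    "host=subdomain.domain.tld": (False, False),
    "host=fe80::0": (False, False),
    "host=::ffff:1.1.1.1": (False, False),
    # Classic injections: both patterns fire on the first metacharacter.
    "host=1.1.1.1;id": (True, True),
    "host=1.1.1.1|id": (True, True),
    "host=1.1.1.1$(id)": (True, True),
    "host=1.1.1.1%3Bid": (True, True),   # URL-encoded ';': the '%' itself fires
    # Backtick substitution slips past the original because ` sits inside A-z.
    "host=1.1.1.1`id`": (False, True),
    # '&' is outside the allowed set, so a second form field would also fire
    # (a false positive to keep in mind if the form ever carries more fields).
    "host=1.1.1.1&submit=Ping": (True, True),
}


def check_samples():
    """Compare each body against its expected verdicts.
    Returns the bodies whose actual result differs (empty when all hold)."""
    return [body for body, expected in SAMPLES.items() if classify(body) != expected]


if __name__ == "__main__":
    for body, expected in SAMPLES.items():
        orig, fixed = classify(body)
        print(f"{body!r:32} original={orig!s:5} fixed={fixed!s:5}")
    print("mismatches:", check_samples())
```

Run it as a script to see every sample with both verdicts side by side. The backtick row is the one that matters: the original pcre stays silent on it, the A-Za-z version alerts. The last row shows the trade-off in the other direction: because & is outside the allowed delimiters, the rule will also alert on a benign multi-field body, so if the target form has fields after host= you either add & to the excluded set (and accept that host=1.1.1.1&&id then evades) or write a second content match for the field that follows.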