
OS Command Injection in COBOL

Play COBOL Labs on this vulnerability with SecureFlag!

Vulnerable example

The COBOL run-time system provides the subroutine “SYSTEM” to invoke external system commands.

Using untrusted input as part of the shell command may introduce a Command Injection vulnerability.

      * Untrusted input is concatenated straight into the shell command
       STRING '/bin/echo ' DELIMITED BY SIZE
              USER-PROVIDED-INPUT DELIMITED BY SIZE INTO CMDLINE
       CALL 'SYSTEM' USING CMDLINE

Prevention

Make sure to check or sanitize the user input accordingly before using it to build a system command.
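The following program is an added example of that check, not code from SecureFlag or from the page. It reuses the page's data names (USER-PROVIDED-INPUT, CMDLINE) and assumes a GnuCOBOL environment where the SYSTEM routine is available and RETURN-CODE carries its exit status; the program name SAFE-ECHO and the other WS- names are hypothetical. Instead of trying to escape shell metacharacters, it uses a COBOL class condition (CLASS ... IN SPECIAL-NAMES) as an allow-list and refuses to call SYSTEM at all unless every character of the input belongs to it.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SAFE-ECHO.
      * Added example (not SecureFlag's code): allow-list validation of
      * user input before it is placed in a command passed to SYSTEM.
       ENVIRONMENT DIVISION.
       CONFIGURATION SECTION.
       SPECIAL-NAMES.
      * Only letters, digits, hyphen and underscore are accepted.
      * Shell metacharacters (; | & $ ` " ' < > ( ) and spaces) are
      * therefore rejected rather than escaped.
           CLASS SAFE-CHARS IS 'a' THRU 'z', 'A' THRU 'Z',
                                 '0' THRU '9', '-', '_'.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01 USER-PROVIDED-INPUT   PIC X(64).
       01 CMDLINE               PIC X(128).
       01 WS-LEN                PIC 9(3) VALUE 0.
       01 WS-INPUT-OK           PIC X VALUE 'N'.
          88 INPUT-IS-SAFE      VALUE 'Y'.
       PROCEDURE DIVISION.
       MAIN-PARA.
           ACCEPT USER-PROVIDED-INPUT
           PERFORM VALIDATE-INPUT
           IF INPUT-IS-SAFE
               PERFORM RUN-COMMAND
           ELSE
               DISPLAY 'Rejected: input contains characters '
                       'outside the allow-list'
           END-IF
           STOP RUN.

       VALIDATE-INPUT.
           MOVE 'N' TO WS-INPUT-OK
      * Reject empty input up front; a zero-length reference
      * modification below would be an error.
           IF USER-PROVIDED-INPUT = SPACES
               EXIT PARAGRAPH
           END-IF
           MOVE FUNCTION LENGTH(
                FUNCTION TRIM(USER-PROVIDED-INPUT TRAILING))
             TO WS-LEN
      * Class condition: every byte up to the last non-space character
      * must belong to SAFE-CHARS. Embedded spaces fail the test too.
           IF USER-PROVIDED-INPUT(1:WS-LEN) IS SAFE-CHARS
               MOVE 'Y' TO WS-INPUT-OK
           END-IF.

       RUN-COMMAND.
      * Rebuild CMDLINE from scratch; STRING does not clear its target.
           MOVE SPACES TO CMDLINE
           STRING '/bin/echo ' DELIMITED BY SIZE
                  USER-PROVIDED-INPUT(1:WS-LEN) DELIMITED BY SIZE
                  INTO CMDLINE
           CALL 'SYSTEM' USING CMDLINE
           IF RETURN-CODE NOT = 0
               DISPLAY 'SYSTEM returned ' RETURN-CODE
           END-IF.
```

Compile and run with `cobc -x safe-echo.cob && ./safe-echo`, then type an argument; `hello-world_1` is echoed, while anything containing `;`, `|`, `$(`, quotes or spaces is rejected before a shell is ever started. An allow-list of the characters the application genuinely needs is the check to prefer: a block-list of known metacharacters is easy to get wrong across shells, and the validation should be applied to every field that ends up in CMDLINE, not only the first.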

Reference

MITRE - CWE-78: Improper Neutralization of Special Elements used in an OS Command

OWASP - Command Injection