Security Bsides Las Vegas 2024

A Quick Story Of Security Pitfalls With Exec Commands In Software Integrations
2024-08-06, Firenze

When building software integrations, developers face important decisions that are influenced by time, budget, and the technologies they know, and sometimes these decisions can lead to security vulnerabilities. This talk will look into the reasons developers might choose to run other programs directly from their code, rather than using libraries, SDKs or external APIs, and the security risks this choice can bring.

We will explore command injection attacks, a well-known security issue that remains a major threat. These attacks happen when our code directly runs other programs, leading to potential security breaches. Our discussion will cover the basic principles of how programs interact with each other and the tools we can use to understand these interactions.

By examining a real case of a command injection vulnerability I found (CVE-2023-39059) in a popular open-source project, we will learn the methods, tools and techniques for finding and exploiting such vulnerabilities.

Finally, we will talk about ways to detect and prevent these kinds of attacks. We’ll discuss how to spot these vulnerabilities and the steps we can take to protect our software.
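As an added example (not from the talk and not the speaker's own code), the exec-command pitfall the abstract refers to, shown as a vulnerable shell-string call beside its argv-list replacement, plus a small review-time check for shell operators. It assumes a POSIX /bin/sh and uses `echo` as a harmless stand-in for the external program being integrated.

```python
"""Vulnerable shell-string exec vs. argv-list exec, and a detection aid."""
import re
import shlex
import subprocess

# Allowlist for a file-name-like argument; anything else is rejected up front.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]+")
SHELL_OPERATORS = {";", "|", "&", "||", "&&", "(", ")", "<", ">", ">>"}


def run_unsafe(user_value: str) -> str:
    """Vulnerable pattern: user input is concatenated into one command line
    and handed to the shell. The shell parses the whole string, so a ';' or
    '|' inside user_value starts a second command."""
    cmd = "echo " + user_value
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(user_value: str) -> str:
    """Hardened pattern: no shell at all. The argv list goes straight to
    execve, so user_value arrives as exactly one argument whatever it holds."""
    return subprocess.run(["echo", user_value], capture_output=True, text=True).stdout


def run_hardened(user_value: str) -> str:
    """Defence in depth: allowlist-validate the value, then use argv."""
    if not SAFE_ARG.fullmatch(user_value):
        raise ValueError(f"rejected argument: {user_value!r}")
    return run_argv(user_value)


def shell_would_split(user_value: str) -> bool:
    """Review/detection aid: would /bin/sh see control operators or command
    substitution in this value? Tokenises with shlex's punctuation mode."""
    if "`" in user_value or "$(" in user_value:
        return True
    lexer = shlex.shlex(user_value, punctuation_chars=True)
    return any(tok in SHELL_OPERATORS for tok in lexer)


if __name__ == "__main__":
    hostile = "report.txt; echo INJECTED"  # constructed sample input
    print("shell string:", repr(run_unsafe(hostile)))  # two lines: second command ran
    print("argv list:   ", repr(run_argv(hostile)))    # one line: literal argument
    print("flagged:", shell_would_split(hostile))
```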


Lenin Alevski is a Full Stack Engineer and generalist with a lot of passion for Information Security. Lenin specializes in building and maintaining Distributed Systems, Application Security and Cloud Security in general. Lenin loves playing CTFs, contributing to open source and writing about security and privacy on his personal blog.

https://www.alevsk.com