Perl open() injection prevention

I read that the open() command with two arguments is vulnerable to injection, whereas the open() command with three arguments cannot be injected.

Say I have a directory where all my files have a common prefix, i.e. "file", so an example of a filename would be file-SomeSourceCode.txt

What would something like this look like?

open(FILEHANDLE, "some/random/dir/file-" . $fileextension)

where $fileextension can be any type of "filename" for each message. As far as I understand, it will not be vulnerable to a filename such as

| shutdown -r |

which will execute the command on the server.

+3




3 answers


open(my $fh, "some/random/dir/file-" . $user_text)

is completely vulnerable. Not only does it make it impossible to open a file named

some/random/dir/file-foo|

it can also be used to execute arbitrary commands:

$ perl -e'open(my $fh, "file-".$ARGV[0])' ' ; echo 0wned >&2 |'
sh: 1: file-: not found
0wned

      

+9




I would comment on @ikegami's wonderful post, but I don't have permission.

Another possible payload vector is to start the malicious input with = (an equals sign), so that the name that has already been hardcoded is treated as a shell variable:



perl -e'open(my $fh, "file".$ARGV[0])' '=foo echo 0wned >&2 |'

      

In some cases CGI scripts stop on errors; no error is generated with this payload.

+1




The easiest vulnerability is when your $fileextension suddenly becomes /../../../../../etc/passwd. Another possibility is for your "some/random/dir/file-" . $fileextension to point to some existing executable, in which case the append trick | any-command | will work fine.

0
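The following is an added example, not code from the question or from any of the three answers above. It puts the question's two-argument open() beside the three-argument form in one runnable script, so the difference the first two answers describe (a trailing "|" becoming a shell pipeline) can be observed directly, and adds a whitelist on the suffix that also rejects the path separators the third answer is worried about. The scratch directory, the seed file, the payload string and the whitelist policy are all constructed for this demonstration; the read_* and safe_suffix helpers are not part of any of the posts.

```perl
#!/usr/bin/perl
# Added example, not code from the question or any of the answers.
# Shows (1) the two-argument open() from the question handing a suffix
# ending in "|" to the shell, (2) three-argument open() with an explicit
# "<" mode treating the same string as a literal file name, and (3) a
# whitelist on the suffix that also rejects path separators.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sandbox: a scratch directory holding one harmless file.
my $dir = tempdir(CLEANUP => 1);
open(my $seed, '>', "$dir/file-notes.txt") or die "cannot create seed file: $!";
print $seed "real file contents\n";
close $seed;

# Read a whole handle into one string and close it.
sub slurp {
    my ($fh) = @_;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# VULNERABLE: the question's form. Two-argument open() infers the mode from
# the string, so a trailing "|" turns the "file name" into a shell pipeline
# whose output is what the caller reads.
sub read_two_arg {
    my ($suffix) = @_;
    open(my $fh, "$dir/file-" . $suffix) or return undef;
    return slurp($fh);
}

# SAFER: an explicit mode makes the third argument a literal path; no shell
# is involved. A name containing "|" is simply a file that does not exist.
sub read_three_arg {
    my ($suffix) = @_;
    open(my $fh, '<', "$dir/file-" . $suffix) or return undef;
    return slurp($fh);
}

# Whitelist (an assumed policy for this example): letters, digits, dot, dash
# and underscore only. No "/" means no traversal; no metacharacters means no
# surprises if the name is ever handed to something else later.
sub safe_suffix {
    my ($suffix) = @_;
    return $suffix =~ /\A[A-Za-z0-9._-]+\z/ ? $suffix : undef;
}

# Whitelist first, then the three-argument open.
sub read_checked {
    my ($suffix) = @_;
    my $clean = safe_suffix($suffix);
    return undef unless defined $clean;
    return read_three_arg($clean);
}

# Payload modelled on the first answer. The "2>/dev/null" only hides the
# shell's "file-x: not found" message so the injected output stands out.
my $payload = 'x 2>/dev/null; echo injected |';

printf "two-arg open, payload    : %s", read_two_arg($payload)             // "(open failed)\n";
printf "three-arg open, payload  : %s", read_three_arg($payload)           // "(open failed)\n";
printf "checked open, payload    : %s", read_checked($payload)             // "(rejected)\n";
printf "checked open, traversal  : %s", read_checked('../../etc/passwd')   // "(rejected)\n";
printf "checked open, notes.txt  : %s", read_checked('notes.txt')          // "(open failed)\n";
```

Running it, the two-argument call returns the string "injected" as if it were file contents, the three-argument call with the same suffix fails to open (there is no such file), the whitelisted path rejects both the payload and the traversal string before open() ever sees them, and only the legitimate suffix reads the seed file. The whitelist is worth keeping even with three-argument open(): the explicit mode removes the shell, but it does nothing about "/" and ".." in the suffix.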

