Vulnerability Development mailing list archives
Re: PERL's -e check
From: Matt Zimmerman <mdz () CSH RIT EDU>
Date: Wed, 27 Dec 2000 23:42:12 -0500
On Tue, Dec 26, 2000 at 04:20:51PM -0500, Joe Testa wrote:
> Given the responses I received from people, I now realize that I should have been more clear. I want to know if there is any way to pass shell metacharacters through the $temp_file variable in such a way that would pass the "-e" check but still make it to the open() call. Of course, let's forget that my example uses "<", because this prevents "|" from working. I already tried inserting nulls here and there, but without success.
The problem is that stat(), open() and exec() all use null-terminated strings. So, while you can fool stat() into thinking that a file exists--for example, one represented by the Perl string "/bin/sh\000||/tmp/do_evil|", or some such--when Perl passes the string to open() or exec(), it will get the same string that stat() gets. So you can fool these functions, but in this case it doesn't get you anywhere (that I can see), because you fool all of them.

--
 - mdz
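The following is an added example, not part of the original message or of Perl itself. It models a counted string (bytes plus a separate length, as a Perl scalar has) and shows that stat() and open() both stop reading at the first NUL, so they resolve the same path. The struct, macros and function names are hypothetical, and the second sample string is constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A counted string, like a Perl scalar: the length is stored separately,
 * so the bytes may contain an embedded NUL. */
struct counted { const char *bytes; size_t len; };
#define COUNTED(lit) ((struct counted){ (lit), sizeof(lit) - 1 })

/* The string quoted in the message above. */
#define PAGE_EXAMPLE COUNTED("/bin/sh\0||/tmp/do_evil|")
/* Constructed sample: "/" always exists, the tail after the NUL is inert. */
#define CONSTRUCTED  COUNTED("/\0|constructed-tail|")

/* Number of bytes a path-taking syscall reads: everything before the first NUL. */
size_t syscall_visible_len(struct counted s) {
    const char *nul = memchr(s.bytes, '\0', s.len);
    return nul ? (size_t)(nul - s.bytes) : s.len;
}

/* 1 if the string carries bytes that stat()/open()/exec() never see. */
int has_hidden_tail(struct counted s) {
    return syscall_visible_len(s) < s.len;
}

/* Existence check and open on the same buffer: 1 if both resolved to the
 * same file (same device and inode), 0 otherwise. */
int stat_and_open_agree(struct counted s) {
    struct stat by_path, by_fd;
    if (stat(s.bytes, &by_path) != 0) return 0;
    int fd = open(s.bytes, O_RDONLY);
    if (fd < 0) return 0;
    int same = fstat(fd, &by_fd) == 0 &&
               by_path.st_dev == by_fd.st_dev && by_path.st_ino == by_fd.st_ino;
    close(fd);
    return same;
}

int main(void) {
    struct counted s = PAGE_EXAMPLE;
    printf("counted length %zu, syscall sees %zu bytes: \"%s\"\n",
           s.len, syscall_visible_len(s), s.bytes);
    printf("hidden tail: %d, stat/open agree on constructed sample: %d\n",
           has_hidden_tail(s), stat_and_open_agree(CONSTRUCTED));
    return 0;
}
```

Code that holds counted strings can call a check like `has_hidden_tail()` on a file name and refuse it before any syscall, so that no layer ever acts on bytes the kernel did not see.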