Code Execution Through Filenames in Uploads
I was up well before I should have been this morning and I was thinking more about file uploads. Remember back in the day when you inadvertently named a file with a dash or a slash in it? Oh, the joys of trying to clean up files on *Nix systems that had a slash in them. We learned our lesson and moved on with life. Now we are all grown up and have a different reason to create files with bad chars in them. This time we want to exploit a file upload. So I created a Perl script that simply looks for a file and opens it for reading:
#!/usr/bin/perl
opendir(DIR, ".") || die "Can't open dir: $!\n";
@files = grep { /ls/ && -f "./$_" } readdir(DIR);
foreach $file (@files) {
# two-argument open: a leading "|" in $file makes Perl run it as a command
open (FILE, "$file");
print while (<FILE>);
close FILE;
}
closedir DIR;
Now here is me showing what is inside the file I named “|ls -al”, then showing what is inside the directory, and lastly, running the code:
[haX0r]$ cat \|ls\ -al
This information is within the file |ls -al
[haX0r]$ ls -al
total 08
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al
[haX0r]$ perl test.pl
[haX0r]$ total 14
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al
As soon as the program ran, it executed the filename as a command instead of opening the file: Perl's two-argument open treats a name that starts with a pipe as a command to run. So herein lies another interesting place to use that arbitrary image name creation program I built (I guess it's not just for XSS after all, but actual code execution on the host machine). Here would be an example. Encoding spaces might cause problems but I'm sure we can work around that in most cases. Pretty trivial and pretty nasty.
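The three-argument open that Mr. Orwell mentions in the comments is the fix for the open() half of this, but it does nothing about a name like "../etc/passwd", so an upload handler also needs a strict allowlist on the name before it is ever used. The script below is an added example and not the post's code: it writes a file literally named "|ls -al" into a temporary directory (constructed input), reads it back with a three-argument open to show that nothing is executed, and runs a small allowlist check over a few constructed names. Everything else (the temp directory, the helper names) is assumed for the demo.

```perl
#!/usr/bin/perl
# Added example (not the original post's code): hardened handling of
# attacker-controlled filenames. Uses a throwaway temp dir; the file
# name "|ls -al" and the sample names below are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Allowlist check for a name taken from an upload: a single path
# component, only [A-Za-z0-9._-], must start with a letter or digit
# (so no leading "." or "-"), bounded length.
sub is_safe_upload_name {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 255;
    return 0 if $name =~ m{[/\\]};                      # no directory separators
    return 0 unless $name =~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
    return 0 if $name eq '.' || $name eq '..';
    return 1;
}

# Read a file by its exact name. With an explicit '<' mode, a leading
# '|', '<', '>' or '+' in $path is data, not a pipe or mode indicator,
# so "|ls -al" is opened as a file rather than run as a command.
sub read_file_safely {
    my ($dir, $name) = @_;
    my $path = File::Spec->catfile($dir, $name);
    open(my $fh, '<', $path) or die "Can't open '$path': $!\n";
    local $/;                  # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

my $dir = tempdir(CLEANUP => 1);

# Constructed input: a file whose name looks like a shell command.
my $evil = '|ls -al';
{
    open(my $out, '>', File::Spec->catfile($dir, $evil))
        or die "Can't create test file: $!\n";
    print $out "This information is within the file |ls -al\n";
    close $out;
}

# Three-argument open returns the file's contents; no command runs.
print "read: ", read_file_safely($dir, $evil);

# The allowlist rejects hostile names before they reach open() at all.
for my $name ($evil, 'ls>a#.jpg', 'photo.jpg', '../etc/passwd', '-rf') {
    printf "%-16s %s\n", $name,
        is_safe_upload_name($name) ? 'accepted' : 'rejected';
}
```

Of the five sample names only photo.jpg passes the allowlist; the two-argument form in the post would have been fed "|ls -al" unchanged, whereas here it is rejected before open() and, even if it slipped through, the three-argument open would read it as a file.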
June 20th, 2007 at 3:21 pm
This is a well known ‘bug’. In fact, `perldoc -f open` has a warning about this. open(FILE, “
June 20th, 2007 at 4:08 pm
Hmm, it’s very interesting but I don’t understand: when “[haX0r]$ cat \|ls\ -al” is run, is the query that gets executed part of Perl?
Regards,
June 20th, 2007 at 5:31 pm
@George - you need to encode < to be &lt; for it to show up. Yes it is well known that perl has that issue however I’ve never heard about it in quite this way, but I don’t think most people think about it - especially in this case.
@Mrgat0x - I’m not sure I understand your question.
June 20th, 2007 at 8:55 pm
“@George - you need to encode < to be &lt;”
Should you be doing that?
June 20th, 2007 at 9:43 pm
Personally, I always use the 3 part form in all scripts, even one-liners. I’ve always thought this was common practice, but maybe not… I’m disgusted with anyone who doesn’t use it in real applications… Then again, I’m sure some people do…
Cheers,
Mr. Orwell
June 20th, 2007 at 10:56 pm
Will that do the same in PHP?
June 21st, 2007 at 7:55 am
@Chris - you can thank the legacy wordpress codebase for that, maybe I’ll add it to my long list of things I need to modify.
June 23rd, 2007 at 7:54 am
@Steve - why not test it out and find out for yourself?
June 26th, 2007 at 8:51 pm
interesting, interesting……..
June 29th, 2007 at 2:39 pm
and if you need to call it a .jpg for the filters try something like:
ls>a#.jpg
then to read the output of the command:
cat<a>
June 29th, 2007 at 2:40 pm
huh why has only half of what i said been shown?
June 29th, 2007 at 3:48 pm
You didn’t change < to >
July 2nd, 2007 at 10:52 pm
[fazed]: Mr. Orwell’s comments and RSnake’s reply weren’t enough for you to learn that < and > (}:-]) are special?