7
8

Are Perl backticks or the `system` command vulnerable to the BASH environment variable execution vulnerability? (self.perl)

[deleted] 投稿

When Perl starts a sub-process using the system() function call or the backtick operator (also qx//) does it start a BASH shell and, if so, is it vulnerable to environment variable execution?

全ての 20 コメント
並べ替え:
ベスト
ベスト
トップ
新着
注目
論争中
古い順

[–]minimim 9 ポイント10 ポイント  (0子コメント)

It calls "/bin/sh". If this is provided by bash, yes. If you are in debian or other system where this isn't provided by bash, no.
http://perldoc.perl.org/perlop.html#qx/STRING/

[–]linuxwhisperer 4 ポイント5 ポイント  (0子コメント)

im not a big fan of using back ticks for exec; much rather explicitly pass arguments to system as an array, rather then hope arguments are interpreted correctly.

having said that, from perldoc -f system:

 system PROGRAM LIST
        Does exactly the same thing as "exec LIST", except that a fork is
        done first and the parent process waits for the child process to
        exit. Note that argument processing varies depending on the number
        of arguments. If there is more than one argument in LIST, or if
        LIST is an array with more than one value, starts the program
        given by the first element of the list with arguments given by the
        rest of the list. If there is only one scalar argument, the
        argument is checked for shell metacharacters, and if there are
        any, the entire argument is passed to the system's command shell
        for parsing (this is "/bin/sh -c" on Unix platforms, but varies on
        other platforms). If there are no shell metacharacters in the
        argument, it is split into words and passed directly to "execvp",
        which is more efficient.

confirming:

~$ perl -e 'system("pstree -cA");'
-xterm---bash---perl---pstree
~$ perl -e 'system("pstree -cA; ls -l /tmp/");'
-xterm---bash---perl---sh---pstree

so, on the surface: no, it is not vulnerable because its using /bin/sh and not /bin/bash

if your system /bin/sh is symlinked to /bin/bash.. you might be in for some pain.

i think it is good practice to wipe $ENV and set it explicitly before invoking system(), avoids any shenanigans Just In Case.

[–]paul345 3 ポイント4 ポイント  (3子コメント)

It depends.

If it's a simple backtick/qr/system of a single command such as $now=date then perl just performs a clone/exec without bringing sh into the mix. Equally, $now=date -u is handled in the same way.

However, if the command being evaluated includes shell metacharacters like $ then perl passes everything via sh -c. For linux systems where /bin/sh mainly (always?) symlinks to /bin/bash, you're now in trouble.

Here's an example script with a safe and unsafe backtick:

#!/usr/bin/perl
$var=`/bin/echo bob`;
$var=`/bin/echo \$myvar`;

And here's strace proving where sh comes in:

strace -f ./tester.pl  2>&1|grep echo
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
[pid 13597] execve("/bin/echo", ["/bin/echo", "bob"], [/* 18 vars */] <unfinished ...>
[pid 13598] execve("/bin/sh", ["sh", "-c", "/bin/echo $myvar"], [/* 18 vars */]) = 0
[pid 13598] execve("/bin/echo", ["/bin/echo"], [/* 17 vars */]) = 0

And given we're on centos in this exmaple, sh is really bash:

$ ls -l /bin/sh
lrwxrwxrwx. 1 root root 4 Sep 23 21:01 /bin/sh -> bash

(edit for more examples...)

Thinking more broadly in perl you have to look for any place where you're asking perl to evaluate something with shell metacharacters. The following deliberately bad code is vulnerable as perl will ask sh -c to evaluate the $myconfigfile line:

open(RES,"grep something \$myconfigfile|") or die;

[–]roerd 1 ポイント2 ポイント  (0子コメント)

On Debian-based systems, /bin/sh is usually dash.

[–]masta 0 ポイント1 ポイント  (1子コメント)

when bash is invoked as /bin/sh, it switches to posix compliance mode. Not sure that matters much here, the bug might be a systemic bash'ism even in compliance mode. Worth verifying though

[–]SwellJoe 0 ポイント1 ポイント  (0子コメント)

The bug exists in either mode.

[–]wschroed 2 ポイント3 ポイント  (1子コメント)

Had to come up with the right context... the issue is with the shell loading in the subprocess:

$ cat poc.pl
#!/usr/bin/env perl
use strict;
use warnings FATAL => 'all';

$ENV{x} = '() { :;}; echo vulnerable';
system("echo test one");
system("perl -e 'system(\"echo test two\")'");

$ perl poc.pl
test one
vulnerable
test two

[–]blue_2501 0 ポイント1 ポイント  (0子コメント)

Perl's system command does some extra checks on the command to see if it needs to use bash. If it has some sort of extra characters or unusual format, it will fire up a shell. Otherwise, I think it just try to run the command directly to save on fork overhead.

[–]scrottie 0 ポイント1 ポイント  (0子コメント)

Original poster was referring to this:

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://www.kb.cert.org/vuls/id/252743

I missed that when responding initially. I hadn't seen this bit of news yet.

Short answer, yes.

[–][deleted] 0 ポイント1 ポイント  (10子コメント)

The correct answer is "doesn't matter, patch bash ASAP." It's an easy fix assuming your distro has released an update.

[–]7fb2adfb45bafcc01c80 1 ポイント2 ポイント  (2子コメント)

Except the updates aren't all complete yet.... :(

[–]blue_2501 0 ポイント1 ポイント  (0子コメント)

Half fixed is better than nothing. Besides, most black-hatters will be trying the first exploit.

[–][deleted] 1 ポイント2 ポイント  (0子コメント)

You should still update... some protection is better than none. It takes a minute or two tops.

[–]scrottie 1 ポイント2 ポイント  (6子コメント)

You're apparently not familiar with the concept of shell injection exploits.

A shell will always execute commands. That's what it's for. This isn't something that can be fixed without ruining the shell. This is a problem though when user input to a program (like a web app) makes it all of the way to the shell where it is interpreted by the shell. Obviously, input from random web users should not be going to the local command shell.

system(), open() and other calls in Perl are available in "one argument version" and "three argument versions". That's a simplification, but this for example bypasses shell and runs the program directly:

system '/bin/ls', '-la';

Or more in general:

system '/bin/ls', @user_supplied_args;

Even then, it's a really good idea to do validation on the user supplied args and make sure that they contain reasonable values.

Bypassing shell is precisely what you need to do.

For backticks where you capture the output, use IPC::Open2 or IPC::Open3 instead. perldoc them for examples. There are probably some Tiny:: or Simple:: modules that do the same thing now and are easier to use with less crufty documentation.

[–][deleted] 0 ポイント1 ポイント  (3子コメント)

I'm glad you think you're a genius, however, people should still be patching their shit instead of watching you show us all how smart you think you are. Jesus I hate this industry sometimes.

[–]scrottie 1 ポイント2 ポイント  (2子コメント)

Two/three arg open isn't genius. It's strongly recommended for all uses, and the single arg flavors are there for one-liners and back compat.

Anyway, I came back to apologize to you because I just saw http://seclists.org/oss-sec/2014/q3/656. I haven't read enough to understand what they're talking about, but I first commented here, I wasn't aware that there was a CVE. They might just be talking about what I'm talking about.

You're welcome to yell at me if it makes you feel better, but in general, please try to be patient with people who make time to try to help other people with code. We sometimes make mistakes and misunderstand questions, but we're still volunteering time to try to help save other people from frustration. Thank you.

[–][deleted] 2 ポイント3 ポイント  (1子コメント)

Since you seem to be a reasonable human being, sorry for yelling at you. I've spent half my day patching servers that I'm not technically responsible for because other people have decided to have 'technical analysis meetings' to 'assess threat' rather than, you know, installing the f---ing patch... meanwhile if someone gets into our system that doesn't belong there, I'm going to be the one they wake up in the middle of the night. So I'm a little testy.

Edit: and yes, technically speaking, from a security standpoint you should use the form that doesn't invoke the shell. Very few people obey that, though.

[–]scrottie 0 ポイント1 ポイント  (0子コメント)

Duh. They should assess the threat and plan the response to being completely fucking vulnerable before it happens.

So that's how I found out that I'm spending the night fixing code. Wheee!

chmod ugo-rx `ack -l system`;killall -HUP starman

First line of defense.

Usually I see something on front page here or my Twitter feed or something. Usually I don't stumble in to a question like "Are Perl backticks or the system command vulnerable to the BASH environment variable execution vulnerability?" with no references.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://www.kb.cert.org/vuls/id/252743

[–]neverbetterthanks 0 ポイント1 ポイント  (1子コメント)

This is very good advice.

I come down very hard on devs in my team using backticks or single arg system calls, if they are unnecessary (and they generally are).

This exploit is only way that inappropriate use of the shell is dangerous from perl (and other languages).

system ("grep $somepattern $somedir > /tmp/results");

Is tremendously convenient. But where does $somepattern and $somedir come from? Are they from the user? Might one of them be "blah ; rm -rf /"?

When you invoke the shell you startup a massive piece of software, with huge amounts of functionality. Do you know all of it? Do you know how to properly escape the above so it doesn't get executed by the shell? Do you understand the implications of unicode input data? Do you even know what shell the user might be using? No, you don't. If you see someone escaping tainted data to pass to the shell you should immediately see that as a massive defect and a security hole waiting to happen - because it is.

On top of that, do you know your environment? Do you know your users environment? Do you know what happens if they have a different PATH? A different IFS? Can you control that?

The reason why people use the shell when they don't need to is for IO redirection - and that's when you use IPC::Open* as /u/scrottie says. Learn them, they aren't optional - if you actually care about your code being secure.

None of these have anything to do with the recent bash exploit. Using the shell unnecessarily has always been a source of problems. Obviously though, if you never use the shell from perl, you don't need to worry about the state of bash exploits :-)

[–]scrottie 0 ポイント1 ポイント  (0子コメント)

I still haven't found a good technical description of the exploit in question. Have a reference for me?

Edit: I was off base when I posted then. I thought the question was about the general case of shell injection vulnerabilities. I only read something vague about the environment factoring in after I posted that.

Update:

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://www.kb.cert.org/vuls/id/252743