[4343] in WWW Security List Archive
Re: Perl System Call HACKS
daemon@ATHENA.MIT.EDU (Steve Phelps)
Tue Feb 11 08:18:18 1997
Date: Tue, 11 Feb 1997 10:43:13 +0000
To: "Jeff Middleton" <jeffm@sgiserv3.aws.waii.com>
From: Steve Phelps <steve@epic.co.uk>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 07:46 10/02/97 -0800, you wrote:
>Is there a FAQ or information giving some examples as to the way
>a perl script that executes sendmail via a PERL system call can
>be hacked?
>
>What strings are going to be malicious to the sendmail execution?
>Is there a work-around?
>
Set the IFS environment variable to '/', export it:
when the perl script executes:
system('/usr/lib/sendmail blah');
The shell will interpret / as a blank and try and find the command 'usr'.
You can verify this easily:
% IFS='/'; export IFS
% /usr/lib/sendmail
usr: not found
Then create a script or binary 'usr' in the path of the environment that the
Perl script runs in that does something nasty.
Note that this assumes you have a shell from which to launch the Perl script
with the modified IFS variable; it would not necessarily work via CGI.
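
The work-around the question asks for, as an added example that is not part of the original post: scrub the shell-affecting environment variables and start sendmail with a list-form pipe open so that no shell parses the command line. The helper names and the address pattern are assumptions made for illustration; the sendmail path is the one quoted in the post.

```perl
#!/usr/bin/perl
# Run with "perl -T" to have taint mode enforce the checks below.
use strict;
use warnings;

my $SENDMAIL = '/usr/lib/sendmail';   # path as given in the post

# Remove variables that change how a shell splits or finds commands
# (the set perlsec lists) and pin PATH to trusted directories.
sub scrub_env {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = '/bin:/usr/bin';
}

# Hypothetical helper: accept only a conservative address form that
# cannot start with "-" or contain whitespace; the capture untaints it.
sub clean_address {
    my ($addr) = @_;
    return $addr =~ /\A(\w[\w.+-]*\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

sub send_mail {
    my ($to, $subject, $body) = @_;
    my $rcpt = clean_address($to) or die "rejected recipient\n";
    $subject =~ tr/\r\n/ /;    # keep the subject on one header line
    scrub_env();
    # List form: perl execs sendmail itself, so no shell is involved
    # and nothing is split on IFS.
    open(my $mail, '|-', $SENDMAIL, '-oi', $rcpt)
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} "To: $rcpt\nSubject: $subject\n\n$body\n";
    close($mail) or die "sendmail exited with status $?\n";
}

# Constructed demo: start from the hostile environment in the post.
$ENV{IFS} = '/';
scrub_env();
print 'IFS after scrub: ', (exists $ENV{IFS} ? 'still set' : 'removed'), "\n";
for my $to ('user@example.com', 'user@example.com;id', "a\@b.cc\nBcc: x\@y.zz") {
    (my $shown = $to) =~ s/\n/\\n/g;
    printf "%-30s %s\n", $shown, defined clean_address($to) ? 'accepted' : 'rejected';
}
send_mail(@ARGV) if @ARGV == 3;   # optional real send: to, subject, body
```

Run without arguments, the script only prints the scrub result and the accept/reject decision for the three constructed recipients; no mail is sent unless a recipient, subject and body are supplied.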