PrestaShop

Reading time: 5 minutes

Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)

Real-world pattern: Perl code builds a shell command string and executes it via backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components like $r->uri() can flow into that string. If any branch concatenates raw input and then evaluates it with a shell, you get pre-auth RCE.

Risky Perl execution primitives (spawn a shell when given a single string):

• Backticks / qx//: my $out = cmd ...;
• system with a single string: system("/bin/sh -c '...'") implicitly
• open with a pipe: open my $fh, "cmd |" or "| cmd"
• IPC::Open3 with a single string

Minimal vulnerable shape observed in the wild:

sub getCASURL {
  ...
  my $exec_cmd = "...";
  if ($type eq 'login') {
    $exec_cmd .= $uri;        # $uri from $r->uri() → attacker-controlled
    my $out = `$exec_cmd`;    # backticks = shell
  }
}

Key reachability considerations in mod_perl:

• Handler registration: httpd.conf must route requests into your Perl module, e.g. PerlModule MOD_SEC_EMC::AccessHandler and configuration that invokes AccessHandler::handler for a path scope.
• Triggering the vulnerable branch: force the unauthenticated login flow so type == "login" (e.g., omit the expected auth cookie).
• Resolvable path: ensure your request targets a URI that resolves within the configured scope. If Apache never routes the request through the handler, the sink isn’t reached.

Exploitation workflow

1. Inspect httpd.conf for PerlModule/MOD_PERL handler scopes to find a resolvable path processed by the handler.
2. Send an unauthenticated request so the login redirect path is taken (type == "login").
3. Place shell metacharacters in the request-URI path so $r->uri() carries your payload into the command string.

Example HTTP PoC (path injection via ';')

GET /ui/health;id HTTP/1.1
Host: target
Connection: close

Tips

• Try separators: ;, &&, |, backticks, $(...), and encoded newlines (%0A) depending on quoting.
• If earlier patches quote other args but not the URI in one branch, payloads appended at the end of the string often work: ;id# or &&/usr/bin/id#

Hardening (Perl)

• Do not build shell strings. Prefer argument-vector execution: system('/usr/bin/curl', '--silent', '--', $safe_url) — no shell.
• If a shell is unavoidable, escape strictly and consistently across all branches; treat $r->uri() as hostile. Consider URI::Escape for paths/queries and strong allowlists.
• Avoid backticks/qx// for command execution; capture output via open3/list form if truly needed without invoking a shell.
• In mod_perl handlers, keep auth/redirect code paths free of command execution or ensure identical sanitization across branches to avoid “fixed everywhere but one branch” regressions.

Vulnerability hunting

• Patch-diff modules that assemble shell commands; look for inconsistent quoting between branches (e.g., if ($type eq 'login') left unescaped).
• Grep for backticks, qx//, open\s*(|||, and system\s*(\s*" to find string-based shells. Build a call graph from sink to request entry ($r) to verify pre-auth reachability.

Real-world case: Dell UnityVSA pre-auth RCE (CVE-2025-36604)

• Pre-auth command injection via backticks in AccessTool.pm:getCASURL when type == "login" concatenated raw $uri ($r->uri()).
• Reachable through MOD_SEC_EMC::AccessHandler → make_return_address($r) → getCASLoginURL(..., type="login") → getCASURL(..., $uri, 'login').
• Practical nuance: use a resolvable path covered by the handler; otherwise the module won’t execute and the sink won’t be hit.

References

• It’s Never Simple Until It Is: Dell UnityVSA Pre‑Auth Command Injection (CVE‑2025‑36604)
• Dell PSIRT DSA‑2025‑281 – Security update for Dell Unity/UnityVSA/Unity XT
• watchTowr Detection Artefact Generator – Dell UnityVSA Pre‑Auth CVE‑2025‑36604