
Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)

Real-world pattern: Perl code builds a shell command string and runs it through backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components such as $r->uri() can flow into that string. If any branch concatenates the raw input and then evaluates it with a shell, the result is pre-auth RCE.

Dangerous Perl execution primitives (they spawn a shell when handed a single string):

  • Backticks / qx//: my $out = `cmd ...`;
  • system with a single string: system("/bin/sh -c '...'") by default
  • open with a pipe: open my $fh, "cmd |" or "| cmd"
  • IPC::Open3 with a single string

Minimal vulnerable pattern observed in the wild:

```perl
sub getCASURL {
    ...
    my $exec_cmd = "...";
    if ($type eq 'login') {
        $exec_cmd .= $uri;        # $uri from $r->uri() → attacker-controlled
        my $out = `$exec_cmd`;    # backticks = shell
    }
}
```

Key reachability points in mod_perl:

  • Handler registration: httpd.conf must route requests to your Perl module, e.g. PerlModule MOD_SEC_EMC::AccessHandler plus a configuration that invokes AccessHandler::handler for a path scope.
  • Triggering the vulnerable branch: enter the login flow without authentication so that type == "login" (for example, the expected auth cookie is absent).
  • Resolvable path: make sure the request is routed to a URI that resolves within the configured scope. If Apache does not pass the request through the handler, the sink is never reached.

Exploitation workflow

  1. Inspect httpd.conf for PerlModule/MOD_PERL handler scopes to find a resolvable path processed by the handler.
  2. Send an unauthenticated request so the login redirect path is taken (type == "login").
  3. Place shell metacharacters in the request-URI path so $r->uri() carries your payload into the command string.

Example HTTP PoC (path injection via ';')

```http
GET /ui/health;id HTTP/1.1
Host: target
Connection: close
```

Notes

  • Try separators: ;, &&, |, backticks, $(...), and encoded newlines (%0A) depending on the quoting.
  • If earlier patches quoted the other arguments but not the URI in one branch, payloads appended to the end of the string often work: ;id# or &&/usr/bin/id#

Hardening (Perl)

  • Do not build shell strings. Use argument-vector execution: system('/usr/bin/curl', '--silent', '--', $safe_url), which involves no shell.
  • If a shell is unavoidable, escape strictly and consistently in every branch; treat $r->uri() as hostile. Consider URI::Escape for paths/queries together with strong allowlists.
  • Avoid backticks/qx// for command execution; if output is really needed, capture it through open3 in list form without spawning a shell.
  • In mod_perl handlers, keep auth/redirect code paths free of command execution, or enforce identical sanitization across all branches to avoid "fixed everywhere but one branch" regressions.
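The hardening advice above, as an added Perl example that is not code from this page or from the affected product: an allowlist check on the request URI and an IPC::Open3 argument-vector call in place of backticks. The CAS endpoint, the use of /bin/echo standing in for curl, and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open3;
use Symbol qw(gensym);

# Build the CAS return URL from a request URI without any shell involvement.
# $base is an assumed configured login endpoint; $uri stands for $r->uri().
sub build_return_url {
    my ($base, $uri) = @_;
    # Allowlist: only path segments made of unreserved characters. Anything
    # else (';', '&', '|', backticks, '$(', newlines, ...) is rejected outright
    # instead of being escaped.
    return unless defined $uri && $uri =~ m{\A(?:/[A-Za-z0-9._~-]*)+\z};
    # Percent-encode for use as a query value (URI::Escape::uri_escape does the same).
    (my $enc = $uri) =~ s/([^A-Za-z0-9._~-])/sprintf('%%%02X', ord $1)/ge;
    return $base . $enc;
}

# Run an argument vector via IPC::Open3. The list form goes straight to execvp,
# so metacharacters inside the URL are plain data, never shell syntax.
sub run_argv {
    my @argv = @_;
    my $err = gensym;   # separate stderr handle (an autovivified lexical cannot be used here)
    my $pid = open3(my $in, my $out, $err, @argv);
    close $in;
    my $stdout = do { local $/; <$out> };
    my $stderr = do { local $/; <$err> };
    waitpid($pid, 0);
    return ($? >> 8, $stdout, $stderr);
}

# Demo with /bin/echo standing in for curl: the URI carrying ';id' never reaches
# a command, and the clean one is delivered as a single literal argv element.
my $base = 'https://cas.example/login?service=';   # placeholder endpoint
for my $uri ('/ui/health', '/ui/health;id') {
    my $url = build_return_url($base, $uri);
    if (!defined $url) {
        print "rejected URI: $uri\n";
        next;
    }
    my ($rc, $out) = run_argv('/bin/echo', $url);
    print "rc=$rc argv[1]=$out";
}
```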

Hunting for the bug

  • Patch-diff modules that build shell commands; look for inconsistent quoting between branches (e.g. an if ($type eq 'login') branch that was left unquoted).
  • Grep for backticks, qx//, open() calls with a pipe in the mode/command string, and system\s*(\s*" to find string-based shells. Build the call graph from the sink back to the request entry ($r) to confirm pre-auth reachability.

Real-world case: Dell UnityVSA pre-auth RCE (CVE-2025-36604)

  • Pre-auth command injection via backticks in AccessTool.pm:getCASURL, which concatenated the raw $uri ($r->uri()) when type == "login".
  • Reachable via MOD_SEC_EMC::AccessHandler → make_return_address($r) → getCASLoginURL(..., type="login") → getCASURL(..., $uri, 'login').
  • Practical detail: use a reachable path that sits under the handler; otherwise the module is not executed and the sink is never reached.
