
Commit 7bdde32

Merge pull request #1494 from HackTricks-wiki/update_It_s_Never_Simple_Until_It_Is__Dell_UnityVSA_Pre_A_20251016_124047
It’s Never Simple Until It Is Dell UnityVSA Pre‑Auth Command...
2 parents 1cb04ad + c545eea commit 7bdde32

1 file changed: +60 -0 lines changed


src/pentesting-web/command-injection.md

Lines changed: 60 additions & 0 deletions
@@ -196,8 +196,68 @@ topicurl=setEasyMeshAgentCfg&agentName=;id;
196196
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
197197
{{#endref}}
198198

199+
## Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)
200+
201+
Real-world pattern: Perl code builds a shell command string and executes it via backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components like $r->uri() can flow into that string. If any branch concatenates raw input and then evaluates it with a shell, you get pre-auth RCE.
202+
203+
Risky Perl execution primitives (spawn a shell when given a single string):
204+
- Backticks / qx//: my $out = `cmd ...`;
205+
- system with a single string: system("/bin/sh -c '...'") implicitly
206+
- open with a pipe: open my $fh, "cmd |" or "| cmd"
207+
- IPC::Open3 with a single string
208+
209+
Minimal vulnerable shape observed in the wild:
210+
```perl
211+
sub getCASURL {
212+
...
213+
my $exec_cmd = "...";
214+
if ($type eq 'login') {
215+
$exec_cmd .= $uri; # $uri from $r->uri() → attacker-controlled
216+
my $out = `$exec_cmd`; # backticks = shell
217+
}
218+
}
219+
```
220+
Key reachability considerations in mod_perl:
221+
- Handler registration: httpd.conf must route requests into your Perl module, e.g. PerlModule MOD_SEC_EMC::AccessHandler and configuration that invokes AccessHandler::handler for a path scope.
222+
- Triggering the vulnerable branch: force the unauthenticated login flow so type == "login" (e.g., omit the expected auth cookie).
223+
- Resolvable path: ensure your request targets a URI that resolves within the configured scope. If Apache never routes the request through the handler, the sink isn’t reached.
224+
225+
Exploitation workflow
226+
1) Inspect httpd.conf for PerlModule/MOD_PERL handler scopes to find a resolvable path processed by the handler.
227+
2) Send an unauthenticated request so the login redirect path is taken (type == "login").
228+
3) Place shell metacharacters in the request-URI path so $r->uri() carries your payload into the command string.
229+
230+
Example HTTP PoC (path injection via ';')
231+
```http
232+
GET /ui/health;id HTTP/1.1
233+
Host: target
234+
Connection: close
235+
```
236+
Tips
237+
- Try separators: ;, &&, |, `backticks`, $(...), and encoded newlines (%0A) depending on quoting.
238+
- If earlier patches quote other args but not the URI in one branch, payloads appended at the end of the string often work: ;id# or &&/usr/bin/id#
239+
240+
Hardening (Perl)
241+
- Do not build shell strings. Prefer argument-vector execution: system('/usr/bin/curl', '--silent', '--', $safe_url) — no shell.
242+
- If a shell is unavoidable, escape strictly and consistently across all branches; treat $r->uri() as hostile. Consider URI::Escape for paths/queries and strong allowlists.
243+
- Avoid backticks/qx// for command execution; capture output via open3/list form if truly needed without invoking a shell.
244+
- In mod_perl handlers, keep auth/redirect code paths free of command execution or ensure identical sanitization across branches to avoid “fixed everywhere but one branch” regressions.
245+
246+
Vulnerability hunting
247+
- Patch-diff modules that assemble shell commands; look for inconsistent quoting between branches (e.g., if ($type eq 'login') left unescaped).
248+
- Grep for backticks, qx//, open\s*\(|\||, and system\s*\(\s*" to find string-based shells. Build a call graph from sink to request entry ($r) to verify pre-auth reachability.
249+
250+
Real-world case: Dell UnityVSA pre-auth RCE (CVE-2025-36604)
251+
- Pre-auth command injection via backticks in AccessTool.pm:getCASURL when type == "login" concatenated raw $uri ($r->uri()).
252+
- Reachable through MOD_SEC_EMC::AccessHandler → make_return_address($r) → getCASLoginURL(..., type="login") → getCASURL(..., $uri, 'login').
253+
- Practical nuance: use a resolvable path covered by the handler; otherwise the module won’t execute and the sink won’t be hit.
254+
199255
## References
200256

257+
- [It’s Never Simple Until It Is: Dell UnityVSA Pre‑Auth Command Injection (CVE‑2025‑36604)](https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604/)
258+
- [Dell PSIRT DSA‑2025‑281 – Security update for Dell Unity/UnityVSA/Unity XT](https://www.dell.com/support/kbdoc/en-uk/000350756/dsa-2025-281-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities)
259+
- [watchTowr Detection Artefact Generator – Dell UnityVSA Pre‑Auth CVE‑2025‑36604](https://github.com/watchtowrlabs/watchTowr-vs-Dell-UnityVSA-PreAuth-CVE-2025-36604)
260+
201261
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
202262
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
203263
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
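Review bot: the "Risky Perl execution primitives" list overstates when Perl spawns a shell. For `system` with a single string (and for the two-argument pipe form of `open`, `"cmd |"` / `"| cmd"`) Perl only hands the string to `/bin/sh -c` when it contains shell metacharacters; otherwise it splits the string on whitespace and calls `execvp` directly. The bullet `system with a single string: system("/bin/sh -c '...'") implicitly` should state that condition, because it is exactly why the sink in `getCASURL` is exploitable: the injected `$uri` is what supplies the metacharacters, so the same code path is harmless for a benign path and shell-evaluated for `/ui/health;id`. In the hardening bullets, `URI::Escape` is URL encoding, not shell quoting, and should not be suggested as a defence for a shell string; if a shell truly cannot be avoided the right primitive is `String::ShellQuote::shell_quote`, and for the "capture output via open3/list form" case the direct, shell-free replacement for backticks is the list-form pipe open, e.g. `open(my $fh, '-|', '/usr/bin/curl', '--silent', '--', $safe_url)`, which is worth naming explicitly. Also, the grep pattern `open\s*\(|\||` in the vulnerability-hunting bullet is malformed as written (an unterminated alternation); use something like `open\s*\(.*\|` or two separate patterns for `"cmd |"` and `"| cmd"`. Minor: the pre-existing References list has the PayloadsAllTheThings entry twice; since this hunk touches that list, drop the duplicate.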
