Skip to content

It’s Never Simple Until It Is Dell UnityVSA Pre‑Auth Command... #1494

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 25, 2025
Merged

It’s Never Simple Until It Is Dell UnityVSA Pre‑Auth Command... #1494

merged 1 commit into from
Oct 25, 2025

Conversation

@carlospolop
Copy link
Collaborator

@carlospolop carlospolop commented Oct 16, 2025

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target/Product: Dell UnityVSA (Virtual Storage Appliance). Versions examined via patch‑diff: 5.4.0.0.5.094 (known vulnerable) and 5.5.0.0.5.259 (contained additional vulnerable path). Fixed in 5.5.1 per Dell PSIRT advisory DSA‑2025‑281.
<br/...

🔧 Technical Details

Patch‑diff driven vuln hunting: Compare “vulnerable” vs “patched” builds and focus on modules that build shell commands. Look for inconsistent escaping across branches (e.g., a single if ($type eq "login") path that appends attacker‑controlled data). Backticks are high‑value sinks.

Call‑graph to sink reachability: Start from the sink (getCASURL) and enumerate callers. Observe getCASLoginURL(..., type="login") and trace back to make_return_address($r) where $r->uri() enters. Confirm the web server configuration (PerlModule MOD_SEC_EMC::AccessHandler) ensures the handler executes.

Triggering the pre‑auth path reliably: Omit the auth cookie to force the login redirect so type=="login" is guaranteed. Use a resolvable URI within the handler’s scope; otherwise Apache won’t invoke the module and the sink isn’t reached.

General defensive pattern: Avoid ...

🤖 Agent Actions

I analyzed the repository and updated the most relevant existing page instead of creating a new one.

What I updated

  • File: src/pentesting-web/command-injection.md

  • Change: Added a new subsection “Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)” that:

    • Documents risky Perl execution primitives (backticks/qx//, system with single string, open with pipe, IPC::Open3 with single string).
    • Explains mod_perl handler reachability and the importance of handler registration in httpd.conf, pre-auth login flow triggering (type == "login"), and the resolvable path nuance for handler execution.
    • Provides an exploitation workflow and a concise HTTP PoC example.
    • Adds hardening guidance (favor system LIST/argument vectors, avoid backticks, consistent escaping, allowlists).
    • Highlights patch-diff hunting techniques and call-graph tracing to confirm pre-auth reachability.
    • Summarizes the Dell UnityVSA real-world case (CVE-2025-36604) as a concrete example without duplicating the entire blog.

  • References: Appended new references at the end of the same file:

    • watchTowr blog post
    • Dell PSIRT advisory (DSA‑2025‑281)
    • watchTowr Detection Artefact Generator GitHub repository

Why here

  • This belongs under Pentesting Web > Command Injection because it generalizes a technique (Perl backticks in mod_perl handlers) and its reachability patterns, not a product- or CVE-specific page.
  • There was no existing mod_perl/Perl-specific section in HackTricks’ command injection coverage, and adding it enriches the general methodology.

Checks performed

  • Read ≥5 relevant files to align structure/style and find the best location:
    • src/pentesting-web/command-injection.md
    • src/network-services-pentesting/pentesting-web/cgi.md
    • src/pentesting-web/web-vulnerabilities-methodology.md
    • src/network-services-pentesting/pentesting-web/ruby-tricks.md
    • src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
  • Kept existing structure, added a concise, technique-focused section, and preserved the training banner and existing references.

No new files were created, and only the necessary, high-value technical content was added.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Copy link
Collaborator Author

carlospolop commented Oct 16, 2025

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web > Command Injection > Perl/mod_perl backticks (Apache mod_perl handler reachability)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit 7bdde32 into master Oct 25, 2025
@carlospolop carlospolop deleted the update_It_s_Never_Simple_Until_It_Is__Dell_UnityVSA_Pre_A_20251016_124047 branch October 25, 2025 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlospolop